California Attorney General releases new violation-reporting tool

California's attorney general has reported his one-year enforcement metrics on the California Privacy Protection Act (CCPA). 

On June 19, California Attorney General Rob Bonta issued a one-year enforcement update on the California Consumer Privacy Act (CCPA). While the law passed in January 2020, the attorney general’s office started enforcing it on July 1, 2020. Bonta also introduced a new online tool for consumers to contact businesses perceived to violate the law directly. 

Bonta was optimistic about the CCPA’s efficacy to date in reporting the first-year metrics. He said once his office received a notification of an alleged violation, 75% of businesses made moves to come into compliance within the 30 days companies have to “cure” the situation, a right the CCPA regulations grant them. The rest have been notified and are still within the cure period, or under active investigation, the AG reported. 

“Enforcement of the CCPA marks an enormous step for privacy protection in California, particularly at this time after the COVID-19 pandemic moved so much of our lives online. We’re happy to announce that we are seeing great progress with our CCPA enforcement, but there’s more work to be done,” said Bonta in a press release. “Plain and simple: Exercise your rights under the CCPA. Any Californian is empowered to opt out of the sale of their personal information online. Consumers can also join our enforcement efforts with our new Data Privacy Protection Tool that allows anyone to notice a business that appears to be out of compliance with CCPA.” 

The CCPA was the first comprehensive consumer privacy law to pass in a U.S. state. It was a huge deal, because it put pressure on the federal government to push toward passing a U.S. privacy law before additional states pass bills.  Since the CCPA won at the ballot box in California, Colorado and Virginia have enacted laws, and California itself passed what's frequently called CCPA 2.0, which will replace the CCPA in 2023. Companies, many of whom contribute a whole lot of cash to legislators in return for police votes that suit their needs, do not want to comply with 50 different privacy laws within one country. They'd much rather have one standard and then retrofit or build around it. 

The attorney general’s new consumer privacy tool intends to allow consumers to alert businesses that don’t have a clear “Do Not Sell My Personal Information” link on their website. Under the CCPA, businesses that sell personal information must post “Do Not Sell” buttons clearly on their websites to allow consumers to opt out.

The tool is operational now, and the AG said it would likely be updated to notify businesses of other potential violations beyond the sell button. It asks consumers first to answer a series of six questions about the scenario to determine whether a violation could exist. Questions include whether the business is acting as a service provider for another company, whether it sells consumers’ personal information to third parties and whether the business’s “do not sell” button goes to information about opting out of the sale of personal information. 

It also provides a draft notice form consumers can fill out and submit directly to the business. 

“While consumers cannot sue businesses for more CCPA violations, sending a notice of noncompliance is useful,” the AG said in a press release, noting the attorney general can sue businesses that violate the CCPA if they don’t cure the violation within 30 days of notification of noncompliance. “That notice you send may satisfy the prerequisite.” 

But not everyone is thrilled with the new reporting tool. In a Digiday story on the news, Jennifer B. Lee, a privacy attorney at Loeb and Loeb, said such a tactic “puts the consumer in the attorney general’s office and helps them in policing the function,” but it creates a bunch of questions. For example, does the 30-day window start when a consumer sends the letter? What about people using the attorney general’s draft notice form incorrectly and sending businesses what amount to “nuisance letters going out.” 

It seems there’s a need for clarification from the attorney general for this to work if it’s going to work. We’ll be on the watch for that, and we’ll bring it to you when it happens.