On CCPA’s First Anniversary, California AG Details Enforcement Actions, Consumer Notice Tool

On July 19, 2021, California Attorney General Rob Bonta issued a press release highlighting the first anniversary of the date on which the California Consumer Privacy Act (CCPA) became enforceable.

The CCPA vests the AG with the authority to enforce its provisions, limiting private rights of action to security violations involving particularly sensitive personal information. Before commencing a formal action against a business subject to the CCPA, the AG must give the business notice and 30 days in which to cure the alleged violations. AG Bonta stated that 75 percent of all companies that received notices of alleged CCPA violations in the past year responded with amended practices within the allotted 30-day cure period and that the remaining 25 percent were either currently within their 30-day cure window or under active investigation.

In a press conference that same day, AG Bonta touted the effectiveness of such cure notices, stating that “[w]e’ve sent quite a few [notices], but the good news is when we send out notices to cure we get a response. . . . We’re not seeing resistance, stiff-arming or foot-dragging.” Notably, despite early speculation that enforcement would target specific industries or prominent businesses, notices to cure have been sent to a broad spectrum across many industries, including data brokers, marketing companies, businesses handling children’s information, media outlets, and online retailers.

AG Bonta also announced the availability of a new Consumer Privacy Tool that allows individual consumers to draft and send notices to businesses regarding their CCPA violations. At the moment, the tool is “limited to drafting notices to businesses that do not post an easy-to-find ‘Do Not Sell My Personal Information’ link on their website.” Although consumers cannot, as noted, take action to enforce the CCPA other than in limited security violation cases, the AG suggested that he may treat a consumer’s notice of violation of the “Do Not Sell” link requirement as triggering the 30-day cure period for his own action based on such violation.

Businesses subject to the CCPA, therefore, should take steps to receive and respond to notices issued by consumers using the Consumer Privacy Tool. This tool, and the AG’s active issuance of notices of alleged violations, are signs that the statute has teeth that will continue to bite.

© Arnold & Porter Kaye Scholer LLP 2021 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.