On July 1, 2020, the California State Attorney General (“AG”) began enforcement action against businesses that it believes have violated the California Consumer Privacy Act (“CCPA”). In anticipation of the July 1 deadline, it was unclear how the AG would prioritize CCPA enforcement. It was thought that the AG would target the largest businesses for CCPA violations in order to set an example for those companies (large and small) that meet the CCPA thresholds. In reality, the AG has shown no discretion with respect to CCPA enforcement and has sent notices of alleged violation to a large swath of businesses that it believes have not complied with the CCPA.
What do these notices allege and how should you respond to them?
CCPA Enforcement Notices
Businesses that receive notices of alleged noncompliance will be provided with a summary of their purported CCPA violation(s). Examples of alleged violations that we have seen include failure to provide: 1) a clear and conspicuous link titled “Do Not Sell My Personal Information” on company homepages; 2) users with the opportunity to request that businesses disclose what personal information they have collected, used, shared and/or sold; 3) users with the ability to request that businesses delete the personal information that they have collected about them; and 4) a privacy policy that details consumers’ privacy rights and how they may exercise them. In the CCPA enforcement notices, businesses have been advised of the potential legal consequences associated with failure to comply, which include civil penalties of up to $2,500 for each violation, and penalties of $7,500 for violations that are deemed “intentional.” The notices explain that businesses have thirty (30) days to cure and respond to the AG.
Providing the most up-to-date counsel
on all things data security, privacy and Internet law.
Is a NY CCPA Law Coming Soon?
CCPA Regulations Updated, Again
App Law and Future Changes to iOS Privacy
Responding to Notices
Please note that fraudulent notices have been sent by scam artists for purposes of scaring businesses into paying money. As such, businesses should first confirm with the AG that the notices that they receive are valid before responding to them. Businesses should respond to valid notices via email to privacy@doj.ca.gov within thirty (30) days of notice receipt. The responses should describe all actions that have taken in order to come into full compliance with the CCPA. Failure to respond and cure the alleged violations may lead to imposition of the above civil penalties.
If your business has received a notice of alleged noncompliance, or if you require general assistance with implementing CCPA compliance measures, please email us at info@kleinmoynihan.com, or call us at (212) 246-0900.
The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.
Attorney Advertising
Photo by Stephen Phillips – Hostreviews.co.uk on Unsplash
Related Blog Posts:
Final CCPA Regulations Released
