Klein Moynihan Turco’s Response to COVID-19 – Click here

Klein Moynihan Turco

CCPA compliance

I Received a CCPA Enforcement Notice! How do I Respond?

by David Klein

On July 1, 2020, the California State Attorney General (“AG”) began enforcement action against businesses that it believes have violated the California Consumer Privacy Act (“CCPA”). In anticipation of the July 1 deadline, it was unclear how the AG would prioritize CCPA enforcement. It was thought that the AG would target the largest businesses for CCPA violations in order to set an example for those companies (large and small) that meet the CCPA thresholds. In reality, the AG has shown no discretion with respect to CCPA enforcement and has sent notices of alleged violation to a large swath of businesses that it believes have not complied with the CCPA. 

What do these notices allege and how should you respond to them?

CCPA Enforcement Notices

Businesses that receive notices of alleged noncompliance will be provided with a summary of their purported CCPA violation(s). Examples of alleged violations that we have seen include failure to provide: 1) a clear and conspicuous link titled “Do Not Sell My Personal Information” on company homepages; 2) users with the opportunity to request that businesses disclose what personal information they have collected, used, shared and/or sold; 3) users with the ability to request that businesses delete the personal information that they have collected about them; and 4) a privacy policy that details consumers’ privacy rights and how they may exercise them. In the CCPA enforcement notices, businesses have been advised of the potential legal consequences associated with failure to comply, which include civil penalties of up to $2,500 for each violation, and penalties of $7,500 for violations that are deemed “intentional.” The notices explain that businesses have thirty (30) days to cure and respond to the AG.

Providing the most up-to-date counsel
on all things online advertising and Internet law.

NCAA to Update Athlete Marketing Rules
CCPA Regulations Updated, Again
What You Need to Know Before Running a Facebook Sweepstakes

Responding to Notices

Please note that fraudulent notices have been sent by scam artists for purposes of scaring businesses into paying money. As such, businesses should first confirm with the AG that the notices that they receive are valid before responding to them. Businesses should respond to valid notices via email to privacy@doj.ca.gov within thirty (30) days of notice receipt. The responses should describe all actions that have taken in order to come into full compliance with the CCPA. Failure to respond and cure the alleged violations may lead to imposition of the above civil penalties. 

If your business has received a notice of alleged noncompliance, or if you require general assistance with implementing CCPA compliance measures, please email us at info@kleinmoynihan.com, or call us at (212) 246-0900. 

The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney. 

Attorney Advertising 

Photo by Stephen Phillips – Hostreviews.co.uk on Unsplash

Related Blog Posts:

Final CCPA Regulations Released

CCPA Law: The Private Right of Action

CCPA Record Keeping Requirements

Voters Approve Amendment to CCPA Law

by David Klein

Californians took to the polls last week and decisively voted to approve Proposition 24, the California Privacy Rights Act, an amendment to the recently-enacted California Consumer Privacy Act (“CCPA”). The amendments to CCPA law are expected to strengthen protections to what is already the foremost data privacy law in the Country.

[Read More]

CCPA Amendment Passes, Creating New HIPAA-related Exceptions

by David Klein

On September 25, 2020, California Governor Gavin Newsom signed AB 713 (the “Amendment”) into law, amending the California Consumer Privacy Act (“CCPA”) to implement exceptions related to consumer health data. Specifically, the CCPA amendment addresses inconsistencies between data protection afforded under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the CCPA, respectively. The Amendment took effect on September 30, 2020. 

What does the CCPA Amendment cover?

[Read More]

Clarifying the $25 Million Threshold in the Final CCPA Regulations

by David Klein

On August 14, 2020, the Office of Administrative Law (“OAL”) approved the California Department of Justice’s final California Consumer Privacy Act (“CCPA”) regulations and filed them with the California Secretary of State. Prior to approval, some businesses were uncertain as to whether the $25 million revenue threshold was related to revenue generated only from California State sales, California residents, or total global revenues. The California Attorney General’s Office has since clarified that limiting the threshold to revenue generated only in California or from California State residents would be inconsistent with the intended broad reach of the CCPA regulations. 

What businesses are regulated by CCPA Regulations?

[Read More]

CCPA Enforcement has Begun

by David Klein

Although the California Consumer Privacy Act (“CCPA”) went into effect on January 1, 2020, the California Attorney General (“AG”) was prohibited from bringing enforcement actions until July 1, 2020. Due to the COVID-19 pandemic, some observers were unsure whether the AG would be able to meet the July 1st deadline. However, the AG is moving full speed ahead and has even denied businesses’ requests to delay the CCPA enforcement date due to COVID-19. Now, the AG has commenced enforcement action as planned, and businesses have already started to receive CCPA violation notices. 

What should you do if you receive a CCPA violation notice?

[Read More]

CCPA Compliance: The CA Attorney General is Enforcing Now!

by David Klein

With the outbreak of the COVID-19 pandemic, businesses have had to react to a whole new set of issues that were not on their radar four (4) months ago.  One task that may have been tabled until some sense of normalcy was restored is compliance with the California Consumer Privacy Act (“CCPA”). Businesses must be aware that July 1, 2020, marked the day that the California State Attorney General’s Office began its CCPA enforcement efforts. Attorney General Xavier Becerra announced the enforcement date by releasing a statement encouraging “every Californian to know their rights to internet privacy and every business to know its responsibilities.” Although it is too early to know what enforcement will look like, businesses that are not already within CCPA compliance must act fast to avoid stiff penalties. 

What are the immediate responsibilities businesses should be aware of?

[Read More]

Preparing for the July 1 CCPA Enforcement Deadline

by David Klein

Despite the fact that the California Consumer Privacy Act (“CCPA”) regulations have yet to be finalized, the California Attorney General is prepared to begin CCPA enforcement as of July 1, 2020. In 2018, the CCPA was enacted to create enhanced consumer privacy rights by imposing obligations on how businesses collect, use and share California State resident personal information. Over the past two years, the California State Attorney General has been tinkering with the CCPA regulations in an effort to assist businesses with navigating statutory compliance. Given that the CCPA enforcement deadline is upon us, businesses should now be familiar with the various provisions of the CCPA. 

What are the key provisions of the CCPA?

Overview of CCPA Regulations

Businesses fall within the ambit of the CCPA if they: 1) do business in the State of California; 2) collect California State residents’ personal information; and 3) satisfy at least one of the following thresholds:

  • Have annual gross revenue of over $25 million;
  • Buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices for commercial purposes each year; or 
  • Derive 50% or more of annual revenue from selling consumer personal information. 

Dating back to the passage of the CCPA on June 28, 2018, we have blogged about the CCPA compliance measures that businesses need to take in order to avoid private rights of action and/or investigation by the California State Attorney General. Some key CCPA provisions worth noting include:

  • Notice to Consumers: Businesses that collect California consumer personal information must provide notice prior to or at the point of collection. The purpose of this notice is to inform consumers about the categories of personal information that businesses will collect and the purposes for which the information will be used. Additionally, businesses must notify consumers of their right to opt-out from having their personal information sold to third parties. 
  • Privacy Policies: As stated in the CCPA regulations, “[t]he purpose of the privacy policy is to provide consumers with a comprehensive description of a business’s online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information.” In order to achieve this level of transparency, businesses must disclose: 1) the categories of personal information collected; 2) the sources from which personal information is collected; and 3) the commercial or business purpose for which the personal information was collected or sold.
  • CCPA Forms: The CCPA affords California consumers the right to: 1) opt-out of the sale of their personal information to third parties; 2) request to know what personal information has been collected about them and how businesses have sold or disclosed that information to third parties; and 3) request that businesses delete personal information that has been collected from/about them. The CCPA regulations provide detailed requirements on how to present, process, respond to and store these requests. 
  • Accessibility: All of the foregoing CCPA-related notices should be accessible to consumers with disabilities and conform to standards included in the Web Content Accessibility Guidelines (“WCAG”), version 2.1, as promulgated by the World Wide Web Consortium (“W3C”). 

CCPA Enforcement 

Businesses that run afoul of the CCPA face both private rights of action and investigation by the California Attorney General’s Office. California consumers can bring private rights of action against businesses for data breaches (and only data breaches) that have exposed their non-encrypted and non-redacted personal information to unauthorized third parties. For private rights of action, statutory damages will amount to the greater of actual damages, or between $100 and $750 per consumer, per incident. Additionally, following the July 1, 2020 CCPA enforcement deadline, the California Attorney General is expected to begin sending notifications of alleged violation to non-compliant businesses. Please note that businesses will be afforded thirty (30) days to cure any instances of non-compliance. Civil penalties levied by the California Attorney General’s office will range from $2,500 for non-intentional violations, up to $7,500 for intentional violations. Notwithstanding the foregoing, considering the amount of time and resources that are being devoted to the COVID-19 pandemic response, it is unclear how the California Attorney General’s Office will prioritize CCPA enforcement. We expect that the Attorney General will initially focus its attention on the largest companies that have misused the most amount of consumer data. 

If you require assistance in connection with CCPA compliance, please email us at info@kleinmoynihan.com, or call us at (646) 713-1684. 

The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney. 

Attorney Advertising

Related Blog Posts:

California Data Broker Registration Requirements

Preparing CCPA Privacy Policies Before the July 1 Enforcement Date

CCPA Record Keeping Requirements

Preparing CCPA Privacy Policies Before the July 1 Enforcement Date

by David Klein

Despite the myriad issues that businesses now face with the Covid-19 pandemic, the California State Attorney General remains committed to the California Consumer Privacy Act (“CCPA”) enforcement date of July 1, 2020. As such, businesses that have not already done so should add CCPA compliance to their immediate to-do lists. One area of compliance that requires attention is online privacy policies that include CCPA-mandated provisions (“CCPA Privacy Policies”). Since the proposed CCPA regulations were first released to the public on October 11, 2019, the California State Attorney General’s Office has released two (2) modifications thereto. Those modifications have, in turn, necessitated changes to companies’ CCPA Privacy Policies. Businesses must, among other things, update their online privacy policies to ensure that they include CCPA-required disclosures and the associated menu of consumer options. 

What is required of CCPA Privacy Policies?

[Read More]