Reed Smith Client Alerts

One year after enforcement of the California Consumer Privacy Act (CCPA) took effect, the California attorney general (AG) released an enforcement update and a tool for consumers to create and issue notices of noncompliance with certain parts of the CCPA.

As businesses await the January 1, 2023, effective date of the California Privacy Rights Act (CPRA), the California AG’s office has been actively enforcing the CCPA and providing updated guidance for consumers and businesses. Recently, California AG Rob Bonta held a press conference to discuss enforcement proceedings brought by his office over the last year and to announce a new tool designed to simplify consumer reporting of complaints related to personal information “sales” opt-outs. The AG’s office also recently released a summary of its CCPA enforcement activities as well as updated CCPA FAQs.

There are a number of important takeaways from the AG’s office’s recent announcements, which are discussed in greater detail below. In short:

  • The AG has cast a wide net, but privacy policies and personal information “sales” are the most common bases for CCPA enforcement. According to the AG’s summary of 27 recent enforcement proceedings, businesses receiving notices of alleged noncompliance have run the gamut from brick-and-mortar grocery chains to online dating apps and marketing service providers. As expected, the majority of the enforcement activities have related to businesses’ compliance with the CCPA regulations’ privacy policy and personal information “sales” opt-out requirements. However, the AG’s office has also targeted an array of other subjects, such as children’s data, service provider vendor agreements, and notices of financial incentives.
  • The AG’s office remains committed to requiring businesses to treat global browser privacy signals (“global privacy controls” or “GPCs”) as opt-out requests. Although there is currently no universally accepted global opt-out mechanism, the latest CCPA FAQs mandate that businesses treat GPC signals as valid CCPA opt-out requests – technical obstacles and consumer intent notwithstanding.

The AG’s CCPA “Consumer Privacy Interactive Tool” may increase pressure on businesses that have not yet prominently enabled “Do Not Sell” functionality. A new tool on the AG’s website will enable consumers who believe that a business is selling or has sold their personal information to generate a “notice of noncompliance” directed to the business. The AG’s website hints that such consumer-generated notices may satisfy the AG’s statutory obligation to provide notice before filing an enforcement action under the CCPA – regardless of whether the business believes it “sells” personal information or has previously received notice from the AG’s office.