As businesses await the January 1, 2023, effective date of the California Privacy Rights Act (CPRA), the California AG’s office has been actively enforcing the CCPA and providing updated guidance for consumers and businesses. Recently, California AG Rob Bonta held a press conference to discuss enforcement proceedings brought by his office over the last year and to announce a new tool designed to simplify consumer reporting of complaints related to personal information “sales” opt-outs. The AG’s office also recently released a summary of its CCPA enforcement activities as well as updated CCPA FAQs.
There are a number of important takeaways from the AG’s office’s recent announcements, which are discussed in greater detail below. In short:
- The AG’s office remains committed to requiring businesses to treat global browser privacy signals (“global privacy controls” or “GPCs”) as opt-out requests. Although there is currently no universally accepted global opt-out mechanism, the latest CCPA FAQs mandate that businesses treat GPC signals as valid CCPA opt-out requests – technical obstacles and consumer intent notwithstanding.
The AG’s CCPA “Consumer Privacy Interactive Tool” may increase pressure on businesses that have not yet prominently enabled “Do Not Sell” functionality. A new tool on the AG’s website will enable consumers who believe that a business is selling or has sold their personal information to generate a “notice of noncompliance” directed to the business. The AG’s website hints that such consumer-generated notices may satisfy the AG’s statutory obligation to provide notice before filing an enforcement action under the CCPA – regardless of whether the business believes it “sells” personal information or has previously received notice from the AG’s office.