A plan for an enforcement program under the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) (collectively CCPA) is on its way from the California Privacy Protection Agency (CPPA). Despite a recent court ruling that the enforcement of some of the amendments under the CPRA cannot begin until March 2024, last week the CPPA revealed three key areas of its enforcement focus. While the CPPA is still in the process of building and hiring the enforcement team, the agency indicated that despite the court ruling it will still begin enforcing the underlying statute and previous regulations this year. The CPPA Deputy Director of Enforcement, Michael Macko, said, “There’s no vacation here from enforcement. When we find violations, we will take aggressive action to protect the public.”
The CPPA will focus its efforts on three areas of enforcement:
- privacy notices and policies;
- consumers’ right to delete personal information; and
- the handling and implementation of consumer requests.
Deputy Director Macko also said, “We expect vigorous enforcement over the coming year, and by March 2024, we would expect to see robust compliance with the entire set of regulations.” The CPPA will be reviewing companies’ privacy policies to see if what they say they are doing matches with what they are actually doing. The agency sees non-compliance with a company’s own privacy policy to likely lead to other issues of non-compliance such as not respecting consumers’ privacy rights. Since the consumer right to delete their data is “well-established” and “long-standing” this will be a focus for enforcement. Another area under scrutiny includes proper notification of a consumers’ right to opt-out of the sale of their data. Deputy Director Macko added in his statement that companies that implement smooth experiences for consumers exercising their rights will more likely be found in compliance.
The CPPA will consider many factors in determining which violations to pursue such as the severity of the harm to consumers, good-faith efforts to comply, and the company’s size and resources. However, incidents that involve children, older adults, marginalized communities, and other vulnerable populations will receive special scrutiny and focus.
One of the ways in which the CPPA will find potential violations will be through its new consumer complaint system. So far, 13 complaints have been submitted via this system. While this statement from the CPPA is certainly helpful guidance for companies struggling with CCPA compliance issues, there are still some unanswered questions. Companies still do not know how fines per number of violations will be calculated or the process for the agency to coordinate with the state attorney general to request an injunction against a business. Next steps for your business: get ready and make sure you are in compliance.