The California Consumer Privacy Act (CCPA) has been mostly out of the headlines since enforcement started in July – but that doesn’t mean businesses can take their eye off the ball.
The California attorney general’s office isn’t.
“We’re watching and we’re aware [and] looking to see how the industry is responding,” said Lisa Kim, a deputy attorney general in the privacy and enforcement protection unit of the consumer law section at the California Department of Justice, speaking at an AdMonsters event in late August.
On July 1, which was its first opportunity to do so, the California AG’s office sent a series of warning notices to businesses for alleged violations of the CCPA.
Although the specific content of the letters is confidential, California’s supervising deputy AG, Stacey Schesser, did share a few titbits about the notices at an International Association of Privacy Professionals event in July.
The letters mainly targeted businesses that were missing key privacy disclosures on their website, such as a “Do Not Sell” link, Schesser said, or weren’t properly responding to consumer rights requests, including the right of access or deletion.
Under the law, businesses have 30 days to cure their violation before the AG takes any action. It’s been well over a month since the first wave of notices was sent, and it’s unclear if any further steps have been taken.
“We’ll have to wait and see how the AG approaches this,” said Gary Kibel, a partner at Davis & Gilbert. “But what is clear is that the AG wants to send a message about compliance with this initial batch of enforcement actions, like putting the industry on notice that this is real – and if you haven’t completed your compliance projects yet, get moving, because you could be next.”
Attention, ad tech
But it’s unlikely that ad tech companies will be part of this first wave of enforcement.
“What I don’t expect the AG to get into right now is the minutiae of whether or not data sharing in the ad tech ecosystem constitutes a sale or whether industry solutions [like the IAB Tech Lab’s compliance specs] are sufficient,” Kibel said. “I think that will come in time, but it probably won’t be a focus of any early enforcement actions.”
It’s safe to expect that the AG’s office will continue to go after mainly consumer-facing companies committing obvious infractions of foundational obligations under CCPA, such as the consumer right to transparency through a privacy policy. Investigators at the California DOJ can easily see if a company is in violation simply by visiting its website or following up on a specific consumer complaint.
That doesn’t mean ad tech is off the hook, though – far from it. Compliance programs are essential, even if the AG doesn’t appear to be targeting the ad tech ecosystem out of the gate.
At the same time, however, the ad tech industry is a focal point for a crop of new privacy tech startups, such as Mine and Tapmydata, that help consumers discover what data is being collected about them and make it easier for them to exercise their deletion rights.
“Those guys will create an environment where it’s really easy to complain about ad companies,” said Dan Clarke, president of IntraEdge, an Intel-backed privacy technology platform. “They’ll help drive complaints and that will help drive enforcement.”
Putting aside any class-action lawsuits that might arise from aggregating consumer complaints – there’s a private right of action under CCPA for violations that involve data breaches – collecting complaints could focus the AG’s attention on a particular company or industry.
Just when you thought it was safe …
But there’s something else on the horizon that could spur enforcement, and in a big way.
There’s a new initiative on the November ballot in California from the same grassroots advocacy group behind the CCPA.
The proposal, called the California Privacy Rights Act (CPRA), would make the CCPA more stringent and establish a dedicated privacy protection agency to enforce the law. This agency would have a $10 million annual budget, employ around 50 people and eventually supplant the California AG as the primary privacy enforcer.
If the CPRA passes, it would become enforceable on July 1, 2023, with a lookback to January 2022. That means the new enforcement agency would need to be up and running by some time in 2021, which is just around the corner.
“You’ve got to think that if I’m working in a new agency whose sole purpose is enforcing privacy laws in California that I’m going to be very aggressive,” Clarke said. “We’d see a dramatic increase in enforcement after the CPRA.”
But even if the CPRA isn’t adopted, the AG’s office will still be there ready to enforce the CCPA.
“My word of warning or advice would be that you need to take this seriously and make a good-faith effort to comply – don’t take the posture of just wait and see,” cautioned California Deputy AG Kim. “The CPRA may change things, but it’s really just going to be adding to it, and not completely changing the law.”