Home Privacy The California Privacy Protection Agency Is ‘Primed And Ready’ For Enforcement

The California Privacy Protection Agency Is ‘Primed And Ready’ For Enforcement

SHARE:
grizzly bear

It may appear as if The California Privacy Protection Agency (CPPA) has been in hibernation mode.

Other than sporadic enforcement of the California Consumer Protection Act (CCPA) led by the state’s attorney general, whose office shares enforcement powers with the CPPA, it’s been mostly quiet on the western front.

Since the law came into effect more than four years ago, we’ve seen only two major settlements: one with Sephora in 2022 and one with DoorDash in February.

But don’t let that fool you. The bear is awake and it’s got an appetite.

‘Primed and ready’

The Supreme Court in California recently reinstated the agency’s full enforcement authority, which had been temporarily delayed after a lawsuit attempting to postpone enforcement was overturned in February.

Meanwhile, the CPPA has spent the past eight months staffing up, including hiring technologists, litigators, people with industry experience, experts in administrative proceedings, the former chief privacy officer of a Fortune 500 company and the former in-house counsel at a large tech company.

“We are primed and ready to go,” said Michael Macko, the agency’s deputy director of enforcement.

Macko was speaking to a room full of ad tech lawyers at an IAB event in Washington, DC, on Tuesday devoted to public policy and legal issues. He jokingly referred to himself as being “in the lion’s den.”

It’s sobering to hear a regulator say their office is “primed and ready” for enforcement, but it’s unlikely that any of the “lions” in the room were overly surprised by that pronouncement.

The California Privacy Protection Agency was quite literally created with a mandate to protect consumer privacy and enforce the CCPA with vigor.

But publicly calling out a company for violations, which Macko acknowledged can be a “blunt tool,” isn’t the only way to spur compliance in an industry.

Next up: enforcement advisories

Which is why the CPPA plans to periodically publish what it refers to as enforcement advisories that highlight specific provisions within the CCPA and other related regs.

You can think of an enforcement advisory as a gentle reminder of important aspects of the law – combined with a warning shot of sorts that more than hints at the agency’s enforcement priorities.

But the main purpose of an advisory is actually to avoid enforcement where possible. “This is our way to encourage voluntary compliance,” Macko said.

An advisory might emphasize a certain consumer right or address an issue that’s come up multiple times through the agency’s consumer complaint system. For example, Macko said the CPPA gets a heck of a lot of complaints about companies that don’t appear to be implementing opt-out requests properly.

Take the concept of data minimization, which was the subject of the agency’s first-ever enforcement advisory, released on Tuesday.

Data minimization is a core concept within the CCPA. It’s the practice of not hoarding data and only collecting and storing the personal information that’s necessary to complete a certain task.

There’s the potential for real harm when companies collect more information than they need, including data governance challenges and a greater risk of exposure in the event of a data breach.

But the CPPA’s enforcement division has noticed companies not applying the data minimization principle – and in some cases even flouting it in the name of compliance.

For instance, the CPPA has observed companies going overboard with their processing of consumer opt-outs by asking people to provide “excessive and unnecessary personal information.”

Say someone wants a company to delete their name and email address. Is it really necessary to ask that person to share their social security number or driver’s license number to verify their identity?

According to the advisory, that’s the type of question a business should ask itself before collecting gratuitous PII.

The many flavors of enforcement

The advisories will hopefully help companies avoid unwanted attention from the CPPA. But they aren’t a substitute for enforcement actions.

“You’re going to see a lot more engagement from us on the investigative side,” Macko said.

And enforcement and outreach can come in many forms and flavors.

Sometimes, it’s as simple as a phone call from a regulator or a casual email with a question or two about a business practice. Or a business might receive a narrative letter with questions, a request for documents or an informal information request.

In some cases, a letter may arrive enclosing a consumer complaint and an invitation to the business to respond – and if you get a letter like that, it’s not nothing. “We don’t send those out for every complaint,” Macko said. “There’s something that got our attention.”

And then there’s even less welcome correspondence, which can also arrive in the form of a subpoena for documents.

“We use all of those things,” Macko said.

Which may sound scary, but the worst-possible response in any scenario is to ignore a regulator’s outreach or fail to engage.

“Don’t let the anxiety about what will happen next prevent you from engaging,” Macko said. “The fear is usually that a regulator will use the information against you, but, more often than not, these kinds of engagements lead to more credibility with the regulator.”

Oh, and don’t get so caught up in building better mouse traps that you forget about the spirit of the law – which the ad tech industry has a tendency to do.

The agency is on the lookout for compliance shortcuts.

“We’re not looking for workarounds; we’re looking for meaningful compliance,” Macko said. “And it’s not an answer to say that a particular ecosystem is too complex to comply; that’s not a satisfactory response.”

Must Read

Why Media Mergers And Spin-Offs Don’t Always Keep Their Promises

With media megamergers, acquisitions and spin-offs left and right, the media landscape is changing at a pace that is difficult to keep up with.

TransUnion is partnering with Blockgraph so that advertisers can use its identity data to target, reach and measure TV households across channels.

How This Disaster Relief Nonprofit Tapped First-Party Data To Reach Donors Year-Round

Staying top of mind for potential donors is an ongoing challenge for Direct Relief. Nexxen’s audience curation helped it spread and sustain awareness.

Why Major UK Publishers Are Finally Joining Forces To Curate Ad Inventory

Atria’s collective approach is a response to growing monetization challenges and the need to protect the value of human journalism in the AI era.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters
Toronto Canada pride parade includes a crowd waving pride flags

Ad Performance And Politics Steered Brand Dollars Away From LGBTQ+ Communities – But The Pendulum Will Swing Back

The current administration has discouraged many marketers and organizations from showing support for the LGBTQ+ community, including during Pride month.

How AI Can Enhance Content Without Generating It

As much as consumers complain about AI-generated content, advertising experts say AI still has an important place in video creation and production, including for ads. But using AI in content without turning off consumers is a tricky dance.

How Tovala Banks On Subscriptions And Incrementality – But Not Ads – To Profit From Its Oven

Smart TVs, refrigerators and other home appliances may pester you with marketing, but at least the hardware is cheap. Another startup taking a different approach to the same theory is Tovala, which was founded in 2015 and combines a standalone countertop oven with a weekly meal kit subscription.