Attorney General enforcement of CCPA

Any lessons?

Published on

Among the most important features of the CCPA is that it vests most of the law’s enforcement with the California Attorney General’s Office. That means that private plaintiffs may not enforce most of the law’s provisions. This article looks at the tea leaves regarding the Attorney General’s enforcement to see what the future may hold.

In a presentation to the International Association of Privacy Professionals earlier this summer, Supervising Deputy Attorney General Stacey Schesser spoke about the AG’s planned and existing enforcement. Notably, she said that the AG has sent out initial letters to allegedly noncompliant businesses. While these letters are confidential, she provided the following observations:

  • They targeted multiple industries and business sectors.
  • They focused on businesses that operated online and were missing either key privacy disclosures or a “Do Not Sell” link (where AG thought one was necessary).
  • The targets of the letters were identified based, at least in part, on consumer complaints, including complaints made using social media.

Schesser states that future enforcement of the law is likely to emphasize the following areas:

  • Protections of minors and other vulnerable populations.
  • Large impacts on Californians
  • Actual harm to consumers.

Many businesses, such as car dealers, that do not handle a large amount of personal information for minors can take some comfort in these priorities. However, it is worth noting that the enforcement letters to date are at least partly motivated by consumer complaints. It is therefore crucial for California businesses to focus on the fact that the CCPA is a public facing law and that compliance should focus on meeting customers' expectations.