CCPA update
Contributors
Eric P. Weiss
In 2018, California enacted the California Consumer Privacy Act (“CCPA”), which, in essence, granted consumers several rights, including the right to know how a business collects, uses, and shares personal information.
To supplement the CCPA and provide more protection to consumers, the California Privacy Rights Act (“CPRA”) was enacted with the passage of Proposition 24 in 2020. The CPRA expanded and introduced new privacy rights for consumers.
There have been several developments in 2024 pertaining to California’s privacy laws. Specifically, the California Privacy Protection Agency (“CPPA”) – the agency that enforces the CPRA – won the battle in an important court case that allows it to begin immediate enforcement of its revised CPRA regulations. In addition, the California Attorney General’s office (“AG”) announced its second-ever enforcement decision under the CPRA and further advised that it would continue with its enforcement “sweeps.”
Immediate enforcement of revised CCPA regulations
On June 30, 2023, the California Chamber of Commerce filed a complaint with the Sacramento County Superior Court and requested that the California Privacy Protection Agency (“CPPA”) delay its enforcement of CPRA regulations from July 1, 2023, to March 29, 2024. The crux of the California Chamber of Commerce’s argument was that the CPPA failed to honor its statutory deadline of finalizing all of the CPRA regulations by 2022 and instead finalized those regulations on March 29, 2023. Given the extensive requirements of the CPRA’s regulations, the California Chamber of Commerce argued that the CPPA should wait one year from the date of finalizing the CPRA regulations, to begin enforcement. The Sacramento Superior Court agreed with the California Chamber of Commerce and concluded that the CPPA could not begin enforcing the CPRA regulations until March 29, 2024.
On February 9, 2024, the California Third District Court of Appeals overturned the superior court’s decision postponing enforcement and determined that the CPPA and the California Attorney General could immediately enforce CPRA regulations without having to wait until the end of March 29, 2024. In overturning the decision, the appellate court found that “the statute does not unambiguously require a one-year gap between approval and enforcement regardless of when the approval occurs, and nothing in the relevant material presented for our review signals that the voters intended such a gap.” Since there was no clear intent to delay enforcement of the final regulations until a year after they were finalized, the CPPA could immediately begin enforcement. The California Chamber of Commerce filed a petition with the California Supreme Court to review the appellate court’s decision.
AG settlement with DoorDash
In February, the AG issued a $375,000 fine and “strong injunctive terms” against DoorDash to resolve allegations that the company violated both the CCPA and the California Online Privacy Protection Act (“COPPA”). Specifically, the California AG’s complaint alleged that DoorDash “sold” its customers’ personal information – by sharing the personal information with a marketing cooperative, which allowed other members of the cooperative to use the information for their own marketing efforts – without providing notice or the right to opt out, as required by the state’s privacy laws.
In announcing the enforcement decision, the AG stated, “I hope today’s settlement serves as a wakeup call to businesses: The CCPA has been in effect for over four years now, and businesses must comply with this important privacy law. Violations cannot be cured, and my office will hold businesses accountable if they sell data without protecting consumers’ rights.” In addition to the “wakeup call” that the AG mentioned with respect to the CCPA, this development is noteworthy because it demonstrates that the AG is also actively enforcing COPPA – a law that has been in effect for almost 20 years.
As a result of the DoorDash settlement, businesses should keep in mind the following:
- Failure to meet the requirements of CCPA may lead to fines of up to $7,500 for each intentional violation, and businesses could face up to millions of dollars in fines for repeated violations.
- Covered businesses should consider whether any disclosures of personal information could constitute a “sale” under the broad interpretation.
The DoorDash settlement is a warning for businesses to take the time to review their data collection and disclosure policies and platforms to ensure compliance with privacy laws, including the CCPA.
AG continues CCPA enforcement sweeps
On January 26, 2024, the California AG celebrated Data Privacy Day by announcing its latest CCPA “sweep.” As a result, the AG sent letters to businesses with popular streaming apps and devices alleging that they failed to comply with the CCPA. In years past, the California AG has conducted enforcement sweeps looking into specific practices and industries. But this latest sweep “focuses on the compliance of streaming services with CCPA’s opt-out requirements for businesses that sell or share consumer personal information, including those that do not offer an easy mechanism for consumers who want to stop the sale of their data.”
The AG’s announcement is just the start of what many anticipate will be a busy enforcement year for privacy compliance. Given the dynamic and complex changes in California’s privacy laws, it is imperative that your dealership be compliant with privacy laws to avoid punitive enforcement actions from the state.