You’ve Got Mail
California Attorney General Begins Enforcement of CCPA - Notices of Noncompliance Sent to “Swath” of Companies on July 1, 2020
The effective date for enforcement of the California Consumer Privacy Act (CCPA) by the Office of the California Attorney General (OAG) did not pass without some expected fireworks. Stacey Schesser, Supervising Deputy Attorney General for the State of California and part of a team of attorneys in the OAG charged with enforcing the CCPA, confirmed during a recent panel discussion hosted by the International Association of Privacy Professionals (IAPP) that the OAG began sending notices of noncompliance on July 1, 2020 to companies it believed were in violation of the CCPA.
Although she did not identify any of the companies targeted in the OAG’s initial notifications, companies in every industry sector need to be prepared for this new enforcement environment. The maintenance of a holistic CCPA compliance program - that includes an understanding what your customers are saying about your program - will go a long way in helping your company stay off the OAG’s mailing list.
Enforcement of Statutory Requirements
The proposed final CCPA regulations are still under review with California’s Office of Administrative Law. As such, Ms. Schesser confirmed that the OAG’s initial notices of noncompliance were focused on violations of the “four corners” of the statute. This leaves the OAG with a wide runway of issues to focus on in these initial enforcement actions.
Industry Focus
Ms. Schesser confirmed that the OAG selected its targets after reviewing the data privacy practices of a broad range of businesses. The initial round of notices was sent to a number of online-only businesses.
The pandemic did not slow down anyone’s ability to review the privacy notices posted on your company’s website and whether your company disclosed whether it was selling the personal information of California residents. Although online-only businesses may have been targeted in this initial round of notices of noncompliance, the OAG will likely expand its focus to other businesses.
Importance of Customer Complaints
For those financial services companies subject to the enforcement authority of the Consumer Financial Protection Bureau (CFPB), it should come as no surprise that customer complaints to the OAG and on social media sites such as Twitter factored into the OAG’s decision on which companies to target in its initial round of notices. Richard Cordray, the former director of the CFPB, noted in a speech on May 31, 2017 as follows:
Every complaint provides insight into real problems, experienced by real people, communicated nearly in real time. Of course, nobody actually believes that “the customer is always right,” but customers taken as a group can tell us a lot and we would be foolish not to listen closely to them as our truest compass point to guide the direction of our work.
The OAG has followed this same compass point. Ms. Schesser mentioned that the OAG had received thousands of complaints from consumers about the difficulties they were experiencing with certain companies in trying to exercise their CCPA rights. The OAG includes a link for consumers to “File a Complaint” on their CCPA page. See https://oag.ca.gov/privacy/ccpa. She also noted that the OAG had reviewed complaints posted on social media sites to identify companies to be targeted.
Companies should vigilantly monitor the complaints they receive directly from consumers, complaints forwarded to them for a response from the OAG and other regulators, and comments made on social media regarding their CCPA compliance program and proactively respond to any issues identified in these complaints.
Next Steps
The notices of noncompliance sent by the OAG are Step One in the enforcement process. Each company that receives a notice still has the the opportunity to prove to the OAG that the issues identified in the notice are unfounded or if accurate, to prove to the OAG that the company has cured the alleged violations.
A business will be in violation of the CCPA if it fails to cure any alleged violation within 30 days after being notified of the alleged noncompliance by the OAG. This is tight window to shore up any issues identified in a notice of noncompliance, but the potential civil penalties that may be assessed for violations of the CCPA provide a strong incentive to meet this deadline. Any business, service provider, or other person that violates the CCPA will be subject to an injunction and liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation. These civil penalties may be assessed and recovered in a civil action brought in the name of the people of the State of California by the OAG.
One of the key take-aways from this initial round of notices of noncompliance is the OAG’s focus on consumer complaints. There is no way to opt out of online ratings and reviews in today’s marketplace. As such, many companies may currently rely on social media monitoring and listening programs to track favorable and unfavorable mentions their brand online, but had not incorporated these programs into their overall CCPA compliance programs.
Companies should be proactively monitoring what their customers may be saying online about any difficulties they may be experiencing in exercising their CCPA rights and remediate any identified issues. Companies should also monitor the complaints they receive through other channels. Responding to such customer feedback allows companies to maintain their customers, increase the value of their brand, and improve their products and services. It may now also keep your company from receiving a notice of noncompliance from the OAG.