A court-ordered stay on enforcement of updates to certain parts of the California privacy regulation (the Ruling) has not slowed down enforcement of the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). In fact, the hot summer months of July and August are poised to be busy months of regulator activity. On Friday, July 14, the California Attorney General distributed a series of “inquiry letters” to certain businesses as part of an investigative sweep concerning employee privacy. Simultaneously, the California Privacy Protection Agency (CPPA) detailed its enforcement strategy for California state privacy laws in a public meeting, announcing the Agency’s plans to continue with enforcement where it is able, despite the stay on updates to the regulations. Most recently, on July 31, the CPPA announced a review of privacy practices around connected automobile data. This increased level of activity should encourage companies that have been slow to implement a compliant privacy program, including the updates that went effective on January 1, 2023.
California Attorney General Investigative Sweep
Making clear that its office intends to continue enforcing the CCPA and exercising its authority pursuant to Cal. Civ. Code 1798.199.90 alongside the enforcement and investigative activities of the CPPA, the California Attorney General’s Office announced an investigative sweep “through inquiry letters sent to large California employers requesting information on the companies’ compliance with the [CCPA] with respect to the personal information of employees and job applicants.” In the statement, Attorney General Rob Bonta stated: “We are sending inquiry letters to learn how employers are complying with their legal obligations. We look forward to their timely response.”
Recipients of the inquiry letters are strongly encouraged not to delay addressing the California Attorney General’s inquiries. The employee carve-out, as well as the CCPA 30-day cure period, both sunset at the end of 2022, and companies that are not compliant with the employee and applicant-focused obligations may find themselves under attorney general scrutiny.
Guiding Principles and Enforcement Priorities
At the July 14 CPPA meeting, the CPPA’s Deputy Director of Enforcement, Michael Macko, laid out “guiding principles” for enforcement and categories of enforcement priorities his Enforcement Division will focus on for the coming year, each laid out below.
A common theme and warning throughout the CPPA meeting were that the Ruling did not pause all enforcement of the California privacy law. Macko stated that while the Ruling delayed some enforcement of the Regulations, it did not impinge on the CPPA’s enforcement authority generally. He noted that “businesses do not have a free pass from all enforcement.” On the contrary, the CPPA still has the authority to enforce the CCPA, including those parts that were amended by the CPRA and took effect in January, as well as the corresponding 2020 regulations. Because many of these laws and regulations have been in place for years, Macko stated that enforcement authority for these portions of the law and regulations remains unchanged and active. Practitioners generally concur that the Ruling supports this same conclusion.
Furthermore, Macko noted that since the deadline for compliance with the Regulations was delayed by the Ruling until March 29, 2024, the Enforcement Division will expect businesses to be in “full compliance” when the Regulations become enforceable. Macko explicitly stated that the Ruling did not authorize a “vacation day” for enforcement and that businesses must be compliant with the statute’s text and earlier regulations or risk enforcement action.
This is yet another reason why businesses that have not brought their privacy programs into compliance with the CCPA should be working expeditiously to do so.
Guiding Principles for Enforcement
“We will enforce the laws fairly and sensibly.” Macko supported this pledge by establishing two “guiding principles” the Enforcement Division will follow.
Principle One: Sound Prosecutorial Discretion
First, Macko stressed the need for “sound prosecutorial discretion,” stating that the Enforcement Division will prioritize matters that involve vulnerable communities, including “children, the elderly, [and] any vulnerable or marginalized group that might be more susceptible to privacy violations or more susceptible to being overlooked.”
Principle Two: Overall Circumstances
Second, there will be consideration of “the overall circumstances of the case.” For example, in gauging whether to pursue matters, the Enforcement Division will weigh several factors, including:
- the harm to consumers;
- the nature and severity of the harm;
- a business’s ability to comply with the law; and
- a business’s size and resources.
Categories of Potential Enforcement Priorities
The CPPA’s Macko put to rest any notion that enforcement of violations would be delayed further, setting out the Enforcement Division’s three immediate enforcement priorities for the upcoming year:
- Privacy Notices and Policies. The focus will not be “legalese and paperwork” but rather an assessment of whether “businesses [are] doing what they say.” In that sense, this CPPA enforcement priority is expected to home in on whether businesses are honoring disclosures to their customers on how they collect, share, and use data.
- The Right to Delete. The focus will be on whether and how the “longstanding California right” to deletion of one’s personal data is being honored by entities.
- Implementation of Consumer Requests. Related to priority two, an overall focus will be placed on “how businesses, in fact, are evaluating and responding to consumer requests that they receive” and particularly assessing whether companies are erecting barriers for consumers who seek to exercise their rights.
Macko stressed that these priorities are simply a starting point and noted that “priorities will be evolving, and are not limited to these broad areas.” Nevertheless, these categories give a good signal as to what businesses can expect going forward: close regulatory scrutiny assessing their immediate California privacy compliance efforts.
CPPA Consumer Complaint System
During the CPPA meeting, Agency staff unveiled the CPPA’s Consumer Complaint System, a method for individual consumers in or outside California to submit an informal complaint directly to the CPPA regarding a business’s privacy practices. Agency staff will review these complaints and may elect to proceed with further enforcement as a result.
The Consumer Complaint form can be found on the CPPA’s home page or in the CPPA’s FAQs under the heading “Filing a Complaint with the CPPA?” The CPPA has already received 13 complaints through this mechanism since its soft launch in early July.
Our Chambers-ranked Privacy & Security team will continue monitoring upcoming developments as the California Attorney General and the CPPA move forward with enforcement.