If you’re like us, you’ve been anticipating an announcement from the California Attorney General about the types of companies it targeted in its initial enforcement of the California Consumer Privacy Act (the “CCPA”), the types of violations the AG is interested in, and the types of arguments it is making in enforcing the Act.  While official word from the AG is unlikely before the end of the 30-day cure period following its initial notice letters, a member of the AG’s office did confirm during a recent panel discussion that the AG sent out those letters on July 1, 2020.

The statement was part of a fascinating and informative panel put on by the International Association of Privacy Professionals (“IAPP”).  It featured Stacey Schesser, Supervising Deputy Attorney General for the State of California and part of a multi-member team of attorneys in the AG’s office charged with enforcing the CCPA.  A recording is available on the IAPP’s website, and we encourage you to check it out if you’re a member.  In terms of the details gleaned from Ms. Schesser’s comments, here is what we know about the AG’s enforcement of the CCPA to date:

  • On July 1, 2020, the AG sent an initial wave of notice letters to companies it believed were in violation of the CCPA;
  • Because the CCPA Regulations are still under review with the Office of Administrative Law, the current round of enforcement is focused on violations of the “four corners” of the statute itself;
  • The initial round of letters focused on online-only businesses;
  • The AG selected its targets after reviewing the data privacy practices of a broad range of businesses;
  • Customer complaints on social media sites such as Twitter relating to difficulty exercising CCPA rights factored into the AG’s decisions on which companies to investigate; and
  • There was also an emphasis on violations of the CCPA’s rules governing the sale of personal information.

Obviously, none of the above is the “official” word of the AG, but it does give an idea of where CCPA enforcement currently stands.  In terms of future enforcement of the CCPA, it sounds like the AG could take things in several different directions.  The following seem to be among the key enforcement priorities:

  • Violations of the CCPA’s rules relating to children’s privacy;
  • Violations involving sensitive personal information such as financial or health information;
  • Violations of the CCPA in addition to another statute such as the California Online Privacy Protection Act, the California Confidentiality of Medical Information Act, or the California Unfair Competition Law;
  • Repeated consumer complaints; and
  • Issues raised in class actions brought by private plaintiffs that may go unaddressed without AG enforcement.

There are many lessons to be gleaned from the discussion that took place on this panel, not the least of which is to make sure your company is addressing any customer complaints about using the privacy rights the CCPA provides.