CCPA Update: Agencies Push Ahead with Enforcement as Superior Court Delays New Regulations
The California Privacy Protection Agency (CPPA) and California Office of Attorney General (OAG) are publicly pressing ahead with enforcement now that they have the authority to enforce the California Consumer Privacy Act (CCPA) as of July 1st. While the agencies did not announce headline grabbing enforcement decisions at the start of the month, there were some notable developments.
Investigative Sweep Targeting Employers
On July 14th, OAG announced an investigative sweep targeting employer compliance with the CCPA.
Beginning January 1, 2023, after three years of statutory delays, the CCPA now applies to employers, requiring them to provide employees with privacy notices and to respond to employee privacy requests, including to access, correct, and delete their personal information, and offer opt outs, as applicable.
As part of the OAG sweep, the agency sent inquiry letters to large employers in California asking about how these companies comply with the CCPA’s requirements with respect to their employees and job applicants.
Under recent amendments to the CCPA, OAG and CPPA both have authority to enforce the privacy law although only the CPPA has the ability to engage in rulemaking. The CCPA no longer provides a right to cure violations of the law before either the OAG or CPPA allege a violation, although the statute indicates the CPPA may decide to offer a right to cure based on a lack of intent to violate CCPA or efforts undertaken by a business to cure the alleged violation. The OAG also maintains discretion in how it evaluates a company’s compliance and whether an enforcement action is appropriate.
Enforcement Update & Priorities
Also on July 14th, the CPPA held a public meeting that in part responded to the recent Superior Court decision in California Chamber of Commerce v. California Privacy Protection Agency delaying enforcement of the CPPA’s recently finalized rulemaking completed on March 29, 2023.
During the meeting, Deputy Director of Enforcement for CPPA, Michael Macko, stated businesses “do not have a free pass” from all enforcement after the decision.
The Court’s ruling was based on the language of the California Privacy Rights Act ballot initiative approved by voters in November 2020 that added new requirements to the CCPA and created the CPPA. Under the ballot initiative, the CPPA was required to complete its rules on July 1, 2022, one year prior to enforcing those rules on July 1, 2023, but CPPA did not meet the deadline. The Superior Court stayed the agency’s enforcement of wholly new regulations for 12 months from the date the regulations were finalized in order to reflect the one-year timeframe codified in the ballot initiative.
Nonetheless, the CPPA’s position is that the court decision does not stop the Enforcement Division from enforcing the CCPA statute and earlier versions of the CCPA regulations. Macko also explained that regulations affected by the ruling are only one enforcement tool that the Enforcement Division plans to use. Macko expects to see robust compliance, while being sensitive and aware of potential implications and impacts for businesses that designed their compliance based on the new regulations.
Macko also described that the CPPA’s stance on enforcement will be emphasizing matters involving children, the elderly, and vulnerable or marginalized groups that he said are “susceptible to privacy violations or commonly overlooked.” According to Macko, cases will be considered based on overall circumstances, including harm to consumers, nature and severity to the harm, good nature to comply, and the size and resources of a business.
Macko also indicated the CPPA will prioritize privacy notices and policies. This includes reviewing whether businesses are collecting data in the way they tell consumers, how businesses are complying with the right to delete personal information, and the implementation of consumer requests from the stand point of business practices.
Legislative Update and CPPA’s Position on Pending Legislation
The CPPA also used its July 14th meeting to endorse legislation that amends or impacts the CCPA. Maureen Mahoney, Deputy Director of Policy & Legislation for the CPPA, proposed that the CPPA make recommendations for the following bills that would directly affect the agency or its operations. Here is a list of pending legislation that the Board voted to recommend:
- Sensitive Personal Information: Assembly Bill 947 adds immigration and citizenship status to the definition of sensitive personal information. The bill is slated for a third reading in the California Senate after passage in the California Senate Appropriations Committee.
- Reproductive Health: Assembly Bill 1194 provides additional consumer protection for reproductive health information, including information related to accessing, searching, or procuring abortion services, pregnancy care, perinatal care, and contraception. The bill is currently under consideration by the California Senate Appropriations Committee.
- Statute of Limitations: Assembly Bill 1546 changes the statute of limitations to enforce a civil action within one year of the violation to begin instead within five years of the violation. The bill is currently under consideration by the California Senate Appropriations Committee.
- Data Broker Registration: Senate Bill 362 amends the California’s Data Broker Registry Law to transfer administration and rulemaking authority to the CPPA and directs the agency to establish a deletion mechanism for consumers to request all data brokers to delete their personal information through a single request. Beginning July 1, 2026 under the legislation, data brokers will not be able to sell or share new personal information from consumers that have already requested deletion, unless the consumer states otherwise. Starting on January 1, 2028, and every three years, data brokers will be audited by an independent third party to determine compliance. The bill is currently re-referred to the Committee on Appropriations pursuant to Assembly Rule 96.
The California legislature is currently on recess and reconvenes August 14th.
If you have any questions about the above developments, compliance efforts with the new state privacy laws, or concerns related to a regulatory inquiry, please feel free to reach out to our team.
Summer Associate Brianna Robinson contributed to this post.