On July 1, 2020, the California State Attorney General (“AG”) began enforcement action against businesses that it believes have violated the California Consumer Privacy Act (“CCPA”). In anticipation of the July 1 deadline, it was unclear how the AG would prioritize CCPA enforcement. It was thought that the AG would target the largest businesses for CCPA violations in order to set an example for those companies (large and small) that meet the CCPA thresholds. In reality, the AG has shown no discretion with respect to CCPA enforcement and has sent notices of alleged violation to a large swath of businesses that it believes have not complied with the CCPA. 

What do these notices allege and how should you respond to them?

CCPA Enforcement Notices

Businesses that receive notices of alleged noncompliance will be provided with a summary of their purported CCPA violation(s). Examples of alleged violations that we have seen include failure to provide: 1) a clear and conspicuous link titled “Do Not Sell My Personal Information” on company homepages; 2) users with the opportunity to request that businesses disclose what personal information they have collected, used, shared and/or sold; 3) users with the ability to request that businesses delete the personal information that they have collected about them; and 4) a privacy policy that details consumers’ privacy rights and how they may exercise them. In the CCPA enforcement notices, businesses have been advised of the potential legal consequences associated with failure to comply, which include civil penalties of up to $2,500 for each violation, and penalties of $7,500 for violations that are deemed “intentional.” The notices explain that businesses have thirty (30) days to cure and respond to the AG.

Responding to Notices

Please note that fraudulent notices have been sent by scam artists for purposes of scaring businesses into paying money. As such, businesses should first confirm with the AG that the notices that they receive are valid before responding to them. Businesses should respond to valid notices via email to [email protected] within thirty (30) days of notice receipt. The responses should describe all actions that have taken in order to come into full compliance with the CCPA. Failure to respond and cure the alleged violations may lead to imposition of the above civil penalties.