On July 19, California’s recently appointed Attorney General, Rob Bonta, launched an interactive tool to aid consumers with drafting notices of noncompliance for businesses who fail to publish the “Do Not Sell My Personal Information” link (DNS link) required by the California Consumer Privacy Act (CCPA). According to the AG, the consumer notice “may trigger” the 30-day cure period businesses enjoy before becoming subject to enforcement actions for non-compliance. Questions remain about use of resident-led notices of noncompliance, including whether this novel approach satisfies CCPA notice requirements or whether it may foster spamming and other abuses.

The tool provides consumers with an eight-part questionnaire seeking to confirm that the business they are reporting is subject to the CCPA, sells personal information, and has failed to publish a DNS link or has published a DNS link that is “difficult and confusing to find” in violation of the CCPA’s obligation that the link be “clear and conspicuous.” If the questions are answered in a way that signals the business may not be in compliance with the CCPA, the tool generates a draft notice of noncompliance that consumers can then copy into an email to the business. Allegations made in this way are not verified by the California Attorney General.

Examples of the notice of noncompliance letters generated using the tool are here (no DNS link) and here (DNS link not clear and conspicuous).

The CCPA provides businesses who are alleged to be in noncompliance with the CCPA with a 30-day period to “cure” any violations of law before becoming liable for their noncompliance. The AG has stated, and confirmed in a press release, its view that notices of noncompliance delivered to businesses by consumers “may trigger” the CCPA’s 30-day cure period. The legal basis for having consumer-driven notices trigger the cure period is not immediately clear. The AG also instructs consumers to file follow-up complaints with the AG’s office against any business that fails to cure alleged noncompliance within 30 days after receiving the consumer’s email.

The AG’s office announced the tool’s release during a press conference where it also provided an update on CCPA enforcement. According to the AG, 75% of businesses who have received a notice of noncompliance from the AG have cured the alleged violation and the remaining 25% are still within the 30-day cure period or are subject to an open investigation. The AG also published a collection of CCPA enforcement case examples summarizing how businesses have cured alleged CCPA violations following receipt of notices of noncompliance.

It is not yet clear what impact the tool will have on future CCPA enforcement actions, other than to signal that the CCPA continues to be a point of focus for the AG’s office, which is seeking to leverage increased public attention to privacy issues as a means to develop enforcement opportunities. It also suggests that the AG’s office is considering ways to delegate its statutory obligation to issue the notices of noncompliance that give companies the opportunity to cure violations, rather than issuing those notices itself.

The legal viability of this strategy remains unclear. Ultimately, whether consumers, rather than the AG, can trigger the 30-day cure period will likely need to be decided in court. The passive formulation of language supporting the AG’s interpretation at 1798.155(a) (“. . . if the business fails to cure any alleged violation within 30 days after being notified . . .”) leaves room on its face for consumers to trigger the cure period through notice, but there is not a clear mandate like the one found in analogous language at 1798.150 related to consumers’ private right of action to enforce security harms (“. . . a consumer provides a business 30 days’ written notice . . .”). Due process considerations also may need to be taken into account.

The tool is also likely to face other challenges. For example, the tool generates draft notices of noncompliance addressed to particular businesses, but there is no accountability mechanism to confirm the identity of the individual generating the notice. Based on our review, notices can be generated through the tool anonymously with ease. There also is no mechanism to confirm that the business subject to a notice of noncompliance generated through the tool actually has violated the CCPA, which still would need to be confirmed independently by the AG.

There are two practical effects from this pronouncement. First, businesses may start to receive these consumer-generated “notices of noncompliance,” which may merit at least a review to determine what complaints may be filed with the AG. Second, if the AG’s interpretation prevails, these notices may impact the ability to cure violations before AG enforcement can occur (although the ability to cure violations was slated to go away in January 2023 anyway, when the California Privacy Rights Act updates the CCPA).