California Attorney General Begins Enforcement of CCPA Even Ahead of Regulations’ Approval

On August 14, 2020, California Attorney General Becerra announced that the Office of Administrative Law approved final regulations under the California Consumer Privacy Act (CCPA). The approved regulations, which became effective immediately, guide businesses and consumers on the CCPA.  The final regulations can be found here.

Even before final approval of the regulations, the California Attorney General’s Office announced that it had already begun enforcing the CCPA in California. By July 10, 2020, the Office had issued warning notices to online businesses for failure to comply with the CCPA. The businesses receiving these notices will have 30 days to comply with the CCPA, or they risk a lawsuit being filed against them by the Attorney General’s Office. It is expected that in the future the AG will no longer issue warning letters and proceed with enforcement.

The CCPA allows California residents to learn what information companies have collected about them, seek the deletion of any collected information, and prevent companies from selling their personal information to third parties. The law also requires any covered business to place a link on its homepage, labeled “Do Not Sell My Personal Information,” that consumers can click to ensure the company does not sell their data. Additionally, the CCPA prohibits businesses from selling minors’ personal information without parental consent for those under the age of 13 or consent of those 13-16 years old.

The CCPA applies to companies that: (1) have more than $25 million in gross annual revenue; (2) buy, sell, or receive the personal information of at least 50,000 consumers, devices, or households; or (3) gain 50% or more of their annual revenue from selling consumers’ personal information.

When determining the recipients of the warning letters, the Attorney General’s Office reviewed consumer complaints, including some that were made on the Twitter platform. The Office has also advised businesses that sell consumers’ information to quickly confirm that they have a “do not sell” button on their website. 

California businesses that are under the CCPA should carefully ensure they comply with all of the CCPA’s requirements, including the presence of the “do not sell” link, in order to avoid potential liability.