California Attorney General Begins Enforcement of CCPA Even Ahead of Regulations’ Approval
Client Alert | 2 min read | 08.18.20
On August 14, 2020, California Attorney General Becerra announced that the Office of Administrative Law approved final regulations under the California Consumer Privacy Act (CCPA). The approved regulations, which became effective immediately, guide businesses and consumers on the CCPA. The final regulations can be found here.
Even before final approval of the regulations, the California Attorney General’s Office announced that it had already begun enforcing the CCPA in California. By July 10, 2020, the Office had issued warning notices to online businesses for failure to comply with the CCPA. The businesses receiving these notices will have 30 days to comply with the CCPA, or they risk a lawsuit being filed against them by the Attorney General’s Office. It is expected that in the future the AG will no longer issue warning letters and proceed with enforcement.
The CCPA allows California residents to learn what information companies have collected about them, seek the deletion of any collected information, and prevent companies from selling their personal information to third parties. The law also requires any covered business to place a link on its homepage, labeled “Do Not Sell My Personal Information,” that consumers can click to ensure the company does not sell their data. Additionally, the CCPA prohibits businesses from selling minors’ personal information without parental consent for those under the age of 13 or consent of those 13-16 years old.
The CCPA applies to companies that: (1) have more than $25 million in gross annual revenue; (2) buy, sell, or receive the personal information of at least 50,000 consumers, devices, or households; or (3) gain 50% or more of their annual revenue from selling consumers’ personal information.
When determining the recipients of the warning letters, the Attorney General’s Office reviewed consumer complaints, including some that were made on the Twitter platform. The Office has also advised businesses that sell consumers’ information to quickly confirm that they have a “do not sell” button on their website.
California businesses that are under the CCPA should carefully ensure they comply with all of the CCPA’s requirements, including the presence of the “do not sell” link, in order to avoid potential liability.
Contacts
Insights
Client Alert | 3 min read | 11.21.25
On November 7, 2025, in Thornton v. National Academy of Sciences, No. 25-cv-2155, 2025 WL 3123732 (D.D.C. Nov. 7, 2025), the District Court for the District of Columbia dismissed a False Claims Act (FCA) retaliation complaint on the basis that the plaintiff’s allegations that he was fired after blowing the whistle on purported illegally discriminatory use of federal funding was not sufficient to support his FCA claim. This case appears to be one of the first filed, and subsequently dismissed, following Deputy Attorney General Todd Blanche’s announcement of the creation of the Civil Rights Fraud Initiative on May 19, 2025, which “strongly encourages” private individuals to file lawsuits under the FCA relating to purportedly discriminatory and illegal use of federal funding for diversity, equity, and inclusion (DEI) initiatives in violation of Executive Order 14173, Ending Illegal Discrimination and Restoring Merit-Based Opportunity (Jan. 21, 2025). In this case, the court dismissed the FCA retaliation claim and rejected the argument that an organization could violate the FCA merely by “engaging in discriminatory conduct while conducting a federally funded study.” The analysis in Thornton could be a sign of how forthcoming arguments of retaliation based on reporting allegedly fraudulent DEI activity will be analyzed in the future.
Client Alert | 3 min read | 11.20.25
Client Alert | 3 min read | 11.20.25
Client Alert | 6 min read | 11.19.25
