• Please search to find attorneys
Close Btn



Do Business In California? How To Avoid An Enforcement Action By The California Attorney General

The California Consumer Privacy Act (CCPA) became effective on January 1, 2020, and the California Office of the Attorney General (OAG) has been bringing enforcement actions against companies since July 1, 2020. With a year under our belt, we’ve gained important insight into the types of violations the OAG is focusing on. Notably, in July 2021, the OAG published an exemplary list of CCPA enforcement actions that the office has taken over the last year. This list helps provide further insight into the types of violations that the OAG has investigated, sent notices for, and seen remedied over the last year.

According to the OAG, CCPA violations thus far include inadequate notices to consumers, not providing a “Do Not Sell My Personal Information” (DNS) link, and not providing proper avenues to submit consumer requests, just to name a few.

Below are key tips for any organization doing business in California to implement today to avoid receiving a notice of violation from the OAG; these tips will help you avoid the real-world CCPA shortcomings that the OAG has investigated over the last year:

  • Establish Internal Policies and Mechanisms for Receiving, Reviewing, and Executing Consumer Requests. Many of the alleged violations of CCPA over the last year are related to businesses’ processing of consumer requests. To avoid such shortcomings, your business should implement mechanisms and internal policies to properly receive, review, and execute such requests. Those processes must take into account the required response timeframes, request methods and verification processes set forth in CCPA.
  • Provide Proper Notices of Financial Incentives. If you provide a financial incentive related to the collection of personal information, you must provide such notice prior to collection and the consumer must explicitly opt-in to the program. Financial incentives related to the collection of personal information are programs that provide an incentive or bonus to the consumer if they choose to opt-in to the collection, sale, and/or sharing of their data.
  • Include a Functional DNS link on Your Website. The requirement that businesses that sell or share personal data include a DNS link on their website is one of the most easily identified violations of CCPA. Consequently, the OAG has identified many businesses that have not conformed with this provision of CCPA over the last year. The link must be on the website’s homepage, conspicuous, functional, and titled “Do Not Sell My Personal Information.” The link must lead to a web page that directly and immediately empowers consumers to opt-out of the sale of their data, without any account creation or multiple submissions required.
  • Ensure that Your Service Provider Contracts Meet CCPA’s Requirements. Some businesses subject to CCPA have foregone updating their service provider contracts, which have led to alleged violations of CCPA. Service provider contracts must include various restrictions on the retention, use and disclosure of personal information.
  • Make Sure Your Privacy Policy is Updated. Many businesses that have lagged behind in updating their privacy policies have been alerted of their noncompliance by the OAG. In updating your privacy policy, the policy must include a litany of notices. In addition, CCPA requires that you review your privacy policy at least every 12 months for updates. Finally, make sure that your business is adhering to your posted privacy policy. Noncompliance with your own privacy policy may violate federal regulations in addition to state laws.
  • Comply with CCPA Regulations. The OAG has published several regulations that further refine and expand upon CCPA. Violations of these regulations are still subject to enforcement by the OAG, despite not being in the text of CCPA itself. Most notably, some businesses have been found to violate the OAG’s regulations regarding verification of authorized agents of consumers, including not providing proper notices specifying verification processes in their privacy policy.
  • Cure Period. If you are informed by the OAG of a potential CCPA violation, take advantage of the granted cure period and cure the violation within 30 days. Most businesses cure their alleged violations of CCPA within 30 days of receiving notice from OAG to wholly prevent further investigations and any punitive action.

Organizations must keep in mind that the above key tips only highlight certain violations we’ve seen the OAG focus on thus far. A comprehensive review of the CCPA and relevant regulations should be performed and a privacy compliance plan tailored to each organization’s activities.

The OAG also recently released an interactive tool for consumers to draft a notice of noncompliance and send it directly to businesses that may have violated the CCPA. California consumers have been active in reporting violations to date, and with this new easy tool, privacy experts expect to see an increase in the number of reported violations.

McGrath North’s Privacy and Cybersecurity team has vast knowledge in assisting organizations of all sizes and across all industries in the creation and implementation of a privacy and security compliance program. Whether your organization requires assistance with getting up to speed on CCPA compliance or is in need of a well-rounded and customized compliance plan, McGrath North can efficiently provide personalized support that makes sense for your organization.