During a webinar last week hosted by the International Association of Privacy Professionals, a representative from the California Attorney General’s office confirmed that on July 1, the first date of the AG’s statutory enforcement authority, the office sent its first set of CCPA enforcement letters. Per the statute, businesses have 30 days to cure the violations before the AG’s office may commence a confidential investigation or initiate a lawsuit.
Although no specifics were disclosed, the representative stated that no one industry or sector was targeted in the July 1 enforcement letters but that all the subject businesses operated online and had to come into compliance concerning online statements or mechanisms. Notably, the representative described the opt-out right as the most robust CCPA right and suggested businesses that sell personal information ensure that the “do not sell my info” link is posted clearly and conspicuously on the homepage (as defined in the statute).
The representative mentioned that the AG’s office is monitoring consumer complaints made directly to the AG’s public inquiry unit, public complaints made on social media platforms and other outlets, as well as lawsuits alleging CCPA violations. Although currently only enforcing the four corners of the statute, the representative underscored the importance for businesses to read and understand the nuances of both the statute and the regulations because, upon the regulations being finalized, the AG will enforce both.
Per the representative, the AG’s office also recognizes the importance of consumer education around the CCPA. Perhaps in furtherance of that, the CCPA section of the AG’s website has been significantly revised to provide further information on the CCPA and now links to the AG’s online consumer complaint form.