Keypoint: The Attorney General’s announcement of a $1.2 million penalty sends a “strong message” to companies to come into compliance.

On August 24, 2022, California Attorney General Bonta announced the first public enforcement action under the California Consumer Privacy Act (CCPA) as well as a new round of investigative sweeps and more enforcement case examples.

During an online press conference, Attorney General Bonta announced a $1.2 million settlement with a company over allegations it illegally sold data in violation of the CCPA. Bonta stated the enforcement action should send a “strong message” to companies to comply with the CCPA. The enforcement action arose out of a prior investigative sweep in which the Attorney General’s office sent over one-hundred (100) notices of violation.

The accompanying press release stated the company allegedly “failed to disclose to consumers that it was selling their personal information, that it failed to process user requests to opt out of sale via user-enabled global privacy controls in violation of the CCPA, and that it did not cure these violations within the thirty (30) day period currently allowed by the CCPA.”

In addition to the $1.2 million penalty, the company must:

  • Clarify its online disclosures and privacy policy to include an affirmative representation that it sells data;
  • Provide mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control;
  • Conform its service provider agreements to the CCPA’s requirements; and
  • Provide reports to the Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor Global Privacy Control.

Attorney General Bonta also announced that his office was in the process of sending over a dozen more notices of violation today. Companies receiving notices will have thirty (30) days to comply or face an enforcement action.

Attorney General Bonta was quick to point out that “the kid gloves are coming off” with the CCPA’s right to cure period expiring on January 1, 2023. According to Bonta, “there are no more excuses” for noncompliance.

Finally, the Attorney General’s office updated its list of enforcement case examples with thirteen (13) more examples. The examples include companies (1) failing to recognize the Global Privacy Control signal, (2) not posting financial incentive notices, (3) providing incorrect privacy policy disclosures, (4) failing to process consumer requests, and (5) not providing the required notice at collection.