California Privacy Enforcement Will Heat up This Summer as the Agency Takes Control

Privacy & Cybersecurity Newsletter
June 2023

The California Privacy Rights Act (the “CPRA”), which substantially amended the California Consumer Privacy Act (the “CCPA”), took effect January 1, 2023. Beginning July 1, 2023, the newly formed California Privacy Protection Agency (the “Agency”) will be responsible for handling the enforcement actions already authorized by the CCPA and enforcing violations of the new provisions implemented by the CPRA. Since the passage of the CPRA, the Agency has been busy finalizing the rulemaking package, which was approved by the California Office of Administrative Law on March 30, 2023. It is apparent that the Agency will not waste any time enforcing the CPRA, and businesses operating in California should be on high alert.

The Agency Confirms Commitment to Aggressive Enforcement

The Agency confirmed at a public board meeting on March 3, 2023 that it is prioritizing enforcement preparedness as the July 1, 2023 CPRA enforcement date rapidly approaches. This includes ramping up hiring and budgeting for enforcement positions as the Agency prepares to take on concurrent enforcement of the CCPA and CPRA.

The Agency’s new authority comes on the heels of the Attorney General’s (“AG”) landmark enforcement action against beauty retailer Sephora, Inc., which resulted in a $1.2 million stipulated judgment against Sephora for violations of the CCPA. The AG’s settlement with Sephora was the result of a broader enforcement sweep in which the AG was investigating compliance with Global Privacy Control (“GPC”) directives. The AG emphasized his Office’s intent to increase enforcement of the CCPA, highlighting scores of violation notices that were sent out in 2022.

Importantly, the 30-day notice and opportunity to cure period provided by the CCPA expired on January 1, 2023, and the CPRA does not provide for a similar cure period. Consequently, businesses now should not expect to receive violation warnings. Instead, the CPRA permits the Agency to order substantial administrative fines (from $2,500 to $7,500 per violation) at the time a cease and desist letter is issued.

Compliance With Opt-out Requests Is Still an Area of Focus

On January 27, 2023, the AG announced an investigative emphasis focused on mobile application compliance with the CCPA, targeting apps that fail to offer consumers an opt-out option or fail to honor the opt-out requests they receive. The AG’s announcement called out “popular apps in retail, travel, and food service” for allegedly failing to comply with the CCPA and specifically urged “the tech industry to innovate for good – including developing and adopting user-enabled global privacy controls for mobile operating systems that allow consumers to stop apps from selling their data.” The AG’s comments echo his prior praise for the convenience of universal opt-out options for consumers, and it appears that the Agency will likely take a similar interest in GPCs when it takes over enforcement of the CCPA and CPRA. Thus, businesses should prioritize convenience to consumers when implementing and complying with opt-out requests.

In addition to the GPC violations that landed Sephora in hot water, the AG previously announced notices for other violations of the CCPA last year, including:

  • failure to post a Notice of Financial Incentives with regard to loyalty programs that offered financial incentives in exchange for collection of consumers’ personal information;
  • failure to post required notices concerning CCPA consumer rights;
  • failure to disclose whether the company has sold personal information;
  • failure to display a clear “Do Not Sell My Personal Information” link;
  • erroneous treatment of requests to know;
  • non-compliant privacy policies;
  • non-compliant opt-out processes;
  • non-compliant service provider contracts;
  • untimely responses to CCPA requests;
  • charging consumers to respond to a request under the CCPA;
  • defective methods to submit requests;
  • and more.

Given the broad array of issues that the AG has already identified, it seems that nothing will be off-limits when the Agency takes over this summer.

Chamber of Commerce Seeks Delay of CPRA Enforcement

Given the fast-approaching enforcement date, the California Chamber of Commerce is seeking to obtain more time for its members – California businesses – to comply with the CPRA. This request is partly based on the fact that the Agency delayed finalizing the rulemaking package for months, leaving California businesses in the dark about what business practice changes are required. As a result, the Chamber filed a lawsuit in a California state trial court on March 30, 2023, seeking a twelve-month extension on the compliance deadline contemplated in Proposition 24. The Chamber argues that the Agency was required to adopt final regulations by July 1, 2022 (one year prior to the CPRA enforcement date), but failed to do so until March 2023. The Agency’s delayed and piecemeal approach to the regulations imposes a difficult, if not impossible, requirement on businesses – giving them just three months to comply with the final rules.

Absent an injunction or expedited ruling from the court, though, businesses should assume that enforcement of the CPRA will still commence on July 1, 2023. Further, the CCPA remains enforceable, regardless of whether the Chamber is successful in its attempt to delay enforcement of the CPRA.


The Agency’s enforcement of the CCPA and CPRA is sure to bring heightened focus on compliance with these consumer privacy statutes in California. Further, given that the CPRA does not provide for a cure period, businesses interacting with California consumers should not expect to receive any warnings prior to the Agency’s commencement of enforcement actions. Businesses should review the Agency’s final rulemaking package and ensure that their policies and procedures comply with the CCPA and CPRA, including the newly implemented regulations, with a hyper-focus on convenience to consumers.