The California Consumer Privacy Act (CCPA) took effect on July 1, 2020, providing state residents with the most comprehensive data privacy protections in the US. Comparable to the EU’s GDPR, the CCPA specifies individuals’ rights regarding companies collecting, using, and storing their personal data.
Who enforces CCPA compliance? California’s Office of the Attorney General.
Who Enforces the CCPA?
The Attorney General for the state of California enforces CCPA compliance. While the CA Attorney General (AG) is responsible for enforcing the CCPA, there is no recurring audit or self-reporting process—unlike many other compliance frameworks. Instead, individual citizens typically report suspected CCPA violations.
The Office of the Attorney General (OAG), the entity that enforces CCPA compliance broadly, investigates these submitted complaints.
Notice of Noncompliance
If a business is found to be, or suspected of, violating the CCPA, it will receive notice from the California AG’s office. Once notified, it must fix the instance of noncompliance or provide evidence that the listed activities fall within the CCPA’s approved scope. As a compliance expert, RSI Security can help your company navigate CCPA compliance or remediation efforts.
The OAG website has published 27 examples of companies notified of alleged noncompliance during the first year of enforcement. All of these cases resulted in remediation efforts.
The California AG’s CCPA Noncompliance Notification Examples
The list of notified companies spans numerous industries and all enterprise sizes, including:
- Online services – Including services for consumers and businesses:
  - Consumer services – Including social media, media, classified advertisements, event sales, education technology, pet adoption, dating, gaming, retail electronics, and retail clothing companies
  - Business-to-Business (B2B) Services – Including marketing, advertising, data broker, email newsletter platform, and digital strategy companies
- Physical Locations – Including retail grocers and an automotive dealership
- B2B Distribution – Including children’s toy and video game distributors
The general lack of sector focus shows that the California AG takes enforcement seriously and hasn’t spared any industry from CCPA investigation.
Demonstrating CCPA Compliance Following Notice
In one of the noncompliance notice examples published by the CA Attorney General, a company demonstrated that the suspected violations were unfounded. The evidence it provided showed that it had acted as a service provider for other businesses and did not share processed consumer information obtained from one customer with any others.
However, the company in question still updated the terms provided to customers, specifying its service provider obligations per the CCPA.
To avoid enforcement, companies must enact compliance measures to adhere to the CCPA for all CA residents. The CCPA revolves around four enumerated rights:
- The “right to know” – Consumers are guaranteed the right to know what personal information a company collects and how it will be used (e.g., for personalized services, sharing, or sale).
- The “right to delete” – Consumers are granted the right to delete or request the disposal of collected personal information (subject to some exceptions).
- The “right to opt-out” – Consumers are granted the right to opt out of a company selling their personal information.
- The “right to non-discrimination” – Consumers may not be subject to altered goods and services or different quality levels if they exercise their CCPA rights.
  - However, the CCPA does acknowledge that if personal information is integral to the goods or services provided and a consumer has exercised their CCPA rights, a failure to complete transactions does not count as noncompliance. The same applies if a promotion or another deal is provided in exchange for collecting personal information.
While the CCPA took effect on July 1, 2020, the CA Attorney General published a series of proposed modifications in the following months. As of March 15, 2021, the OAG has announced that it approved the changes. The additions to the final CCPA regulations generally focus on:
- Expanded considerations for opting out
- Attempts to obfuscate consumers’ ability to exercise CCPA rights
- Authorized agents that may submit CCPA requests on consumers’ behalf
- CCPA considerations for CA minors
Companies Subject to the CCPA
All for-profit companies conducting business within California and that collect individuals’ personal data are subject to the CCPA, provided they meet at least one of the following criteria:
- Annual gross revenues exceed $25 million
- Business activities include buying, selling, or sharing the personal data of 50,000 or more individual consumers or households
- Selling personal data generates over 50% of the company’s annual revenue
Note that nonprofit and public organizations and government agencies are not subject to the CCPA.
CA residents retain the data privacy rights specified within the CCPA regardless of a company’s primary location—as with the EU’s GDPR, which protects member states’ citizens. Therefore, conducting for-profit business in California (and meeting at least one of the above criteria) automatically obligates a company to comply with the CCPA.
Ensure CCPA Compliance
Much as the EU’s GDPR brought sweeping data privacy changes across all industries and business activities, the CCPA requires substantial consideration and effort for companies to remain compliant. With the CCPA in effect for just over one year, the CA Attorney General’s Office, which enforces CCPA compliance, has already sent notifications of suspected violations to many companies.
As a compliance and cybersecurity expert, RSI Security can help review your company’s current policies and practices—as well as revise or implement new ones—to help ensure CCPA compliance.