California is imposing tough new rules on processing the data of anyone under the age of 18, with the potential to affect businesses that don't target younger consumers.
The board of the California Privacy Protection Agency (CPPA) held a meeting on July 16, 2024, to discuss future regulations, legislative efforts related to privacy, and more. Included on the agenda was an annual update on enforcement from Deputy Director Michael Macko.
Perhaps seeking to allay concerns that the Agency’s enforcement of the California Privacy Protection Act (CCPA) has been lacking, especially when compared to ongoing enforcement by the state’s attorney general, Deputy Director Macko discussed in some detail what his division has been up to for the last 12 months.
Here are the key points.
The last year has been about building a robust enforcement division from the ground up. Not that long ago, the enforcement division was just one person; they have now filled roughly a dozen new positions and are still seeking a few more subject-matter experts to round out their technological expertise.
They’ve also been busy laying out the internal groundwork in terms of organization, processes, and technologies. Creating a new division within a new agency has presented the team with challenges, but also a unique opportunity to design the enforcement operations they want without the baggage of institutional inertia.
With all of these efforts coming to a close, the CPPA is ready to turn its attention to enforcement.
Without providing much detail, Deputy Director Macko strongly suggested that there is already enforcement happening now, but that it is not visible to the public. He gave a couple of reasons for this.
The first is that not every investigation proceeds to litigation; in fact, most of them do not. Whether in response to a consumer complaint or their own investigation, the CPPA starts by reaching out to the business in question. Many cases are resolved at this stage, and if there is a compliance issue it may be fixed voluntarily by the business.
The second reason is timing. According to Deputy Director Macko, the average time needed to resolve a consumer protection case is approximately 18 months. That timeframe can easily stretch out longer. For an enforcement division that has only existed for just over a year, it is not surprising that we haven’t seen any major case announcements yet from the CPPA.
The CPPA’s online consumer complaint tool has gotten a lot of hits. In the 12-month period from July 2023 to June 2024, the CPPA got 2176 separate complaints. They review every consumer complaint, typically with 7–14 days. The most common topics were:
Obviously just these three categories add to up to well over 100%, signaling that a single complaint may relate to multiple issues.
The CPPA also set out a number of priorities for future enforcement, putting businesses on notice. These priorities are:
Earlier in 2024, the CPPA released its first enforcement advisory, focused on the principle of data minimization as it relates to privacy requests. Deputy Director Macko stated that we should expect more of these in the future, possibly later this year.
Why does this matter? Macko indicated that if an enforcement advisory had been published on a certain topic, that fact would likely be taken into consideration while investigating any alleged violations related to that advisory.
In other words, the enforcement advisories are meant to put regulated businesses on notice; failure to take any necessary action in response to those advisories means the CPPA is less likely to give an opportunity to cure and more likely to impose a fine.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.