It’s a stressful moment for any business leader: You’ve just received a written notice from the California Attorney General alleging violations of the California Consumer Privacy Act (CCPA), and you have 30 days to respond. For many business leaders, this may be the first time they’ve ever heard of the data privacy law. What do you do now?
There are two things you should do immediately. The first is to contact the Office of the Attorney General (OAG) directly to confirm that the notice is actually legitimate and not a scam. The second is to contact your business’s attorney. Every situation is different, and while this article provides helpful information, it is not a substitute for legal advice.
With that out of the way, here is some of the most important information you’ll need moving forward.
The CCPA is a state law designed to give California residents (“consumers”) more control over how their personal information is collected and used by businesses. It does so by creating a variety of legal obligations toward consumers, primarily falling into two categories: posting the required privacy notices and responding to consumers’ privacy requests. Read our Guide to the CCPA for more detailed information and to see if the CCPA applies to your business.
Businesses that fail to meet their obligations may face enforcement actions, including injunctive relief and civil penalties of up to $7,500 per violation. However, the law’s cure provision states that the OAG must first give businesses 30 days to fix any alleged violations and provide assurance that they won’t happen again in the future. This is called a cure notice, or sometimes an enforcement notice.
The most common violations of the CCPA occur when businesses fail to provide the required privacy notices to consumers.
The majority of businesses already have a privacy policy posted on their website, but the CCPA identifies specific types of information that it must contain. These include the categories of personal information being collected, the purposes for which it is collected, the categories of outside parties to which the business discloses the information, consumers’ privacy rights under the CCPA, and how to submit privacy requests.
Depending on the business’s practices, there may be additional notices required. For example, if a business sells consumers’ personal information, as defined by the CCPA, it must disclose this fact. It also must post a clear and conspicuous “Do Not Sell My Personal Information” link on its home page, sending consumers to the privacy notice and instructions for submitting a request to opt out. The only alternative is to cease any activities that qualify as a sale of personal information.
Posting CCPA-compliant privacy notices within 30 days is relatively easy, but only if the business already has a detailed data map. A data map helps businesses understand what personal information is being collected, whom it is collected from, and how it is used. It is the cornerstone of CCPA compliance and informs everything in the privacy notices.
In addition to keeping consumers informed, businesses have a duty to respond to CCPA privacy requests in a timely manner. Businesses must provide two methods of submitting privacy requests, at least one of which corresponds to how the business usually interacts with consumers. For example, an online retailer must provide at least one online method. Businesses have 45 days to comply with requests to know and delete, though this can be extended for another 45 days if reasonably necessary. They have 15 days to comply with a request to opt out.
Responding to privacy requests can be quite complex. All of the rules have nuances and exceptions that businesses need to be aware of in advance. If you’ve received a CCPA cure notice related to privacy requests, the OAG will want to see evidence of a system in place for dealing with requests in the future.
There is a separate type of cure notice that is mentioned in the CCPA, one that is sent by a consumer in the event of a cybersecurity breach. Though the CCPA does not create a private right of action for consumers to enforce their privacy rights, it does allow them to sue businesses when their non-encrypted and non-redacted personal data is subject to unauthorized access, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures and practices. In this case, consumers can recover statutory damages of up to $750, or actual damages, whichever is greater.
Before consumers can avail themselves of the CCPA’s private right of action—likely in the form of a class-action lawsuit—they must first send a written statement to the business giving it 30 days to cure any violation, if a cure is possible. The California Privacy Rights Act (CPRA) clarifies that implementing data protection measures after a breach will not cure the violation.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.