California Enforcement Actions Signal the Need for CCPA Compliance

In August 2022, the California Office of Attorney General (OAG) issued its first fine for California Consumer Privacy Act (CCPA) violations. The OAG sued cosmetics retailer Sephora, in part for failing to provide consumers with a “Do Not Sell My Personal Information” link and continuing to sell information to third parties after consumers had opted out via General Privacy Controls (GPCs). Sephora entered into a $1.2 million settlement agreement with the OAG.

Many organizations are preparing to comply with the California Privacy Rights Act (CPRA), which goes into effect Jan. 1, 2023, with enforcement to begin on July 1, 2023. However, California AG Rob Bonta made it clear that his office is enforcing the existing CCPA. “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable,” he said in a statement.

Although the CCPA is state legislation, it has global reach. It applies to any covered business that collects data from California residents — regardless of where the business is physically located. Other states are also following the California model. Colorado, Connecticut, Utah and Virginia have enacted data privacy laws, and at least 38 other states introduced consumer privacy legislation.

Consumer Rights under the CCPA

There are variations from state to state, but these bills all tend to emulate the consumer rights established under California law. The CCPA specifically gives consumers:

  • The right to know. Businesses must inform consumers upfront that they’re collecting personal information, what categories of information they’re collecting and the purpose of the collection.

  • The right to disclosure. Upon receipt of a consumer’s verifiable request, businesses must disclose what personal information they’ve collected on the consumer in the previous 12 months.

  • The right to be forgotten. Businesses must delete consumers’ personal data upon request, although there are some exceptions.

  • The right to opt out. Consumers can ask businesses not to sell their personal information to third parties. Businesses must provide a conspicuous “Do Not Sell My Personal Information” link on the homepage of their websites.

  • The right to equal services and prices. A business may not discriminate against consumers who exercise their rights under the CCPA by denying goods or services or charging a different price or rate for them.

The regulation regarding GPCs was not part of the original CCPA but was added by the AG under statutory authority. Under the rule, businesses must provide a second opt-out mechanism, such as a toll-free phone number, an email address, a form submitted in person or through the mail, or user-enabled GPCs, which include browser plug-ins and privacy settings.

New Rules under the CPRA

The CPRA amends and expands on the CCPA with several new rights for California residents, including:

  • The right to opt out of sharing personal information. Consumers can ask businesses not to provide their information to third parties that use it for “cross-context behavioral advertising.”

  • The right to opt out of the use or disclosure of “sensitive personal information.” The CPRA classifies certain information, such as Social Security Numbers and health data, as sensitive. Consumers can ask that this information not be used or disclosed.

  • The right to correct personal information. Consumers can ask that businesses correct inaccurate information.

The CPRA eliminates the CCPA’s exceptions for employee and B2B personal information, increases data retention and purpose limitation requirements, and includes the first data minimization requirements in U.S. data privacy law. The CPRA also requires businesses to include certain provisions in contracts with service providers and other third parties.

Building Trust

Failure to comply with the CCPA can result in fines of up to $2,500 per violation, which can quickly add up considering that data breaches typically involve tens of thousands of unique records. The state may also impose fines of up to $7,500 per willful violation or for violations in which the business knew the consumer was under age 16. Beyond the fines, breaches can also result in civil lawsuits, lost customers and damaged reputation.

Of course, companies should not view data protection as just a way to avert negative consequences. It also creates important business benefits by building customer trust and loyalty, mitigating losses from data breaches, improving efficiency and enhancing data analytics.

At DeSeMa, we recognize that achieving and maintaining compliance with data privacy regulations can be a resource-intensive process. One of the biggest challenges organizations face is knowing where all of their sensitive data is stored.

As part of our asset management services, we track data storage locations across the extended enterprise, including cloud instances, remote locations, edge data centers and end-user devices. We also offer continuous monitoring services that enable organizations to generate up-to-date compliance reports whenever needed. Contact us for help ensuring CCPA compliance today and CPRA compliance next year.