The first CCPA enforcement warning letters were recently mailed out. The California Consumer Privacy Act (CCPA) was effective January 1st of 2020. Enforcement efforts were put on hold until July to give organizations a little extra time to comply. However, it looks like the time has now passed. California Attorney General Xavier Becerra is now issuing warning letters.
“Under the CCPA, Californians have the right to access and stop the sale of their personal data if they choose to exercise it,” Attorney General Becerra said in a news release at the same time the letters were being sent.
The first round of letters targeted businesses that were lacking privacy disclosures on their websites or failing to respond to user requests about the treatment of their data. The CCPA requires websites doing business with California residents to prominently display a “Do Not Sell” link on their home page so that users can opt out of the sale of their data to third parties. Also targeted were companies that didn’t respond promptly to requests to delete data or to exercise the right of access to it. For those catching up, you can find checklists and best practices in this CCPA Compliance Resources page.
During a keynote speech at the International Association of Privacy Professionals, California Supervising Deputy Attorney General, Stacy Schesser, provided some additional insight into the letters. While the letters and their recipients are confidential at this time, Schesser revealed that many of the targets were identified because of consumer complaints. That should serve as a clear indication for organizations to pay attention when their website users or customers complain.
The warning letters are the first step in the CCPA enforcement process. The CCPA requires the Attorney General’s office to notify organizations about their noncompliance and give them 30 days to fix the problems. Businesses are legally in violation of the CCPA if they fail to cure these potential violations within 30 days.
Businesses Subject to the CCPA
Not every organization is subject to the Act. Businesses required to comply include ones that:
- Have gross revenue of $25 million or more annually
- Buy, receive, or sell personal information of at least 50,000 consumers, households, or devices
- Make 50% or more of their total revenue from the sale of such information
The penalties for failing to cure the noncompliance are stiff.
Potential Penalties Under the CCPA
Penalties can include fines of $2,500 per violation, up to $7,500 per violation. That can add up quickly. For example, a company selling the data of 50,000 customers and not complying with the law could potentially be fined $375 million for a violation.
People Want Control of Their Data
84% of consumers say they want more control over their data and the way companies use it. The CCPA is California’s attempt to provide enhanced control. Acceptance hasn’t been universal, however. At the end of 2019, just weeks before the new law went into effect, only 30% of companies reported being in compliance with the CCPA. 52% of website owners said they hope to be compliant sometime in 2020, with a quarter saying it won’t happen until 2021 or they have no plans to comply.
The CCPA is the toughest law in the country addressing online privacy consent and consumer rights, and there are more in the works. More than a dozen other states have laws currently under consideration. In California, further laws may be even tougher. There’s an initiative on the ballot for the state’s November election from the same advocacy group that was behind the CCPA. This initiative, called the California Privacy Rights Act (CPRA), would be more stringent, create a separate protection agency for enforcement, and fund it with a $10 million annual budget.
Concerns about CCPA, GDPR, and website compliance? Admiral can help you get compliant with one of the industry's first IAB-compliant Consent Management Platforms (CMP). Easy to install, highly configurable, full conversion and visitor consent state reporting. Find out more today.