Privacy policies and privacy violations in business is certainly a hot topic these days. On July 19, 2021, the California Attorney General issued an update on businesses that violate the California Consumer Privacy Act of 2018 (CCPA). The progress of the AG’s enforcement actions is impressive. They even introduced a new tool for consumers to notify businesses of CCPA violations.
The CCPA serves as a watch dog on businesses that sell consumer or client information. If a business engages in selling consumer information, the website of said business must offer an “opt-out” option for its consumers. Websites must have a clear and conspicuous link for consumers to say, “Do Not Sell My Personal Information.” Some of these businesses include, “data brokers, marketing companies, businesses handling children’s information, media outlets, and online retailers,” according to the AG’s announcement. Properly worded privacy policies are a critical part of websites belonging to these businesses.
Enforcement Results Are Encouraging
The AG started privacy violation enforcement activities more than a year ago. The update provides a “report card” on how businesses are responding to notices of alleged violation. You can read the AG’s announcement here.According to the AG, 75% of businesses fixed the violation within a 30-day statutory cure period once they received notice. However, the remaining 25% of businesses receiving a notice of alleged violation were either within the 30-day cure period or being investigated. Nevertheless, the strong response rate is very encouraging.
New Online Tool
The AG announced the launch of a new online tool consumers can use to notify businesses of potential privacy violations. The tool addresses consumer concerns about businesses failing to provide a clear and easy-to-find “Do Not Sell My Personal Information” link on their homepage.
Consumers using the tool can review information about the CCPA. They can also read their rights provided by the privacy legislation. The tool generates a notice that can be sent to the business. This notification may trigger the 30-day period for the business to cure their violation. This is a prerequisite to the AG bringing an enforcement action. The tool can be accessed here: https://oag.ca.gov/consumer-privacy-tool.
If the CCCP governs your business or if you have a question about your privacy policy, I encourage you to contact my office so we can assist you with this new tool
Adam Grant
Adam D.H. Grant specializes in cyber liability, digital privacy, business litigation, real estate and construction law.