California AG: ‘Great progress’ under CCPA despite no fines

A year later, we still have yet to see a publicly announced fine.

That doesn’t mean the state legislature has been standing still. New California Attorney General Rob Bonta issued a press release Monday lauding enforcement efforts under the CCPA. According to Bonta, 75 percent of businesses to receive a notice of alleged violation have come into compliance within the 30-day timeframe the law allows. The remaining 25 percent are either still in the grace period or under active investigation.

“We’re happy to announce that we are seeing great progress with our CCPA enforcement, but there’s more work to be done,” said Bonta in a statement. “Plain and simple: Exercise your rights under the CCPA. Any Californian is empowered to opt out of the sale of their personal information online.”

The California AG’s office has sought to work with firms on ensuring compliance rather than rushing to hand out the kind of eyebrow-raising fines the law calls for ($7,500 per violation). Bonta noted a handful of examples of alleged violations businesses have resolved during the grace period, including:

• A car manufacturer/seller that failed to notify consumers of the use of personal information in addition to other privacy policy omissions.
• A grocery chain that required consumers to provide personal information in exchange for participation in its loyalty program without a notice of financial incentive.
• A social media app failing to timely respond to CCPA requests.
• An online dating platform that collected and sold personal information without having a “Do Not Sell My Personal Information” link option on its homepage.

When the CCPA first took effect, experts predicted enforcement efforts to prioritize children’s privacy and digital marketing. Bonta’s statement reveals alleged violations under the law have been wide in scope, with many able to be resolved by a simple update to privacy policies or terms and conditions.

While the CCPA continues to get its legs under it, the data privacy legislation landscape across the United States has started taking form. Virginia and Colorado this year have passed privacy laws of their own, and many other states have proposed bills to protect their residents’ data rights.

Even California is headed for change after the California Privacy Rights Act (CPRA) was passed last year. The measure will replace the CCPA in January 2023, calling for a new state agency—the California Privacy Protection Agency (CPPA)—to enforce the law and adding additional responsibilities for businesses handling private data. The CPPA held its first meeting in June and is currently seeking an executive director to lead its efforts.