30-Day Right to Cure: California AG Letters Being Delivered

Between the enforcement date (July 1, 2020) being six months after the effective date (January 1, 2020), the global pandemic, and limited resources in the California AG’s office, there were some valid questions and unknowns surrounding when the California AG’s office would be prepared to begin investigating and enforcing the California Consumer Privacy Act (CCPA). We have an answer now and it is almost immediately following the enforcement date.

Under the CCPA, businesses have a 30-day right to cure potential violations and the California AG is currently sending out 30-day notices to businesses surrounding potential violations. A representative from the California AG’s office previously stated on an IAPP webinar that the office would keep an eye out for privacy complaints regarding a business’s privacy practices on social media. Based on this, it is safe to assume that the AG’s office is not sitting back waiting for complaints from consumers and is even proactively combing websites for potential violations – violations that are not that difficult to spot.

Here are a few tips and steps to take to improve your website and privacy program to ensure the next letter the California AG sends is not to your business:

  • A major area under the CCPA that causes confusion and is easy to check by the California AG (or consumers) is the “Do Not Sell My Personal Information” link requirement as well as the definition of “sale” under the CCPA. Things to consider:
    • If your business is registered with California as a data broker, then it is likely required that the business has the appropriate links, disclosures, and other rights spelled out on your website.
    • Even if your business is not a data broker, AdTech activities must be reviewed. Companies like Facebook and Google provided guidance to their customers and even implemented controls to limit the personal information processing activities to be a Service Provider under the CCPA. While the guidance and technical settings are helpful, businesses are still confused by the definitions of “sale” and “service provider” under the CCPA. Businesses must review other cookies and trackers that are considered third parties to whom a business sells personal information under the CCPA that may still remain on the website. The California AG can research this very quickly and savvy consumers can easily leverage existing functionality and browser plug-ins to determine a business’s AdTech and data sharing activities that may fall under the definition of “sale.”
    • Personal information sharing activities, which should be spelled out in a business’s privacy policy, might be considered selling personal information under the CCPA. Businesses should review the definition of sale under the CCPA and limit sharing activities to service providers or businesses that would not meet the “sale” criteria and make sure the privacy policy accurately discloses those activities. Check out our study on vendor relationships and whether they have defined themselves as service providers or third parties here.

Solutions to this likely include a combination of implementing cookie consent, which may exempt your sharing activities from the definition of sale, and following the IAB Compliance Framework on the AdTech side of this requirement. Further, businesses should ensure their data inventory, vendor contracts, and website change management processes are in place.

  • Privacy policy disclosures are numerous and can be confusing under the CCPA. Quick checkpoints to ensure the policy is up to date include:
    • Effective date.
    • CCPA specific disclosure requirements.
      • This can be a link to a separate privacy policy specifically for California consumers.
    • Web forms and other modalities (such as a toll-free phone number) for a California consumer to make a rights request.
    • Accurate descriptions of personal information collected, purposes of collection, and any sharing/selling activities.
    • Contact information where consumers may submit questions or concerns about the business’s privacy policy and processing activities.
  • Monitor the activity surrounding your brand on social media and other online areas:
    • Consumers often take to online forums to complain about a business.
    • Scanning technology is available to monitor social media and consumer review sites for mentions surrounding a brand and this technology is often already used by a business’s marketing or website team.
    • This allows businesses to take a proactive approach towards monitoring and remediating any privacy issues.

Questions may have existed prior to the enforcement date surrounding the California AG’s proactiveness surrounding the CCPA, but those can be put to rest with the whisperings of 30-day right to cure letters starting to arrive from the AG’s office. Businesses must review information sharing and AdTech practices and implement the appropriate measures to ensure they can honor the right to opt-out of the sale of personal information requests or adequately defend that personal information is not being sold. Further, businesses must ensure the privacy policy contains the required disclosures and allows the consumer to make rights requests and. Last, last but certainly not least, businesses need to proactively monitor the online environment for privacy complaints. While these are the key steps a business can take to mitigate the risk of receiving one of the California AG’s letters, businesses should also be aware of other CCPA obligations outside of the website and begin working towards CCPA compliance overall with any applicable requirements.

If your business receives a notice of a potential violation of the CCPA from the California AG’s office, make sure that you reply within the 30 days provided by the CCPA. Further, these letters request that recipients outline not only what they did to resolve any potential violations but also what they are going to do in the future to prevent the violation from occurring again, so be sure to include future assessments, legal opinions, and technology implementations that are on the business’s CCPA compliance roadmap.

If you have any questions about the CCPA and building a privacy program, check out our CCPA Playbook that provides in-depth recommendations and tips for operationalizing a CCPA privacy program, or email us at  connect@compliancepoint.com.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.