California Attorney General Targets “Low-Hanging Fruit” for CCPA Non-Compliance

The California Consumer Privacy Act enforcement period began July 1, and two months later, numerous firms have received letters from the attorney general’s office about noncompliance. Multiple major companies, including Walmart, Sephora, and Ring, have been hit with class-action lawsuits.

But there’s no great mystery or nefarious agenda tied to the companies that have been targeted at this point, says Dan Clarke, president at IntraEdge. To avoid meeting the same fate, companies need to adhere to the fundamentals of the nation’s first major statewide privacy law. Clarke spoke with Street Fight to explain.

CCPA enforcement so far has targeted retailers. What do you make of that?

I don’t think CCPA enforcement targeted retailers, specifically. CCPA enforcement, instead, is targeting companies that have a high volume of traffic and strong customer reach. In this case, it coincides with retailers. The amount of customer interaction a business has is often a determinant of the number of privacy requests and complaints a company may receive from customers exercising their privacy rights.

What companies do you expect CCPA enforcement to affect next?

It’s speculated that California’s Attorney General Xavier Becerra will go after the low-hanging fruit, rather than targeting a specific industry. CCPA enforcement will be centered on egregious violators — for example, those that do not have a prominent privacy policy link on their website, no “do not sell my data” button, and no visible mechanisms to allow customers to exercise their privacy rights. The attorney general is paying close attention to the customer complaints received online; however, those complaints aren’t public, and the only proxy of those with the most complaints are those publicly posted on Twitter.

There’s been a lot of discussion about whether CCPA rules are fair and whether enforcement would disproportionately affect mid-size players without the legal armies of the big players. How is that playing out so far?

Currently, those that have received 30-day notices to cure are businesses that did not have visible privacy notices on their websites, nor a prominent mechanism or process to collect privacy requests. These notices are actively being sent to non-compliant companies, and the notices encourage companies to contact the attorney general’s office to open a dialogue about how to improve their policies. Becerra has already viewed thousands of complaints submitted online and has advised companies to pay attention to what their consumers are saying on Twitter.

What can companies proactively do to comply with CCPA?

Companies must implement a privacy-first strategy to comply with the approved final regulations under the CCPA. At a minimum, this means having a visible compliance strategy with an up-to-date notice that provides customers with a prominent “do not sell my information” link (where applicable) on their website, an opt-out of the sale of data option, and a mechanism for customers to exercise their privacy rights. If customers can’t exercise their privacy rights due to egregious violations, it’s much easier to enforce a fine for non-compliance.

Joe Zappa is the Managing Editor of Street Fight. He joined Street Fight as a contributing writer in 2015, has compiled the daily newsletter since 2016, and has spearheaded the newsroom's editorial operations since 2018. Shoot him an email at jzappa@streetfightmag.com.