As many of our readers know, keeping up with new developments in the privacy landscape is sometimes like drinking from a firehose. With respect to privacy enforcement, particularly in California and Colorado, the hose was turned on June 30th and has been running all summer long. This barrage of information has left unanswered questions for many. What does the delay in enforcement of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA) (together, CCPA) regulations really mean? What am I required to comply with as of today? What are regulators already focusing on in their privacy enforcement efforts this summer?
In this blog post, we summarize key takeaways from enforcement-related developments from this summer, starting with the California Superior Court’s June 30 order delaying enforcement of the CCPA (as amended by the CPRA) regulations, all the way through the appeal of the enforcement delay by the Office of the Attorney General of California (CalAG), with some enforcement moves by the CalAG, California Privacy Protection Agency (CPPA or Agency) and Colorado Attorney General (CO AG) in between. Further below, we dive into the CPPA’s enforcement focus and continued work on regulations, along with the CO AG’s notice of application letters. Companies that are subject to the CCPA/CPRA, CPA and other state privacy laws should continue to apply the privacy compliance programs they developed in preparation for July 1, or continue working towards compliance, or else they risk being the subject of enforcement actions in the near future.
- CalChamber Faces Off with CPPA and CalAG Over Enforceability of CPRA Regulations. On June 30, the eve of the July 1 enforcement date of the CPRA amendments to the CCPA, the California Superior Court ordered a stay in enforcement of the initial CPRA regulations promulgated by the Agency on March 29, 2023. On August 4, the CalAG, on behalf of the Agency, appealed the superior court’s decision, contending that the California Chamber of Commerce (CalChamber) failed to submit evidence of actual harm or prejudice to its members resulting from enforcement of the regulations, and that prohibiting enforcement of requirements that businesses have been aware of since 2020 harms consumers. It remains to be seen how the Court of Appeal will respond to the CalAG’s petition, but as of the date of this publication, the initial CPRA regulations are not enforceable until March 29, 2024, at least by the CPPA (which was the only party to the suit and the corresponding order). The statutory provisions, however, remain enforceable, as do potentially the original CCPA regulations in so far as they are not overridden by the CPRA (though this remains an uncertain matter, but the CPPA’s position is that they are enforceable). For the remaining regulations that the CPPA is required to promulgate, but has not yet issued, the court’s order provides that such regulations shall also be subject to an enforcement delay of one year. Regardless, as detailed next, the CalAG and the Agency have both indicated they will enforce the CCPA’s requirements using other enforcement tools unaffected by CalChamber’s suit.
- CO AG Hints at Enforcement Focus Via “Notices of Application.” On July 12, the CO AG announced it sent “Notice of Application” letters to various businesses. The CO AG has provided three examples of such letters on the CPA resource page. The example letters themselves point out that they are not notices of violation but rather notices of application and highlight various compliance obligations. Though not explicitly stated, it can be inferred that the CO AG intends for the notices of application to put businesses on notice of their CPA obligations so that they can continue working towards compliance, beginning with the areas identified in each of the notices. Though each notice highlights varying compliance obligations, the top obligations emphasized by each of the notices are: (1) honoring consumer rights; (2) complying with Colorado Privacy Act (CPA) controller obligations (e.g., obligation to provide consumers with a compliant privacy notice); and (3) obtaining affirmative opt-in consent prior to processing data in a manner that presents a heightened risk of harm to consumers (e.g., processing of sensitive data). These compliance areas and many of the ones listed in the notices are broad and have more granular requirements enumerated in the CPA and its implementing regulations. See our recent blog post on how to comply with CPA requirements, including the requirement to conduct and document a data protection assessment prior to processing sensitive data and other use cases that present heightened risk of harm to consumers.
- CalAG Pushes Forward with CCPA Enforcement, Focused on HR Data. On July 14, the CalAG, which has the authority to enforce the CCPA alongside the Agency, announced an investigative sweep of employers’ compliance with the CCPA, emphasizing the enforceability of the statutory provisions notwithstanding the aforementioned delay in regulatory enforcement. As a reminder, employee, applicant and other human resources data came into full scope of the CCPA as of this January 1 (not July 1).
- CPPA Deputy Director of Enforcement Says, “No Vacation” From Enforcement. On July 14, the CPPA held a board meeting during which it warned that despite the delay in enforcement of the CPRA regs, there will be “no vacation” from enforcement of the statutory provisions of the CCPA (as of January 1, 2023) and the existing CCPA regulations (i.e., those promulgated previously by the CalAG). To that end, Michael Macko, the CPPA’s Deputy Director of Enforcement, highlighted an enforcement focus on privacy policies, the right to delete, and the fulfillment of consumer requests and the procedures for handling them. Deputy Director Macko warned that even with the recent court decision staying enforcement of the 1798.185(a) regulations, the CPPA continues to have authority to enforce the CCPA (as amended by the CPRA), the earlier CCPA regulations and any regulations that were discretionary under the CCPA. Businesses should therefore expect vigorous enforcement by the CPPA pursuant to these authorities throughout the year. Further, the CPPA expects “robust compliance” with the 1798.185(a) regulations by March 29, 2024.
- CPPA Reviews Privacy Practices of Connected Vehicles. On July 31, the CPPA announced a review of the data privacy practices of connected vehicle (CV) manufacturers and related CV technologies. Referring to CVs as “connected computers on wheels” that “are able to collect a wealth of information via built-in apps, sensors and cameras,” the CPPA’s Executive Director, Ashkan Soltani, conveyed that the Agency is making inquiries into the connected vehicle space to understand how these companies are complying with California law when they collect and use consumers’ data.
CPPA Launches Consumer Complaint Portal, FAQs; Provides Overview of Enforcement Process
As to enforcement updates, the CPPA discussed the following:
- Consumer complaint portal now live.
The CPPA has launched its web-based Consumer Complaint Portal and the FAQs for the Portal. Consumers may direct their privacy-related complaints to the Portal. Consumers may also submit complaints via the agency phone line or by filling out a complaint form and submitting the form by mail to the CPPA. The Board raised concerns regarding accessibility of the Portal, particularly for Californians whose primary language is not English. The CPPA staff advised that they are working on translating the website and are currently exploring accessibility offerings as part of their IT roadmap, including dynamic accessibility offerings to accommodate different languages as well as individuals with vision impairment.
- Overview of enforcement process by CPPA General Counsel.
Administrative proceedings will operate like a mini trial. The Enforcement Division of the CPPA will act as the prosecutor, and the regulated business that is the target of the investigation is the defendant. Both parties will have an opportunity to present evidence and arguments regarding whether a CCPA violation occurred.
Process overview. At a high level, the CPPA Administrative Enforcement process will operate as follows:
- Enforcement Division conducts investigation of suspected CCPA violations. Targets may not always be aware that an investigation is going on.
- Afterwards, the Enforcement Division will file a Notice of Probable Cause Proceeding. This Notice informs the target that the CPPA is alleging it violated the CCPA.
- The Legal Division will then conduct a Probable Cause Hearing and make findings.
- The Enforcement Division will file an Accusation with the Office of Administrative Hearings (OAH) that complies with the California Administrative Procedures Act.
- An OAH Administrative Law Judge will hear the matter and render a proposed decision.
- The CPPA Board confers in a closed session to vote on whether to adopt, amend or reject the proposed decision.
CPPA Continues Work on Outstanding Regulations
As to outstanding regulations, the Agency’s CPRA Rules Subcommittee explained that, given the complexity of the remaining topics, it is reluctant to commit to submitting complete proposed regulations covering all outstanding topics by the Board’s September meeting, but it expects to at least have something for cybersecurity audits by that time. We provide a high-level review of the key points of the Subcommittee’s presentation below.
- CPPA signals intent to harmonize CCPA requirements with existing frameworks.
The Subcommittee explained that in drafting the regulations, it is reviewing and considering different frameworks, guidance and resources with the goal of creating CCPA requirements that are interoperable with existing frameworks in order to minimize compliance burdens on businesses of all sizes. If successful, the CPPA would help businesses realize compliance efficiencies. For instance, as to cybersecurity audits, businesses that must comply with the CCPA would be able to use existing cybersecurity audits to meet some or all of the CCPA requirements. If the existing cybersecurity audit does not meet all of the CCPA requirements, then the business must work on addressing those gaps (rather than starting from scratch) in order to demonstrate compliance.
- Potential additional thresholds.
The Board also discussed potentially drafting rules creating additional thresholds that must be met before the obligations to conduct cybersecurity audits and risk assessments and to implement ADMT requirements are triggered. The Subcommittee previewed that the additional thresholds would be interoperable with the requirements of other laws, such as the CPA and the European Union’s General Data Protection Regulation, and may require consideration of the business’s size and whether the business is a data broker or otherwise significantly engages in the sale and sharing of personal information. As to ADMT, the Subcommittee discussed potentially recommending requirements for, among others, ADMT used in furtherance of activities that result in legal or similarly significant effects (e.g., provision or denial of financial or lending services, employment, healthcare services, etc.).
CO AG Begins CPA Enforcement, Commits to Providing Informational CPA Resources to Covered Businesses, Colorado Consumers
On July 12, 2023, the CO AG’s Office announced it started enforcement of the CPA, which went into effect on July 1, 2023. In furtherance of the CO AG’s enforcement strategy, the Colorado Department of Law (DOL) sent letters to businesses that must comply with the CPA providing information regarding companies’ legal obligations under the CPA.
Unlike the letters sent by the CalAG, which requested information regarding companies’ CCPA compliance as to HR data, the letters sent by the CO AG are “notices of application” sent to businesses, data brokers and businesses that process sensitive personal data to provide such entities with information regarding the CPA’s applicability and requirements, and to urge businesses to “assess whether the CPA applies to [their] business, and if so, ensure that [the business is] in full compliance with its terms.”
In general, the CPA applies to “controllers,” which are entities that: (1) either (a) conduct business in Colorado (i.e., businesses generally) or (b) produce, target or deliver commercial products or services targeting Colorado residents (i.e., data brokers); and (2) either (a) control or process the personal data of 100,000 consumers or more during a calendar year or (b) control or process the personal data of 25,000 or more consumers and derive revenue or receive a discount on the price of goods or services from the sale of personal data. C.R.S. § 6-1-1304(1).
Each of the notices of application offers insight into which CPA requirements the CO AG may focus on when enforcing against a specific type of entity (i.e., businesses generally vs. data brokers) and depending on the type of data involved (i.e., personal data vs. sensitive data), as follows:
- Businesses that must comply with the CPA have numerous obligations. The notice of application for businesses generally suggests that, as to businesses generally, the CO AG will prioritize the business’s compliance with its obligations to: (1) honor consumer rights; (2) comply with its CPA controller obligations; (3) obtain consent prior to processing sensitive personal data; (4) conduct data protection assessments before engaging in processing activities that present a heightened risk of harm to consumers; and (5) follow the CPA’s requirements for vendor relationships, as set forth in C.R.S. § 6-1-1305.
- The CPA requirements for businesses generally also apply to data brokers, but the notice of application for data brokers suggests that, as to data brokers, the CO AG will prioritize how data brokers comply with their CPA obligations pertaining to: (1) honoring consumer rights; (2) providing consumers with a reasonably accessible, clear and meaningful privacy notice; (3) collecting only personal data that is adequate, relevant and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed; (4) obtaining consent before processing personal data for purposes that are not reasonably necessary to or compatible with the processing purposes specified in the business’s privacy notice; (5) obtaining consent before processing sensitive data; and (6) complying with the CPA requirements for vendor relationships, as set forth in C.R.S. § 6-1-1305.
- The notice of application relating to the processing of sensitive data suggests that, as to the processing of sensitive data, the CO AG will focus on whether businesses are obtaining a consumer’s (or the consumer’s parent’s/guardian’s, if the consumer is a child) affirmative opt-in consent, obtained without the use of dark patterns, prior to processing that consumer’s sensitive personal data. The notice also clarifies that processing personal data through tracking technologies (i.e., pixels) is a type of processing of sensitive data.
Although the CO AG highlights the above areas of compliance focus, businesses that must comply with the CPA have additional obligations. Furthermore, many of the areas of enforcement focus (e.g., honoring consumer rights and complying with CPA controller obligations) listed in the notices have more granular requirements. Privacy World has more information regarding how to comply with CPA requirements. Likewise, the CPA has additional requirements for the processing of sensitive data. For example, because processing sensitive data is a type of processing that presents a heightened risk of harm to the consumer, a business must conduct and document a data protection assessment prior to processing sensitive data.
Prior to January 1, 2025, authorities seeking to enforce the CPA (i.e., the Colorado Attorney General or local District Attorneys) must issue a notice of violation and provide an opportunity to cure potential violations to covered businesses. CPA enforcement authorities may bring an enforcement action only when the business fails to cure the alleged violations within 60 days of its receipt of a notice of violation. CPA violations are deemed to be a deceptive trade practice under Colorado State law and are subject to penalties.
The CPA resource page, accessible via coag.gov/cpa, includes information regarding individuals’ rights and businesses’ obligations under the CPA, FAQs and educational webinars created by DOL staff. Questions regarding the CPA may be submitted via an online portal at coag.gov/cpa, and CPA-related complaints may be submitted via coag.gov/file-complaint.