Hundreds of lawyers and several privacy regulators from California, Washington State, Oregon, Colorado, Connecticut, and the Federal Trade Commission gathered in Los Angeles last week for the second annual California Lawyers Association Privacy Summit (“Summit”). Among many engaging sessions on pressing topics, the panels with privacy regulators stood out for their discussions on enforcement priorities and administrative fines and injunctions, along with punchy and newsworthy statements – including that they are “plotting” and that, considering that the typical investigation presents “hundreds or thousands of violations,” potential fines are “significant.”
Perhaps even more newsworthy is that, due to a California Court of Appeal order handed down as the Summit wound down on Friday, the stay on enforcement of the CCPA regulations was lifted. This happened as many companies were treating March 29, 2024, the end of the stay period, as the effective and enforcement date of the regulations promulgated under the CPRA’s amendments by the California Privacy Protection Agency. The appellate order also nullifies the one-year delay in effectiveness of issued CCPA regulations that the trial court had required, making it almost certain that CCPA regulations on risk assessments, cybersecurity assessments, and automated decision-making and profiling will be promulgated and in effect sometime this year, perhaps as early as Q2 or Q3.
Will 2024 be the year of privacy enforcement? In view of signaling from California regulators and those in other jurisdictions, and in view of several upcoming effective dates and regulatory deadlines, ongoing enforcement by regulators in California and beyond, and an impending uptick in privacy enforcement, it just might be. Stay tuned for future posts on these issues. Keep reading for more detailed takeaways regarding the Summit.
CA Privacy Regulators: Potential Fines “Significant”, Injunctive Remedies Also Being Considered
To date, companies weighing the risk of selective or otherwise incomplete compliance with the CCPA and other privacy laws no doubt look to the $1.2 million settlement in a case by the CA OAG against a well-known cosmetics retailer.
At the Summit, Supervising Deputy Attorney General (“SDAG”) Stacey Schesser spoke about how the CA OAG has its eye on a broader legal strategy, pursuant to which the OAG will cite CCPA violations as the unlawful predicate for a violation of California’s unfair competition law, Business and Professions Code § 17200 (“UCL”). In doing so, the CA OAG will be able to seek remedies under both the CCPA (injunctive relief, civil penalties of $2,500 per violation or $7,500 for each intentional violation) and the UCL (injunctive relief, restitution, civil penalties of $2,500 per violation). Notably, remedies or penalties granted under the UCL are cumulative both to each other and to any remedies or penalties available under other state laws, meaning that obtaining remedies under the UCL would not displace any other remedies that might exist; therefore, regulators may recover under the UCL in addition to recovering under other laws, such as the CCPA. In addition, SDAG Schesser noted that the CA OAG can enforce both state laws and certain federal laws and can use tools such as subpoenas, interrogatories, and lawsuits to achieve its enforcement goals.
Alongside SDAG Schesser, Michael Macko – Deputy Director of Enforcement at the California Privacy Protection Agency (“CPPA” or “Agency”) – spoke in depth regarding both administrative cease and desist orders (which he pointed out are akin to injunctions) and administrative fines. As regards the latter, Deputy Director Macko paused before speaking, and then spoke clearly to the room about the potential administrative fines available under the CCPA, warning businesses: “Don’t be fooled…the numbers are quite significant.” He explained the regulators’ ability to seek a fine of up to $7,500 per violation, and emphasized that the Agency is typically “looking at hundreds or even thousands of violations” in any given investigation.
His points on the administrative cease and desist power also make clear that companies should consider non-monetary relief as part of their privacy and security risk. The menu of non-monetary administrative relief available, and recently sought by both state and federal regulators, ranges widely: from one-time and ongoing administrative tasks and remediation of the alleged non-compliance, to being required to take action, or being barred from continuing activities, in ways that could threaten a company’s existence.
Examples of Injunctive Relief Sought by Regulators:
- Carrying out administrative tasks such as providing annual reports with specific information, including third-party data recipients and their status (e.g., service provider) (CA OAG)
- Addressing compliance with provisions which were alleged not to be complied with (CA OAG)
- Taking action or being prohibited from business-critical activities:
  - Deletion/disgorgement of data and/or algorithms (WeightWatchers FTC Case)
  - Permanent prohibitions from sharing data with third parties for advertising purposes (FTC health-related cases)
  - Requirements to obtain affirmative express consent for sharing data with third parties for any purpose
  - Seeking deletion of data by third-party recipients
- Providing notice to affected consumers
- Being subject to ongoing compliance monitoring and certifications for a number of years (the FTC’s default is 20 years)
- Providing notice of the enforcement action to company stakeholders (including new owners, employees, etc.) on an ongoing basis (the FTC typically requires 20 years)
The Regulators’ Enforcement Priorities
At the Summit, SDAG Schesser discussed that the CA OAG’s top CCPA enforcement priorities include requirements that have been in place since the CCPA’s inception, such as:
- having in place compliant privacy notices,
- properly effectuating the right to opt-out of the sale and sharing of personal information, and
- privacy issues affecting children, such as the sale and disclosure of data of children under 16 and under 13 years old.
When referring to these longstanding requirements, SDAG Schesser noted that businesses can look to prior CA OAG press releases, investigative sweeps (such as the CA OAG’s sweep focusing on streaming service providers’ and employers’ compliance with the CCPA), and enforcement examples for guidance on the CA OAG’s areas of focus and how the office has interpreted the CCPA in the past.
Further, Deputy Director Macko spoke of the Agency’s top enforcement priorities, which include:
- How businesses are operationalizing privacy notices in practice as compared to what is being communicated to the public (noting that the Agency’s review of privacy notices is not just a box-checking exercise for technical compliance with the law)
- How businesses are operationalizing CCPA requests and responding to requests received, from both a business and technical perspective
- Whether companies are properly implementing the right to delete, and
- Accessibility for those with disabilities
In addition, SDAG Schesser and Deputy Director Macko discussed that although the CCPA no longer has a cure period, both CA OAG and the Agency will consider different factors in their investigations including, but not limited to: (1) whether there was a violation; (2) whether the investigation target can demonstrate good faith efforts to comply with CCPA requirements; (3) the target’s posture throughout the investigation; and (4) whether there are appropriate equitable remedies available.
The CA OAG and the Agency are also looking into how businesses are “operationalizing” CCPA requirements, emphasizing that they are looking beyond public-facing compliance efforts, such as posted privacy notices, and into how businesses are implementing their CCPA compliance program requirements internally, for example, whether businesses are actually processing do-not-sell requests and opting consumers out of the sale/sharing of their personal information.
The regulators also explained that they will now look at compliance with the CPRA amendments as well as at ad tracking. To assess ad tracking, they will rely on their in-house technicians and experts, as well as on technologies, including commercially available tools.
It was noted that investigations will not be limited to the above areas; rather, these are priorities.
Stay tuned for more on this topic from Privacy World. Please feel free to reach out to the authors or your SPB relationship attorney for more information or with any questions.