California Privacy Enforcement Moves Forward With Rulemaking on Horizon
Privacy In Focus®
Big changes are underway in California privacy, with a brand new privacy agency, forthcoming new privacy rules due by July, and a new comprehensive privacy framework going into effect in January 2023. As businesses subject to California privacy laws gear up for these big changes, they must continue to focus on California Consumer Privacy Act (CCPA) obligations, which the California Attorney General (AG) is continuing to actively enforce.
Below, we provide updates on the forthcoming CPPA rulemaking, as well as recent enforcement activity from the AG.
Change and Delay at the CPPA
In November 2020, the California Privacy Rights Act (CPRA), passed by ballot initiative, established a new agency: the California Privacy Protection Agency (CPPA or Agency). The CPPA has rulemaking and enforcement authority over the CPRA, and the CPRA requires extensive new rulemakings.
Pre-rulemaking activities have already begun, and while the statute calls for final rules to be adopted by July 2022, it appears that the CPPA will need more time. At a February 17 board meeting, Executive Director Ashkan Soltani announced that the Agency does not expect to meet the original July 1 deadline. Draft regulations may be under consideration in fall of 2022, and it appears they may not be finalized until closer to the end of the year.
Despite These Changes, the AG Is Forging Ahead with CCPA Enforcement, Including Its Most Recent Loyalty Program Sweep
Since CCPA enforcement began in July 2020, the AG has enforced a wide range of CCPA provisions. The AG’s website provides the following illustrative examples of its enforcement actions, which are launched when the AG sends notices of alleged noncompliance to companies:
- Privacy policy requirements
- The AG has notified companies that privacy policies must notify consumers of their CCPA consumer rights and methods for exercising them.
- Notice at collection requirements
- The AG targeted an automotive business that allegedly failed to provide consumers with a notice that their data was being collected.
- Do-not-sell requirements
- The AG required a media conglomerate to streamline its opt-out requests when it initially required customers to submit multiple requests across its websites.
- Requirement with respect to service provider contracts
- A social media network had to update its contracts with service providers to prevent the latter from retaining, using, or disclosing personal information for purposes not specified in the contracts.
Most recently, the AG announced a sweep to enforce notice requirements associated with operating loyalty programs. On Friday, January 28, AG Rob Bonta announced an investigative “sweep” of businesses operating loyalty programs in California. Under the CCPA, businesses can offer financial incentives, including loyalty programs, but must provide a notice of financial incentive in accordance with the specific requirements under the current CCPA regulations. See 11 C.C.R. § 999.307. According to the January 28 announcement, the AG sent notices of noncompliance to “businesses that offer financial incentives, such as discounts, free items, or other rewards, in exchange for personal information,” apparently without adequate notice. This is not the first time the AG has focused on this issue. Previously, the AG engaged in enforcement activity against a grocery chain that offered a loyalty program without a notice of financial incentive.
This latest sweep, along with the AG’s consistent enforcement, should put companies on notice that the California AG is paying close attention to compliance and trends, and will continue to be an important player in the California privacy landscape.
With that said, it is important for covered businesses to understand that the enforcement landscape will become even more complex with forthcoming CPRA changes. Notably, under the new framework, both the new CPPA and the AG can enforce the privacy laws.
***
Wiley’s Privacy, Cyber & Data Governance Team has helped entities of all sizes from various sectors proactively address risks and address compliance with new privacy laws. Please reach out to any of the authors with questions.
© 2022 Wiley Rein LLP
