It’s a stressful moment for any business leader: You’ve just received a written notice from the California Attorney General alleging violations of the California Consumer Privacy Act (CCPA), and you have 30 days to respond. For many business leaders, this may be the first time they have ever heard of the data privacy law. What do you do now?
There are two things you should do immediately. The first is to contact the Office of the Attorney General (OAG) directly to confirm that the notice is actually legitimate and not a scam. The second is to contact your business’s attorney. Every situation is different, and while this article provides helpful information, it is not a substitute for legal advice.
With that out of the way, here is some of the most important information you’ll need moving forward.
The CCPA is a state law designed to give California residents (“consumers”) more control over how their personal information is collected and used by businesses. It does so by creating a variety of legal obligations toward consumers, primarily falling into two categories: posting the required privacy notices and responding to consumers’ privacy requests. Read our Guide to the CCPA for more detailed information and to see if the CCPA applies to your business.
Businesses that fail to meet their obligations may face enforcement actions, including injunctive relief and civil penalties of up to $7,500 per violation. However, the law’s cure provision states that the OAG must first give businesses 30 days to fix any alleged violations and provide assurance that they won’t happen again in the future. This is called a cure notice, or sometimes an enforcement notice.
The most common violations of the CCPA occur when businesses fail to provide the required privacy notices to consumers.
Depending on the business’s practices, there may be additional notices required. For example, if a business sells consumers’ personal information, as defined by the CCPA, it must disclose this fact. It also must post a clear and conspicuous “Do Not Sell My Personal Information” link on its home page, sending consumers to the privacy notice and instructions for submitting a request to opt out. The only alternative is to cease any activities that qualify as a sale of personal information.
Posting CCPA-compliant privacy notices within 30 days is relatively easy, but only if the business already has a detailed data map. A data map helps businesses understand what personal information is being collected, whom it is collected from, and how it is used. It is the cornerstone of CCPA compliance and informs everything in the privacy notices.
In addition to keeping consumers informed, businesses have a duty to respond to CCPA privacy requests in a timely manner. Businesses must provide two methods of submitting privacy requests, at least one of which corresponds to how the business usually interacts with consumers. For example, an online retailer must provide at least one online method. Businesses have 45 days to comply with requests to know and delete, though this can be extended for another 45 days if reasonably necessary. They have 15 days to comply with a request to opt out.
Responding to privacy requests can be quite complex. All of the rules have nuances and exceptions that businesses need to be aware of in advance. If you’ve received a CCPA cure notice related to privacy requests, the OAG will want to see evidence of a system in place for dealing with requests in the future.
There is a separate type of cure notice that is mentioned in the CCPA, one that is sent by a consumer in the event of a cybersecurity breach. Though the CCPA does not create a private right of action for consumers to enforce their privacy rights, it does allow them to sue businesses when their non-encrypted and non-redacted personal data is subject to unauthorized access, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures and practices. In this case, consumers can recover statutory damages of up to $750, or actual damages, whichever is greater.
Before consumers can avail themselves of the CCPA’s private right of action—likely in the form of a class-action lawsuit—they must first send a written statement to the business giving them 30 days to cure any violation, if a cure is possible. The California Privacy Rights Act (CPRA) clarifies that implementing data protection measures after a breach will not cure the violation.
For businesses that are starting CCPA compliance from scratch, one of the key takeaway points is that you can’t fix violations by implementing just some of the law’s requirements. Compliance means meeting a complex series of interconnected legal obligations, and the OAG will seek assurance not just that you’ve fixed all immediate issues, but also that no further violations will occur in the future.
For example, if the cure notice alleges that your business is violating the CCPA by not having a “Do Not Sell” link on its homepage, the fix is not as simple as just adding the link. First you must update the privacy notices to reflect your business’s selling practices, then devise a system for responding to requests to opt out. You can’t do either of those things without creating a data map and determining which disclosures of information qualify as selling and which fall under the service provider exemption. Fully implementing these changes within the 30-day cure period will not be easy.
The quickest path to CCPA compliance is using a software automation tool like TrueVault Polaris. TrueVault Polaris walks businesses through every step of CCPA compliance, starting from nothing and going all the way to responding to your first privacy request and beyond. The whole process can be finished in as little as two weeks.
If your business has received a 30-day notice, don’t delay. Contact us today to get started with your compliance strategy.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.