In early July, California Superior Court Judge James P. Arguelles held that the regulations adopted by the California Privacy Protection Agency (the CPPA) on March 29 2023, which implemented key provisions of the California Consumer Privacy Act (the CCPA), could not be enforced until March 2024.
For many companies, the first reaction to the decision was one of relief. The relief will be short lived. Ashkan Soltani, Executive Director of the CPPA, said after the ruling that “significant portions” of the privacy protections under the CCPA can be enforced as of July 1. And the CCPA’s Deputy Director of Enforcement recently said “There’s no vacation here from enforcement,” emphasizing three areas of focus: privacy notices and policies; consumers’ right to delete personal information; and the handling and implementation of consumer requests.
- We expect that the CPPA will focus on clear examples of privacy policy non-compliance. For example, the CCPA will compare a company’s public-facing privacy policy with its implementation of the policies, to see if what the company says reflects what it actually does.
- Because the CPPA sees the consumer right to delete their personal information as “well-established” and “long-standing,” as well as one of the rights most desired by consumers, the CCPA will seek to ensure that companies implement smooth experiences for consumers exercising their rights.
- Finally, the significance of the handling and implementation of consumer requests should not be underestimated. It’s an area that’s created a lot of challenges for companies, and in view of the agency’s enforcement initiatives there is no time to lose in implementing a CCPA-compliant process.
While the CPPA is still building its enforcement team, companies should anticipate early enforcement of at least these provisions of the CCPA. Companies should act now to ensure both that their privacy policies are up to date and accurate, and that they have established the procedures for responding to consumer requests and implementing consumer rights.
Authors:
Michael A. Gold, Chair, Cybersecurity and Privacy Group
Robert E. Braun, Co-Chair, Cybersecurity and Privacy Group
JMBM’s Cybersecurity and Privacy Group is known both for legal expertise and for command of technology. We provide clients comprehensive coverage of all substantive areas of data security and privacy, including information technology, financial, health, employment and personal privacy, litigation and technology transactions. Our expertise allows us to interface effectively with both the C-Suite and also with information technology managers at both a strategic and granular level.
This update is provided to our clients, business associates and friends for informational purposes only. Legal advice should be based on your specific situation and provided by a qualified attorney.