It’s been nineteen months since the California Consumer Protection Act (CCPA) went into effect, and California is revealing the effectiveness as the legislation, and releasing a new tool to let consumers report violations directly to the state.
On July 19th, California Attorney General Rob Bonta held a press conference to demonstrate the effectiveness of the CCPA and introduce the new Consumer Privacy Tool, which allows individuals to report violations of the law.
Cure Periods Increase CCPA Compliance
Under the CCPA a non-compliant business is given a 30-day “cure period” following notice of non-compliance from the California Attorney General, during which the business is given the chance to cure the alleged non-compliance without penalty.
According to AG Bonta, 75% of businesses that received notice of a CCPA violation responded by bringing their data practices into compliance within the 30-day cure period. As for the remaining 25% of alleged CCPA violators, they are “either within their 30-day window or under an active investigation,” said Bonta.
"We've sent quite a few [violations],” said Bonta, “but the good news is when we send out notices to cure we get a response."
The AG went on to outline, without naming names, several real-world examples of compliance violations and how they were resolved within the cure period.
In one example, users of a social media platform complained that the company was slow to respond to CCPA requests, and those users were not notified that their CCPA requests had been received or completed. After receiving a notice to cure from the CA DOJ, the business walked the AG’s office through their process and fixed their procedures.
In another example, an online dating app forced users to accept sharing of their personal information when signing up for the service. The company did not have the “Do not sell my personal information” link that every company must display if they engage in that practice. The company created the link once contacted by the California Attorney General’s office.
“Businesses are motivated and able to comply with the law,” said Bonta. “My belief is that the vast majority of businesses really want to comply and will comply,” he continued. “They want to know how to comply, and once they know how, they do.”
Bonta's office has also published a separate list of 27 notice examples with descriptions.
Cure Periods to Expire When CPRA Takes Effect
While the 30-day cure period currently offered by the CCPA has helped many companies come into compliance without penalties, it should be noted that once the CPRA supersedes the CCPA on January 1st, 2023, businesses will no longer be offered a cure period. That means violations of the law will result in immediate penalties-- — up to $2,500 per violation or $7,500 per intentional violation involving personal information. It is of the utmost importance that businesses take CCPA and CPRA compliance seriously and implement the necessary tools and processes for compliance as soon as possible.
California’s New Consumer Privacy Tool
In addition to touting the effectiveness of the CCPA, Bonta also used his press conference to unveil a new online tool which will let consumers report violations of the CCPA directly to the State. For now, the new Consumer Privacy Tool is limited to reporting instances of missing or unclear "Do Not Sell My Personal Information" buttons on companies' websites, but the tool may be updated to include other potential CCPA violations.
The tool "asks guided questions to walk consumers through the basic elements of the CCPA before generating a notification that the user can then email to the business," said Bonta.
This notification from consumer to business may trigger the 30-day cure period, according to Bonta, but he did not give a clear delineation of when the notification does or does not mark the beginning of the cure period and why.
“I'm not saying to use it or not to use it, but it's there to be used," Bonta said. "If you don't want your information to be sold, you have to act. For those out there that think your information won't be sold automatically because of the CCPA, that's not true. You have to take that step and click that button on those websites."
How Ensighten Can Help
The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give California citizens control over the data that companies collect on them, control over the privacy of that data, and the ability to require that organizations manage their data responsibility.
To stay compliant with these laws, you can't rely on vendors that offer nominal compliance or privacy management through simple workflow mechanisms that rely on connections to additional systems, to enact any policy put in place and greatly aggravate data leakage vulnerabilities. Ensighten's comprehensive solution enforces privacy preferences and requests in real-time without the need to interact with any other supply chain technology, therefore eliminating the risk of data leakage.
With Ensighten Consent Management Plus (CMP+), you can set up opt-out of sale links for California consumers and give your customers a clear-cut choice on how their data is used, or whether it is collected. And our low-code, zero-integration deployment means Ensighten CMP+ is easy to use. A simple line of code added to your website is all you need to stop data from being collected before your customers give their consent, allowing real-time enforcement of customer consent regardless of tag management systems or 3rd party tags.
Request a demo to see how Ensighten can help your organization meet compliance with the Colorado Privacy Act.
Want to know more about CCPA/CPRA? Check out these resources: