CCPA Compliance Obligations Enforceable Despite CA Superior Court Decision Delaying Regulations Enforcement

California Superior Court Stays Some Areas of Enforcement

By now, you have likely heard about the California Superior Court decision delaying enforcement, until March 29, 2024, of the California Privacy Protection Agency (CPPA) regulations issued on March 29, 2023. The CPPA’s regulations supplement the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), whose amendments became effective January 1, 2023. The Court’s June 30 decision delaying enforcement of the new regulations was the result of a challenge brought by the California Chamber of Commerce.

CPPA Deputy Director of Enforcement Responds to Court Decision

At the Friday, July 14 CPPA Board meeting, Michael Macko, the new Deputy Director for Enforcement, made clear that businesses do not get a “free pass from enforcement” as a result of the Court’s decision to delay enforcement of the new CPPA regulations. He reiterated the broad scope of the agency’s enforcement powers that are in effect now and presented the Enforcement division’s priorities.

Expect “Vigorous Enforcement” By the CPPA This Year

Deputy Director Macko stated that we should expect “vigorous enforcement this year” of obligations that have been “on the books for several years” to protect the public. He noted that the CCPA, as amended, continues to be enforceable, because the Court’s decision did not delay enforcement of the obligations of the law itself, which became effective January 1, 2023, and enforceable on July 1, 2023. Nor did the Court’s decision affect enforcement of the original regulations issued by the California Attorney General’s office, which supplement the CCPA in its original, pre-amendment form.

This means the CPPA and the AG, who share enforcement powers, have the immediate power to enforce both the law, as amended, and the original regulations, just not the March 29, 2023-issued regulations.

CPPA Enforcement Division’s Guiding Principles

Deputy Director Macko noted that the Enforcement division will be guided by the following principles:

  • Protect vulnerable populations: children, the elderly, vulnerable or marginalized populations
  • “Aggressive enforcement” as violations can be “black and white” but with the use of sound prosecutorial discretion about which cases to bring and when to bring them, taking into consideration:
    • The nature of the harm(s) to consumers
    • Good faith efforts by the business
    • The size and resources of the business

CPPA Enforcement Division’s Enforcement Priorities

Deputy Director Macko noted that the Enforcement division has identified the following enforcement priorities, but that those identified below are not the only areas of enforcement and that priorities will evolve:

  1. Privacy Policies and Notices
    • Reviewing to ensure compliance
    • Explicit obligation in the law, not new or onerous
    • A gateway, foundational issue of business function
    • Whether the business is collecting and using data consistently with what it tells consumers
  2. Right to Deletion
    • A well-established right (older than the right to correction)
    • Look at how businesses are complying
  3. Implementation of Consumer Requests
    • How are businesses complying when they receive a request?
    • When consumers make a request (such as Opt-out), what are businesses doing?
    • How are they actually operationalizing the law’s requirements?
    • What barriers are businesses introducing that prevent consumers from exercising their rights?

Enforcement Division Expects “Rigorous Compliance” to New Regulations Starting March 29, 2024

Deputy Director Macko noted that the new regulations, enforcement of which has been stayed until March 29, 2024, for the most part provide clarity rather than impose new rules. He stated that the Enforcement division “expects to see rigorous compliance” with the new regulations by March 29, 2024.

Vendor Due Diligence: An Important Component of a Privacy Program Subject to Enforcement

Now that the California, Colorado, Connecticut and Virginia state privacy laws are in their enforcement phase, companies must, in addition to ensuring they comply with the various state privacy laws, also continue their vendor due diligence efforts.

Contracts Required by the CCPA, as Amended, Must Address Vendor Obligations

Under the CCPA, “a business that collects a consumer’s personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with the third party, service provider, or contractor” that, among other terms, grants the business “rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with” the business’s obligations under the CCPA. (See §1798.100(d)(3).)

This requirement, that businesses have written contracts containing particular terms granting the business the right to take “reasonable and appropriate steps” to ensure that the recipient of the data uses it consistently with the CCPA, is a statutory requirement that the CPPA Enforcement Division and the California AG have the power to enforce immediately.

The CCPA further provides that a business will not be liable for misuse by a service provider or contractor with which it has the proper contract, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider or contractor intends to commit such a violation. (See §1798.145(i)(1) and (2).)

The actual knowledge standard is clear, but what constitutes “reason to believe”? This is an area where the new regulations provide detailed guidance. As Deputy Director Macko noted, the new regulations clarify how to operationalize and accomplish the obligations embodied in the law.

Regulations §7051(c) and §7053(6)(b) clarify that whether a business conducts due diligence of its service providers, contractors or third parties factors into whether the business has “reason to believe.”

§7051(c) states:

Whether a business conducts due diligence of its service providers and contractors factors into whether the business has reason to believe that a service provider or contractor is using personal information in violation of the CCPA and these regulations. For example, depending on the circumstances, a business that never enforces the terms of the contract nor exercises its rights to audit or test the service provider’s or contractor’s systems might not be able to rely on the defense that it did not have reason to believe that the service provider or contractor intends to use the personal information in violation of the CCPA and these regulations at the time the business disclosed the personal information to the service provider or contractor.

§7053(6)(b) parallels §7051(c) and covers third parties.

Vendor Compliance is a Common Component of Many State Privacy Laws

California is not alone in creating mechanisms for companies to ensure vendor compliance. Such vendor compliance obligations are a common component of most state privacy laws.

The Colorado, Connecticut, Virginia, Texas, Florida, Indiana, and Montana state privacy laws, and the bill passed in Delaware that is awaiting the governor’s signature, all have very similar requirements for specific contractual language in agreements between controllers and processors, which (1) require processors “to make available to the controller all information necessary to demonstrate compliance with the obligations of” the relevant state law, and (2) require processors to “allow for, and contribute to, reasonable” audits and inspections or assessments by the controller.

California Attorney General Continues Enforcement on Compliance with CCPA Regarding Employment and Applicant Data

Also of note: on Friday, July 14, 2023, the California Attorney General’s office announced that it had initiated a new investigative sweep, sending letters to large California employers to inquire about their compliance with the CCPA regarding the personal information of employees and job applicants. As noted above, the California AG shares enforcement powers with the CPPA and continues what it describes as its “robust enforcement” of the CCPA.

Colorado Attorney General Initiates Enforcement

Colorado Attorney General Phil Weiser announced, through a series of letters to businesses sent the week of July 12, that the Colorado Department of Law will begin enforcing the recently enacted Colorado Privacy Act. The new data privacy law went into effect on July 1.

AG Weiser stated that his department’s “enforcement of the Colorado Privacy Act is a critical tool to protect consumers’ data and privacy. Our enforcement of this important law will not seek to make life challenging for organizations that are complying with the law, but rather will seek to support such efforts,” said Weiser. “These letters will help make businesses aware of the law and direct them to educational resources to help them comply. And, if we become aware of organizations that are flouting the law or refusing to comply with it, we are prepared to act.”

Particular areas of enforcement focus concern obligations regarding the collection and use of sensitive data, including the requirement to obtain consumer consent before collecting sensitive data, and the obligation to allow consumers to opt out of targeted advertising and profiling.

SafeGuard Privacy Helps Address All Areas Subject to Enforcement

Companies are advised to continue their CCPA compliance efforts with respect to both the law and the new regulations, as building or modifying a privacy program and operationalizing those changes takes time.

Our platform identifies which requirements of the new regulations are the same as those in the original regulations promulgated by the California AG (and therefore remain enforceable now), which have been modified, and which are brand new, making it easier to mature your privacy program to meet the compliance obligations under the law and the regulations.

Contact SafeGuard Privacy for more information: hello@safeguardprivacy.com