California begins CCPA enforcement on July 1, 2020

CCPA enforcement started July 1, 2020. Even with some regulations still pending, the AG's office expected businesses to honor consumer rights—access, deletion, opt-out, the whole package.

The California Attorney General began enforcement of the California Consumer Privacy Act on 1 July 2020, six months after the law's operative date. The start of enforcement marked the beginning of active regulatory oversight and potential penalty exposure for businesses subject to CCPA requirements.

Enforcement Authority Framework

Exclusive enforcement under CCPA rests with the California Attorney General, with civil penalties up to $2,500 per violation and $7,500 per intentional violation. The AG's exclusive authority distinguishes CCPA from GDPR's decentralized enforcement model and from state consumer protection laws allowing private attorney general actions.

Cure period provisions initially required the AG to provide 30-day notice before filing enforcement actions, giving businesses an opportunity to cure alleged violations. This provision was later modified by CPRA, which eliminated the mandatory cure period and granted the new California Privacy Protection Agency concurrent enforcement authority.

Investigative powers enable the AG to issue subpoenas, conduct examinations, and require production of documents relevant to CCPA compliance investigations. Businesses should prepare response procedures for potential AG inquiries.

Consumer Rights Compliance

Access request handling requires businesses to respond to verifiable consumer requests within 45 days, with a 45-day extension available for complex requests. Responses must provide the requested personal information in portable, commonly used formats.

Deletion request procedures must enable consumers to request deletion of their personal information, subject to statutory exceptions for legal obligations, security, and certain business purposes. Businesses must direct service providers to delete consumer data upon request.

Opt-out mechanisms for sale of personal information require clear, conspicuous "Do Not Sell My Personal Information" links on websites. Businesses must honor opt-out requests and cannot require consumers to create accounts to exercise opt-out rights.

Non-discrimination provisions prohibit businesses from denying goods or services, charging different prices, or providing a different level of quality because a consumer exercised privacy rights, unless price differentials reflect the actual value of consumer data.

Notice Requirements

Privacy policy disclosures must describe categories of personal information collected, purposes of collection and use, consumer rights, and verification procedures. Policies must be updated annually and clearly identify the date of last update.

Collection notices at or before collection must inform consumers of personal information categories being collected and purposes for which they will be used. These notices differ from general privacy policies by providing point-of-collection transparency.

Financial incentive notices are required when businesses offer loyalty programs or other incentives involving personal information. Notices must set out the material terms, explain how incentive value relates to personal information value, and describe opt-in procedures.

Service Provider Compliance

Written contracts with service providers must prohibit retention, use, or disclosure of personal information except as specified for business purposes. Contracts should address consumer request handling, security requirements, and subcontractor restrictions.

Third-party oversight requires businesses to understand whether transfers constitute "sales" requiring consumer opt-out rights. Businesses should conduct vendor assessments to determine appropriate contractual frameworks.

Enforcement Priorities

Early AG enforcement focused on large technology companies, data brokers, and businesses with significant consumer data handling. The AG also pursued businesses with inadequate opt-out mechanisms and insufficient privacy policy disclosures.

If you are affected, conduct compliance assessments against CCPA requirements, implement strong request response processes, and maintain documentation demonstrating good faith compliance efforts to mitigate enforcement risk.
