California Privacy Enforcement: Whose Job Is It Anyway?

May 18, 2023 by Rebecca Knight, CIPP/E, CIPP/US, Counsel, Privacy Initiatives, BBB National Programs

On Jan. 1, 2023, the California Privacy Rights Act of 2020, a California ballot initiative that amended the California Consumer Privacy Act of 2018, went into effect.

Consequently, Californians rang in the new year with new privacy rights, including the right to correct inaccurate personal information and the right to limit the use and disclosure of sensitive personal information collected about them by businesses.

Beyond these new privacy rights, the CPRA also created the California Privacy Protection Agency, the first dedicated privacy regulator in the U.S.

The agency exists to fulfill one singular mission: protecting the privacy rights of Californians. That is no easy feat in a state that, on its own, would be the world's fifth-largest economy.

The agency is governed by a five-member board consisting of privacy, technology, and consumer rights experts tasked with appointing and discharging officers, counsel, and employees.

In 2021, Ashkan Soltani, former chief technologist for the Federal Trade Commission, was appointed by the board as the agency's first executive director to develop the agency with 34 staff members and a $10 million budget. Over the next year, the agency plans to expand to 41 staff members.

To fulfill its mission, the agency has three primary responsibilities under the CCPA: public awareness and education, rulemaking, and enforcement.

The CCPA, as amended by the CPRA, becomes enforceable on July 1, 2023. But the agency is not the only enforcer.

The CCPA will also continue to be enforced by the California Office of the Attorney General, which is housed under the California Department of Justice.


This raises the question: Whose enforcement is it anyway?

On April 5, during the International Association of Privacy Professionals' global privacy summit, Stacey Schesser, supervising deputy attorney general for the California Department of Justice, and Soltani attempted to answer this very question in a candid discussion.

First, Schesser made it clear that the agency is an additional enforcer and that the OAG takes precedence over the agency. The CCPA, as amended by the CPRA, confirms this.

Specifically, Section 1798.199.90(c) of the CCPA provides that the agency must stay an administrative action or investigation if the OAG requests it, and may not resume the action or investigation unless the OAG subsequently decides not to pursue its own investigation or civil action.

Second, Schesser attempted to draw a clear line of enforcement.

Specifically, she stated that the agency will handle administrative enforcement while the OAG will handle civil enforcement that will likely be more complex claims involving the CCPA, as well as other legal theories like false advertising.

Per Section 1798.155 of the CCPA, administrative enforcement is an action brought by the agency for violations of the CCPA that can result in a settlement or an administrative fine of up to $2,500 per violation, or up to $7,500 per intentional violation or violation involving the personal information of a minor.

The administrative fines are deposited into the Consumer Privacy Fund. Section 1798.199.90(a) of the CCPA describes the OAG's civil enforcement in virtually identical terms: the OAG may bring actions for violations of the CCPA, and those actions may result in a settlement or civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation or violation involving the personal information of a minor. The civil penalties are likewise deposited into the Consumer Privacy Fund.

Interestingly, only the OAG may draw on the Consumer Privacy Fund to offset the costs it incurs in pursuing enforcement. The agency does not receive the same benefit.

Ultimately, though, the outcome of enforcement is the same whether it comes from the agency or the OAG.

Seeking to further define the line, Soltani noted that the agency will be more technically active through technical sweeps and audits.

However, this additional line of demarcation does not track with recent actions taken by the OAG: the Sephora settlement in 2022 and the mobile app sweep announced for Data Privacy Day 2023. Both were undeniably technical.

Last year, the OAG brought the CCPA's first public enforcement action. On Aug. 24, 2022, California Attorney General Rob Bonta announced a settlement with Sephora Inc.

After conducting a sweep of online retailers, the OAG found, among several other issues, that Sephora failed to process opt-out requests submitted via Global Privacy Control.

GPC is a browser setting (built in or added by an extension) that, once enabled by the user, sends a signal as an HTTP request header to every website the user visits, telling the site that the user does not want their personal information sold or shared. Bonta explained:

Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they are using their customer's data and ignore requests to opt-out of its sale.

The Sephora settlement effectively put businesses on notice that the OAG is watching and that continued noncompliance with the CCPA would not be tolerated or ignored.
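What "processing" a GPC opt-out looks like on the server side is easy to get wrong: the signal arrives as the request header `Sec-GPC: 1` on every request, and a site that reads it but never records it, or that keeps firing advertising tags regardless, has not honored it. The following is an added example, not code from the article, from Sephora, or from either enforcer. It assumes a per-visitor consent store and a constructed list of third-party tags that would amount to a sale or share when fired; both are hypothetical and exist only to show the check and the persistence a practitioner would want.

```python
"""Honoring the Global Privacy Control (GPC) opt-out signal server-side.

Added example (not from the article or any enforcement action). The GPC
specification defines the request header `Sec-GPC` with the value "1";
any other value, or no header, is not an opt-out signal. The consent
store, visitor ids and tag lists below are assumed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

GPC_HEADER = "sec-gpc"  # header name defined by the GPC specification


def gpc_opt_out_requested(headers: dict) -> bool:
    """True only when the request carries `Sec-GPC: 1`.

    Header names are matched case-insensitively; the value must be exactly
    "1" after trimming. A missing or different value is NOT consent to sell
    or share; it only means no GPC signal was sent on this request.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


@dataclass
class ConsentRecord:
    """Assumed shape of a per-visitor consent record (hypothetical)."""
    visitor_id: str
    opted_out_of_sale_share: bool = False
    source: Optional[str] = None  # e.g. "gpc" or "web_form"


class ConsentStore:
    """In-memory stand-in for whatever a site uses to persist opt-outs."""

    def __init__(self) -> None:
        self._records: dict = {}

    def get(self, visitor_id: str) -> Optional[ConsentRecord]:
        return self._records.get(visitor_id)

    def record_opt_out(self, visitor_id: str, source: str) -> ConsentRecord:
        # Conservative choice for this example: a GPC signal overrides any
        # earlier "allow" state rather than being ignored because of it.
        rec = self._records.get(visitor_id) or ConsentRecord(visitor_id)
        rec.opted_out_of_sale_share = True
        rec.source = source
        self._records[visitor_id] = rec
        return rec


# Constructed tag inventory for the example. Firing the first set would be a
# sale or share of personal information; the second set would not.
SALE_SHARE_TAGS = {"ad_pixel", "retargeting_sdk"}
OTHER_TAGS = {"first_party_analytics"}


def handle_request(store: ConsentStore, visitor_id: str, headers: dict):
    """Process one request: persist a GPC opt-out, then gate the tags.

    Returns (opted_out, sorted list of tags the page may emit). The opt-out
    is persisted, so a later request from the same visitor without the
    header (a different device setting, a bug in the extension) still
    suppresses the sale/share tags.
    """
    if gpc_opt_out_requested(headers):
        store.record_opt_out(visitor_id, source="gpc")
    rec = store.get(visitor_id)
    opted_out = bool(rec and rec.opted_out_of_sale_share)
    tags = set(OTHER_TAGS)
    if not opted_out:
        tags |= SALE_SHARE_TAGS
    return opted_out, sorted(tags)


if __name__ == "__main__":
    store = ConsentStore()
    print(handle_request(store, "visitor-1", {"Sec-GPC": "1"}))   # opted out
    print(handle_request(store, "visitor-1", {}))                 # still opted out
    print(handle_request(store, "visitor-2", {"Sec-GPC": "0"}))   # no signal
```

Two details matter in practice. First, the opt-out must be recorded against the visitor, not re-evaluated per request: a browser that sends the header once has exercised a right, and the site should keep honoring it on requests that lack the header. Second, the gating has to reach the code that actually emits advertising and analytics tags; the same signal is also exposed to page scripts as `navigator.globalPrivacyControl`, which is the place to gate tags that are injected client-side.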

Ahead of Data Privacy Day 2023, Bonta announced on Jan. 27 an investigative sweep of popular mobile apps. Letters were sent to an undisclosed number of businesses whose mobile apps failed to comply with the CCPA.

Specifically, the OAG alleged these apps failed to process opt-out requests or did not offer a mechanism to stop the sale of consumer data.

Speaking directly to the tech industry, Bonta urged them to heed the warning of Sephora and "innovate for good — including developing and adopting user-enabled global privacy controls for mobile operating systems that allow consumers to stop apps from selling their data."

Consequently, it is unclear how the OAG and the agency will keep to the line Schesser and Soltani attempted to draw, especially considering the budget disparity noted above.

It is clear, however, that there is no risk of double jeopardy, as Schesser stated. Per Section 1798.199.90(d), once the agency has resolved an action, the matter is closed, and the OAG may not pursue the company for the same violation.

But it is very plausible for the agency and the OAG to pursue parallel proceedings against the same company for different violations at the same time, especially if the two continue to draw imaginary boundaries.

Parallel proceedings are simultaneous separate criminal, civil or administrative actions initiated by different agencies or branches of government against the same entity or individual based on shared or similar facts.

Parallel proceedings are favored by the U.S. Department of Justice, and the respective agencies or branches of government are encouraged to share information and cooperate with each other to achieve a favorable outcome.

The CCPA does not prevent parallel proceedings.

As such, for example, the agency could pursue an administrative action based on violations of the technical requirements of the CCPA while the OAG pursues a civil action based on different CCPA violations, possibly combined with other legal theories. That is a less than ideal scenario for the company on the receiving end.

Bottom line: "Whose enforcement is it anyway" is not an idle question.

Companies should take the necessary steps to comply with the CCPA, as amended by the CPRA, before enforcement begins on July 1 to avoid costly actions from one or both enforcers.

These steps may include reviewing and updating privacy policies, staying aware of enforcement trends, and seeking opportunities to bolster compliance through independent accountability.

Originally published in Law360
