California Privacy Enforcement: Whose Job Is It Anyway?

May 18, 2023 by Rebecca Knight, CIPP/E, CIPP/US, Counsel, Privacy Initiatives, BBB National Programs

On Jan. 1, the California Privacy Rights Act of 2020, a California ballot initiative that amended the California Consumer Privacy Act of 2018, went into effect.

Consequently, Californians rang in the new year with new privacy rights, including the right to correct inaccurate personal information and the right to limit the use and disclosure of sensitive personal information collected about them by businesses.

Beyond these new privacy rights, the CPRA also created the California Privacy Protection Agency, the first dedicated privacy regulator in the U.S.

The agency exists to fulfill one singular mission: protecting the privacy rights of Californians. That is no easy feat in what would be the world's fifth-largest economy.

The agency is governed by a five-member board consisting of privacy, technology, and consumer rights experts tasked with appointing and discharging officers, counsel, and employees.

In 2021, Ashkan Soltani, former chief technologist for the Federal Trade Commission, was appointed by the board as the agency's first executive director to develop the agency with 34 staff members and a $10 million budget. Over the next year, the agency plans to expand to 41 staff members.

To fulfill its mission, the agency has three primary responsibilities under the CCPA: raising public awareness and education, rulemaking, and enforcement.

The CCPA, as amended by the CPRA, will be enforced effective July 1. But the agency is not the only enforcer.

The CCPA will also continue to be enforced by the California Office of the Attorney General, which is housed under the California Department of Justice.

Which begs the question: Whose enforcement is it anyway?

On April 5, during the International Association of Privacy Professionals' global privacy summit, Stacey Schesser, supervising deputy attorney general for the California Department of Justice, and Soltani attempted to answer this very question in a candid discussion.

First, Schesser made it clear that the agency is an additional enforcer, and the OAG has superiority over the agency. And the CCPA, as amended by the CPRA, confirms this.

Specifically, Section 1798.199.90(c) of the CCPA provides that the agency must stop an administrative action or investigation if requested by the OAG and cannot resume the action or investigation unless the OAG subsequently decides not to pursue an investigation or civil action.

Second, Schesser attempted to draw a clear line of enforcement.

Specifically, she stated that the agency will handle administrative enforcement while the OAG will handle civil enforcement that will likely be more complex claims involving the CCPA, as well as other legal theories like false advertising.

Per Section 1798.155 of the CCPA, administrative enforcement is an action brought by the agency for violations of the CCPA that could result in a settlement or an administrative fine of $2,500 or $7,500, depending on the violation.

The administrative fines will be deposited into the Consumer Privacy Fund. However, Section 1798.199.90(a) of the CCPA outlines the OAG's civil enforcement as virtually identical.

The OAG may bring actions for violations of the CCPA, and these actions may result in a settlement or civil penalties of $2,500 or $7,500, depending on the violation. The civil penalties will also be deposited into the Consumer Privacy Fund.

Interestingly, only the OAG will be able to use the Consumer Privacy Fund to offset the costs incurred while pursuing its enforcement. The agency will not receive the same benefit.

But ultimately, the outcome of enforcement — whether it's from the agency or the OAG — is the same.

Seeking to further define the line, Soltani noted that the agency will be more technically active through technical sweeps and audits.

However, this additional line of enforcement demarcation does not track with recent actions taken by the OAG against Sephora in 2022 and for Data Privacy Day 2023. Both were undeniably technical.

Last year, the OAG brought the CCPA's first public enforcement action. On Aug. 24, 2022, California Attorney General Rob Bonta announced a settlement with Sephora Inc.

After conducting a sweep of online retailers, the OAG found, among several other issues, that Sephora failed to process opt-out requests submitted via Global Privacy Control.

GPC is a browser setting enabled by the user that notifies websites of the user's privacy preferences, including not to share or sell their data, by sending a signal to every website the user visits. Bonta explained:

Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they are using their customer's data and ignore requests to opt-out of its sale.

The Sephora settlement effectively put businesses on notice that the OAG is watching and that continued noncompliance with the CCPA would not be tolerated or ignored.
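As an added illustration (not code from the original article or from any party named in it) of the compliance failure at issue in the Sephora settlement, the following Python shows how a website can detect and honor the GPC signal server-side. It assumes the `Sec-GPC: 1` request header and the `/.well-known/gpc.json` resource defined in the public GPC specification; the tag names and date are constructed.

```python
"""Honor a Global Privacy Control (GPC) opt-out signal on the server side."""
from dataclasses import dataclass
from typing import Mapping, Optional

# Assumption: header and well-known resource names are taken from the public
# GPC specification, not from the article.
GPC_HEADER = "Sec-GPC"


@dataclass
class ConsentState:
    """Whether personal information may be sold or shared for this request."""
    sale_allowed: bool = True
    sharing_allowed: bool = True
    source: str = "default"  # where this decision came from


def gpc_opt_out_requested(headers: Mapping[str, str]) -> bool:
    """Return True only when the browser sent a valid GPC signal.

    Header names are matched case-insensitively because HTTP header names
    are. The spec defines only the value "1"; anything else ("0", "true",
    an empty string) is not a signal and must not be treated as one.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER.lower():
            return value.strip() == "1"
    return False


def apply_gpc(headers: Mapping[str, str],
              stored: Optional[ConsentState] = None) -> ConsentState:
    """Combine any stored consent record with the GPC signal for this request.

    A GPC signal is an opt-out of sale and sharing; it overrides a permissive
    default rather than being silently dropped (the failure alleged in the
    Sephora case).
    """
    if gpc_opt_out_requested(headers):
        return ConsentState(sale_allowed=False, sharing_allowed=False, source="gpc")
    return stored or ConsentState()


def ad_tech_tags_for(state: ConsentState) -> list:
    """Decide which tags may load (constructed tag names)."""
    tags = ["first-party-analytics"]
    if state.sale_allowed and state.sharing_allowed:
        tags.append("third-party-ad-pixel")  # only when sale/sharing is permitted
    return tags


def gpc_well_known() -> dict:
    """Body for /.well-known/gpc.json announcing that GPC is honored (constructed date)."""
    return {"gpc": True, "lastUpdate": "2023-05-18"}
```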

Ahead of Data Privacy Day 2023, Bonta announced an investigative sweep of popular mobile apps on Jan. 27. Letters were sent to an undisclosed number of businesses with mobile apps that failed to comply with the CCPA.

Specifically, the OAG alleged these apps failed to process opt-out requests or did not offer a mechanism to stop the sale of consumer data.

Speaking directly to the tech industry, Bonta urged them to heed the warning of Sephora and "innovate for good — including developing and adopting user-enabled global privacy controls for mobile operating systems that allow consumers to stop apps from selling their data."

Consequently, it is unclear how the OAG and the agency will straddle the line Schesser and Soltani attempted to draw, especially considering the budget disparities previously highlighted.

It is clear, however, that there is no risk of double jeopardy, as stated by Schesser. Per Section 1798.199.90(d), once the agency resolves an action, it is resolved.

The OAG may not pursue the company for the same violation. But it is very plausible for both the agency and OAG to pursue parallel proceedings against the same company for different violations at the same time — especially if the two continue to draw imaginary boundaries.

Parallel proceedings are simultaneous separate criminal, civil or administrative actions initiated by different agencies or branches of government against the same entity or individual based on shared or similar facts.

Parallel proceedings are favored by the U.S. Department of Justice, and the respective agencies or branches of government are encouraged to share information and cooperate with each other to achieve a favorable outcome.

The CCPA does not prevent parallel proceedings.

As such, for example, it is possible that the agency could pursue an administrative action based on violations focused on the technical requirements of the CCPA while the OAG pursues a civil or criminal action based on different CCPA violations that also highlight other legal theories — a less than ideal scenario.

Bottom line: "Whose enforcement is it anyway" is not an idle question.

Companies should take the necessary steps to comply with the CCPA, as amended by the CPRA, before the enforcement date takes effect to avoid costly actions from one or both enforcers.

These steps may include reviewing and updating privacy policies, staying aware of enforcement trends, and seeking opportunities to bolster compliance through independent accountability.

Originally published in Law360
