February 6, 2023

Volume XIII, Number 37


February 03, 2023


California AG Releases Important CCPA Enforcement Information and Announces an Online Consumer Reporting Tool

To note the one-year anniversary of the California Consumer Privacy Act (CCPA) enforcement date, California Attorney General Rob Bonta held a press conference on July 19, 2021 to share key information about enforcement efforts and announce a new consumer privacy tool. He also praised businesses for their prompt compliance efforts and urged consumers to be proactive about their privacy rights.

Attorney General Bonta began by sharing compliance data, which his office deemed satisfactory, if not encouraging: “To date, 75% of businesses that received a notice to cure addressed the alleged CCPA violations within the 30-day window. The remaining 25% are either within their 30-day window or are under an active investigation.”

Enforcement Profiles

The California Department of Justice began enforcing the CCPA on July 1, 2020, when it first started to notify businesses of potential non-compliance. The CCPA gave businesses 30 days to cure or fix the alleged violations. Notices to cure have been issued to a wide variety of organizations including retailers, manufacturers, social media platforms, data brokers, marketing companies, businesses handling children’s data, media outlets, and others. To help businesses and consumers better understand the enforcement efforts and successes to date, the Attorney General also provided four detailed examples of the alleged CCPA violations his office had addressed in the last year.

  • In one recent example, users of a social media platform complained that the company was slow in responding to CCPA requests, and consumers were not notified that their requests had been received or, in fact, completed. After receiving the AG’s notice to cure, the business promptly fixed its platform and further corrected its response measures.

  • In another enforcement example, an online dating app was forcing users to accept sharing of their personal information whenever they signed up for the online dating service. The platform also did not have the required “do not share” link. After receiving notice of violation and working collaboratively with the AG’s office, the company cured the violations and added the required link.

  • A car manufacturer failed to notify its consumers of the use of their personal information that it collected whenever they signed up for test drives. After the AG’s notice of violation, the company implemented a notice at collection and further updated its privacy policy to include the requisite information.

  • Finally, a grocery chain required consumers to provide their personal information in exchange for participation in its loyalty program. Yet it failed to provide a notice of a financial incentive to participating consumers. Upon receiving a notice of the violation, the company promptly took corrective action.

Attorney General Bonta emphasized that these examples “are really encouraging,” as they show that “businesses are motivated and able to comply with the law.” Given that the vast majority of businesses are reportedly willing to comply with the CCPA, the AG’s office is predominantly focusing on ensuring compliance rather than penalizing businesses. “We don’t want any ‘gotchas’ here,” he reiterated.

Reminder of CCPA Consumer “Rights”

The AG also encouraged California consumers to be more proactive about exercising their CCPA rights and reporting violations: “The CCPA is only as good as the people who participate in it. In order to have control of your personal data, you must act.” Attorney General Bonta explained that the CCPA rights are not self-executing, and individuals must opt out and ensure that they use the opt-out feature as they see fit. “It’s never too late,” he concluded, to use the rights and tools provided by the CCPA.

Broadly speaking, the AG reminded consumers of the following rights under the CCPA: the right to know, the right to delete, the right to opt out, rights for minors under 16, and the right to non-discrimination. We have reported on these rights in greater detail here and have written extensively about the CCPA here. Yesterday’s press release confirmed that the AG’s office is laser-focused on protecting consumers’ CCPA rights and is actively thinking of new ways to help individuals protect their personal information.

Consumer Reporting Tool for “Do Not Sell” Opt-Outs

To make reporting even easier, the AG’s office launched a new online Consumer Privacy Interactive Tool that allows consumers to directly notify businesses that they do not appear to comply with the CCPA. This tool was launched yesterday and is already available on the AG’s website, though it still has limited reporting capabilities and is being further developed. The tool asks consumers to answer several basic questions and then generates information that can be emailed to the businesses. Importantly, reports submitted using this tool may be used by the AG’s office to trigger a 30-day notice letter to the business. Additionally, the AG’s website has an online complaint form where consumers can submit a CCPA complaint about businesses they believe are in violation of the CCPA.


There are two key takeaways from yesterday’s announcement. First, it is important to note that the AG’s office is heavily focused on CCPA enforcement, albeit with the goal of ensuring compliance rather than penalizing businesses. Second, with the release of the new privacy reporting tool, businesses need to be hyper aware of notices of violations that can trigger the 30-day cure period and must be prepared for an increase in reports of potential violations.

©1994-2023 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved. National Law Review, Volume XI, Number 201

About this Author

Cynthia Larose Privacy Attorney Mintz Levin
Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...

Natalie Prescott, Mintz Levin Law Firm, Litigation Attorney
Practice Group Associate

Natalie’s practice focuses on a wide range of litigation matters.

Prior to joining the firm, Natalie worked as the co-founder and trial lawyer for a boutique litigation firm that focuses on state and federal litigation. She also spent many years as a litigation associate at one of the world’s largest law firms, where she received extensive consumer litigation, trial, and appellate experience.

Previously, Natalie served as a judicial law clerk for the Honorable Roger T. Benitez of the United States District Court of the...
