Beginning next month (as early as July 1, 2020), the California Attorney General's office can begin enforcing the California Consumer Protection Act (CCPA), which was enacted January 1, 2020.

Among other obligations, CCPA requires covered businesses to make specific disclosures in their public-facing privacy notices. Under CCPA, a privacy policy must:

• Identify the categories of personal information collected, used and shared by the business in the last 12 months, along with category descriptions that provide a meaningful understanding of the information being collected;
• Describe the purpose for the collection, use and sharing of personal information and the sources from which the personal information is collected;
• Disclose categories of personal information sold (under CCPA’s definition of sale) in the past 12 months and the categories of third parties to whom personal information is sold;
• Explain that, subject to certain exceptions, CCPA provides consumers with the right to know what personal information a business has about them, the right to delete that personal information and the right to tell a business that it can no longer sell that information;
• Provide information about how consumers can contact the business to exercise their privacy rights per CCPA’s requirements;
• Describe any financial incentives offered to consumers in exchange for their personal information, including the business’s valuation of the data; and
• State whether the business has actual knowledge that it sells the personal information of minors under 16 years of age.

The Attorney General may enforce CCPA violations after a 30-day notice and cure period seeking penalties of up to $2,500 per violation or up to $7,500 per intentional violation. While the statute and regulations are silent as to what constitutes a violation, it is possible that a business could be exposed to significant fines when factoring in each impacted customer and each non-compliant act.