In advance of International Data Privacy Day, California Attorney General Rob Bonta announced on January 27, 2023, that his office had initiated an “investigative sweep” of businesses that may not be complying with the California Consumer Privacy Act (CCPA). According to the announcement, the investigation is focused on 1) retail, travel, and food service apps that either do not honor consumer opt-out requests or do not provide the appropriate mechanisms for consumers to stop the sale of their data; and 2) businesses that fail to process consumer requests submitted via an authorized agent.
In light of AG Bonta’s announcement, companies doing business in California may want to re-assess whether they are subject to the CCPA, including the provisions of that law that have been amended by the California Privacy Rights Act (CPRA), and whether their policies and practices comply with the law. Indeed, with the CPRA having taken effect on January 1, 2023, covered businesses should understand that the scope of the CCPA is now much broader than before. For example, the CPRA gave consumers additional rights (e.g., the right to correct and the right to opt out of sharing), removed exemptions for certain categories of personal information (e.g., business-to-business data and employment-related data), and imposed additional requirements on covered businesses.
The CPRA also created the California Privacy Protection Agency (CPPA), a new regulatory body dedicated exclusively to privacy regulation. The CPPA will have full administrative-enforcement authority over the CCPA as of July 1, 2023, and the agency has been actively engaged in rulemaking activity since its creation. Coincidentally, the CPPA published additional rulemaking materials last week and is likely to undertake significant enforcement efforts in the second half of this year. Now is therefore an opportune time for covered businesses to review their compliance efforts and prepare for any regulatory changes that may be coming.