Information obtained from the July 2024 California Privacy Protection Agency (CPPA) board meeting puts a spotlight on the growing enforcement activity in the California privacy space. Here's a focused look at the active investigations and how companies can prepare:
Active Investigations and Growing Enforcement
Michael Macko, Deputy Director of the CPPA's Enforcement Division, revealed that the agency is currently engaged in “double digit” investigations. This indicates a significant increase in enforcement activity compared to the three public enforcement actions brought by the California Attorney General's Office to date. The 2,176 consumer complaints filed with the CPPA within the last twelve months provide one explanation, in addition to a likely growing enforcement appetite as the CPPA builds out and matures its investigative and enforcement mechanisms.
These investigations can be time-consuming and costly for parties that are ill-prepared to deal with them. They can take many months, are often intrusive, and can even sometimes lead to litigation.
How to be Prepared for a CPPA Investigation
The best way to prepare for a CPPA investigation is to develop and implement robust compliance controls, policies, and procedures. CPPA has highlighted areas of focus and priorities in their growing enforcement strategy:
- Review Privacy Notices and Policies: Perform at minimum an annual review of privacy notices and policies to ensure they are keeping up with the dynamic privacy legal landscape.
- Strengthen Deletion Request Processes: Implement robust systems to honor consumers' right to delete their personal information. Businesses should evaluate their processes end-to-end to ensure requests are being handled in a timely and effective manner.
- Improve Consumer Request Handling: Review and optimize procedures for handling all types of consumer requests, including access and opt-out requests. The CPPA has disclosed an effort to “get under the hood” of businesses to see how requests are being handled – signaling more intrusive technical investigations.
- Opt-Out Mechanisms: CPPA says it is focusing on businesses that decline opt-out requests “without additional verification” or fail to provide an opt-out mechanism altogether. Avoid requiring unnecessary verification for opt-out requests.
- Dark Patterns: CPPA warns businesses that it is taking aim at the use of “dark patterns.” Businesses should review user interfaces to ensure they don't use “dark patterns” that hinder consumers from exercising their rights.
- Vulnerable Populations: CPPA is especially focusing efforts on businesses that work with the data of vulnerable populations. Pay special attention to data practices affecting children, elders, and other vulnerable groups. CPPA is prioritizing protection of sensitive groups and data involving things such as reproductive rights, religion, race, and gender.
How to Get Ahead of Enforcement
Monitor Enforcement Advisories: Stay informed about CPPA enforcement advisories and act on them promptly. These advisories highlight issues observed by the Enforcement Division and serve to put regulated businesses on notice of potential compliance issues. When you see an advisory, it is an opportunity for self-critical assessment. Ignoring or not acting on enforcement advisories may be used against you to prove intent and state of mind, which are considerations for enhanced administrative fines and penalties.
Be Cooperative: If contacted by the CPPA, respond in a timely manner and demonstrate good faith efforts to comply. This approach can facilitate a more cooperative relationship with regulators and potentially lead to reduced penalties, should your investigation go sideways. Most investigations start with evidence gathering, where a business may receive a call or an inquiry to provide basic information about a consumer complaint and resolution. More formally, CPPA may send a business a subpoena or other legal process for information. Protecting your interests with good legal consultation is crucial.
By focusing on CPPA priorities, your business can better position itself to withstand potential CPPA investigations, as well as demonstrate your commitment to compliance with California privacy laws.
Kronenberger Rosenfeld remains committed to helping clients navigate these complex regulatory waters to build robust privacy programs, and to prepare and handle enforcement issues along the way. If you need assistance for your business, contact our firm using our online case submission form here.