2023 - Volume 2 - Summer - Flipbook - Page 17
Recommendations
-Privacy: Continued from page 16-
that a violation occurred.
The Agency may audit any business, service provider, contractor, or person to ensure compliance with
any provision of the CCPA. Audits may be announced
or unannounced. The Agency may select entities to
audit based on possible violations of the CCPA, or if
the subject of the audit is collecting or processing personal information in a way that presents a significant
risk to consumer privacy or security, or if the subject
of the audit has a history of noncompliance with any
privacy protection law.
Covered businesses should review the adequacy of
their procedures for the following:
• Mapping data flows and integrating new instances of data collection, use and sharing into that
map, with a special focus on “sensitive personal
information” as defined in the CPRA.
• Translating the output of data mapping efforts
into a compliant privacy policy, notices at collection, and other disclosures required under the
CCPA.
• Assessing whether the business sells or shares
personal information, with consideration for
how those terms are defined in the CCPA and its
implementing regulations.
• Processing and responding to consumer requests
to opt out of the sale or sharing of personal information or limit the use of their sensitive personal information.
• Processing consumer requests to access, correct
or delete their personal information.
• Establishing rules, procedures, and any exceptions necessary to ensure that the notices and
information that businesses are required to provide pursuant to this title are provided in a manner that may be easily understood by the average
consumer, are accessible to consumers with disabilities, and are available in the language primarily used to interact with the consumer.
• Ensuring that the business does not discriminate
against consumers who exercise their rights under the CCPA.
The California Attorney General retains jurisdiction to prosecute violations of the CCPA, and can request that the Agency stay an administrative action or
investigation to allow the Attorney General to pursue
an investigation or civil action. However, the Attorney
General cannot file a civil action for a violation after
the Agency has issued a decision against an entity for
that same violation. Agency enforcement does not affect the private right of action provided for by the
CCPA, which remains limited to breaches of sensitive
personal information that result from a business’s failure to maintain reasonable security measures.
The Agency issued its first set of final regulations
on March 29, 2023, and recently announced that it is
launching a second round of rulemaking. However, a
California Superior Court recently ruled that enforcement of Agency regulations cannot begin until a year
after the rules were finalized. Therefore, the Agency’s regulations will not be enforceable until March
2024 at the earliest. Additionally, the Agency has not
issued final regulations in the areas of cybersecurity,
audits, risk assessments, and automated decisionmaking technology, which are among the key areas
requiring clarity.
Despite this, the Agency is already empowered to
enforce the text of the CCPA itself, as amended by the
CPRA, and the limited regulations previously promulgated by the Attorney General pursuant to the original
CCPA. Therefore, now is the time for businesses to
conduct a fresh review of privacy practices and ensure
compliance with the CCPA. To that end, it is important that any covered business, if it has not yet
done so, develop a mature data map to understand exactly what personal information it has about consumers, why it has that information, and where that information is stored.
Travis Brennan is a shareholder at Stradling and
leads the firm’s Privacy & Data Security practice. He
helps clients turn data privacy compliance into a business asset rather than a regulatory burden. Travis also
represents companies in commercial litigation, consumer class actions and government investigations concerning data privacy and security matters.
Lila Reiner is an associate in Stradling’s Litigation
practice group. Lila attended the UCLA School of Law
where she served as an Associate Editor of the UCLA
Law Review. Drawing on her diverse background and
prior work for the California Legislature, she brings a
creative and multi-disciplinary approach to solving
problems for clients.