In brief:
- California’s trend in CCPA enforcement seems clear: the state is applying an expansive reading of consumer private right of action and the definition of “sale” of data.
- California’s AG sent enforcement letters in July, clarifying that the state views collection of cookies as fitting within the CCPA’s definition of a data “sale”.
- If California’s current enforcement trends continue, most businesses will quickly opt for compliance software over paying fines for violations.
The California Attorney General’s office has stepped up enforcement activities related to the California Consumer Privacy Act (CCPA). So far, the trend seems clear: the state is applying an expansive reading of consumer private right of action and the definition of “sale” of data.
“Enforcement of the CCPA marks an enormous step for privacy protection in California, particularly at this time after the COVID-19 pandemic moved so much of our lives online. We’re happy to announce that we are seeing great progress with our CCPA enforcement, but there’s more work to be done,” said California Attorney General, Rob Bonta.
On July 19, 2021, Bonta’s office reported on the first year of enforcement activity and encouraged Californians to take advantage of consumer rights provided by the CCPA. Among the challenges for businesses seeking to comply with CCPA is that there are two different types of penalties – statutory penalties, which carry a cost of $2,500-$7,500 per violation, and the consumer private right of action, which carries penalties of $250-$750 per incident per violation.

The California AG’s office reported that 75% of businesses receiving enforcement letters have cured violations during the breach period, thus avoiding penalties. Examples of notices to cure, as reported on the State of California Department of Justice website, include:
- A business that manufactures and sells cars failed to notify consumers of the use of personal information when collecting personal information from consumers seeking to test drive vehicles at a dealership location, in addition to other omissions in its privacy policy. After being notified of alleged noncompliance, the business implemented a notice at collection for personal information received in connection with test drives and updated its privacy policy to include required information.
- A grocery chain required consumers to provide personal information in exchange for participation in its company loyalty programs. The company did not provide a Notice of Financial Incentive to participating consumers. After being notified of alleged noncompliance, the company amended its privacy policy to include a Notice of Financial Incentive.
- A social media app was not timely responding to CCPA requests, and users publicly complained that they were not receiving notice that their CCPA requests had been received or effectuated. The business explained its response processes and submitted detailed plans showing that it updated its CCPA consumer response procedures to include timely receipt confirmations and responses to future requests.
- An online dating platform that collected and sold personal information did not have a “Do Not Sell My Personal Information” link on its homepage and disclosed that a user clicking an “accept sharing” button when creating a new account was sufficient to establish blanket consent to sell personal information. After being notified of alleged noncompliance, the business added a clear and conspicuous “Do Not Sell My Personal Information” link and updated its privacy policy with compliant sales disclosures.
Also in July, the state sent enforcement letters to social media sites, data brokers, advertisers and ad tech firms clarifying the state’s position on the subject of cookies. Digiday reported the enforcement activity clarifies the state’s “position that data tracking for advertising and analytics purposes, including cookie-based tracking, fits within the CCPA’s definition of a data sale.” Many lawyers see this as an expansive interpretation of the CCPA’s definition of sale, and it potentially comes with a high price tag if the state assesses fines on a per-cookie basis.
Another trend of California’s enforcement actions suggests a broad interpretation of consumers’ private right of action. In a legal analysis of CCPA lawsuits by the Norton Rose Fulbright law blog, Jeffrey Brian Margulies discusses actions brought against Zoom and Ring. “Notwithstanding the failed attempts to expand the private right of action in the legislature, the plaintiffs’ bar is asking courts to recognize a broader private right of action that also applies to a more expansive definition of personal information,” Margulies writes. He goes on to explain that Zoom is facing eight related consumer class actions in the Northern District of California, alleging Zoom violated the CCPA for sharing user information with Facebook for the purpose of targeted advertising. Similar claims have been made against Ring for allegedly failing to provide consumers notice of Ring’s collection and sharing of personal information and of the right to opt out. Court rulings on these legal actions could have strong implications for how far the consumer private right of action extends under CCPA.
Trends in CCPA enforcement activities are clearly tilting towards more stringent enforcement with expansive interpretations of the law.
While consumers may be happy to read this, businesses will likely be concerned. Most businesses have yet to implement comprehensive CCPA compliance strategies for their data systems. Businesses selling products and services to California residents will want to pay close attention to Bonta’s enforcement activities, with an eye towards where their compliance vulnerabilities may be. It is clear that California has stepped up enforcement activity and is trending toward an expansive interpretation of the law.
The compliance cost consideration for a business is whether it will cost more to pay the fines or to pay for compliance software that will help it avoid fines.
If California’s current enforcement trends continue, most businesses will quickly opt for compliance software over paying fines for violations.