The California Privacy Protection Agency Is ‘Primed And Ready’ For Enforcement

It may appear as if the California Privacy Protection Agency (CPPA) has been in hibernation mode.

Other than sporadic enforcement of the California Consumer Protection Act (CCPA) led by the state’s attorney general, whose office shares enforcement powers with the CPPA, it’s been mostly quiet on the western front.

Since the law came into effect more than four years ago, we’ve seen only two major settlements: one with Sephora in 2022 and one with DoorDash in February.

But don’t let that fool you. The bear is awake and it’s got an appetite.

‘Primed and ready’

The Supreme Court in California recently reinstated the agency’s full enforcement authority, which had been temporarily delayed after a lawsuit attempting to postpone enforcement was overturned in February.

Meanwhile, the CPPA has spent the past eight months staffing up, including hiring technologists, litigators, people with industry experience, experts in administrative proceedings, the former chief privacy officer of a Fortune 500 company and the former in-house counsel at a large tech company.

“We are primed and ready to go,” said Michael Macko, the agency’s deputy director of enforcement.

Macko was speaking to a room full of ad tech lawyers at an IAB event in Washington, DC, on Tuesday devoted to public policy and legal issues. He jokingly referred to himself as being “in the lion’s den.”

It’s sobering to hear a regulator say their office is “primed and ready” for enforcement, but it’s unlikely that any of the “lions” in the room were overly surprised by that pronouncement.

The California Privacy Protection Agency was quite literally created with a mandate to protect consumer privacy and enforce the CCPA with vigor.

But publicly calling out a company for violations, which Macko acknowledged can be a “blunt tool,” isn’t the only way to spur compliance in an industry.

Next up: enforcement advisories

Which is why the CPPA plans to periodically publish what it refers to as enforcement advisories that highlight specific provisions within the CCPA and other related regs.

You can think of an enforcement advisory as a gentle reminder of important aspects of the law – combined with a warning shot of sorts that more than hints at the agency’s enforcement priorities.

But the main purpose of an advisory is actually to avoid enforcement where possible. “This is our way to encourage voluntary compliance,” Macko said.

An advisory might emphasize a certain consumer right or address an issue that’s come up multiple times through the agency’s consumer complaint system. For example, Macko said the CPPA gets a heck of a lot of complaints about companies that don’t appear to be implementing opt-out requests properly.

Take the concept of data minimization, which was the subject of the agency’s first-ever enforcement advisory, released on Tuesday.

Data minimization is a core concept within the CCPA. It’s the practice of not hoarding data and only collecting and storing the personal information that’s necessary to complete a certain task.

There’s the potential for real harm when companies collect more information than they need, including data governance challenges and a greater risk of exposure in the event of a data breach.

But the CPPA’s enforcement division has noticed companies not applying the data minimization principle – and in some cases even flouting it in the name of compliance.

For instance, the CPPA has observed companies going overboard with their processing of consumer opt-outs by asking people to provide “excessive and unnecessary personal information.”

Say someone wants a company to delete their name and email address. Is it really necessary to ask that person to share their social security number or driver’s license number to verify their identity?

According to the advisory, that’s the type of question a business should ask itself before collecting gratuitous PII.

The many flavors of enforcement

The advisories will hopefully help companies avoid unwanted attention from the CPPA. But they aren’t a substitute for enforcement actions.

“You’re going to see a lot more engagement from us on the investigative side,” Macko said.

And enforcement and outreach can come in many forms and flavors.

Sometimes, it’s as simple as a phone call from a regulator or a casual email with a question or two about a business practice. Or a business might receive a narrative letter with questions, a request for documents or an informal information request.

In some cases, a letter may arrive enclosing a consumer complaint and an invitation to the business to respond – and if you get a letter like that, it’s not nothing. “We don’t send those out for every complaint,” Macko said. “There’s something that got our attention.”

And then there’s even less welcome correspondence, which can also arrive in the form of a subpoena for documents.

“We use all of those things,” Macko said.

Which may sound scary, but the worst-possible response in any scenario is to ignore a regulator’s outreach or fail to engage.

“Don’t let the anxiety about what will happen next prevent you from engaging,” Macko said. “The fear is usually that a regulator will use the information against you, but, more often than not, these kinds of engagements lead to more credibility with the regulator.”

Oh, and don’t get so caught up in building better mouse traps that you forget about the spirit of the law – which the ad tech industry has a tendency to do.

The agency is on the lookout for compliance shortcuts.

“We’re not looking for workarounds; we’re looking for meaningful compliance,” Macko said. “And it’s not an answer to say that a particular ecosystem is too complex to comply; that’s not a satisfactory response.”
