CCPA Enforcement: It’s Here … And Beyond


By: Rick Bortnick

On July 1. California’s Attorney General (“OAG”) began enforcing the California Consumer Privacy Act (“CCPA”)  against Covered Entities, notwithstanding that California’s Office of Administrative Law (“OAL”) had yet to approve CCPA’s correlative regulations. That changed on August 14, when the OAG announced that it had approved CCPA’s final regulations, albeit it with what the OAL characterized as “non-substantive changes for accuracy, consistency, and clarity.”

OAL’s changes included a modification of the mandate requiring Covered Entities to include a “Do Not Sell My Info” link on their home page enabling consumers to “opt-out” and direct the Covered Entity not to sell their personal information. The OAL now requires Covered Entities to display a “Do Not Sell My Information” link rather than the shorthand “Do Not Sell My Info” phrase.

While the OAL’s deletion of the short-hand link is effective immediately, businesses have 30 days to cure any alleged violations from the date they receive a non-compliance letter.

In addition, the OAG withdrew four of the sections it previously had proposed as follows:

  1. removed guidance on how business may use previously collected information for a materially different purpose by obtaining express consent from consumers;
  2. removed guidance on how business substantially interacting with consumers offline should provide notice of right to opt-out via an offline method;
  3. removed guidance on how businesses can provide consumers methods for submitting opt-out requests; and
  4. removed a section addressing a Covered Entity’s ability to deny certain requests for authorized agents.

The OAG hit the ground running from the moment its authority to enforce CCPA incepted. The same day its enforcement authority went into effect, the OAG sent compliance letters to businesses across all sectors notifying the recipients of alleged CCPA violations.   

The Attorney General was not the only one eager to enforce CCPA. Within days, a putative class of consumers sued Walmart alleging it had violated CCPA’s security provision, been negligent under the California Customer Records Act, had committed unfair business practices, and breached the contract arising from Walmart’s privacy policy. According to the Walmart Complaint, “the dark web is replete with stolen Walmart accounts for sale”, including credit and payment card information. The Complaint further avers that Walmart’s online security systems are vulnerable to unauthorized intrusions. This suit comes on the heels of prior CCPA suits against Minted Inc., Zoom, TikTok, and

The named plaintiff also asserts that he had communicated with the alleged hackers and verified the available personal information belonged to Walmart’s customers, a highly uncommon allegation in class actions relating to alleged privacy incidents and cyber breaches.

Citing CCPA, the named plaintiff seeks class-wide damages of at least $100 but not more than $750 per affected consumer. For Walmart, this means that a potential class of two million Californians could result in $200 million to $1.5 billion in damages. While this would scale down for smaller businesses, even a business subject to the CCPA with 50,000 consumers would face damages ranging from $5 million to $37.5 million.

But that is far from the end of the risks and potential exposures that companies doing business and aspiring to do business in California may face. To the contrary, on November 3, California residents will vote on the proposed California Privacy and Rights and Enforcement Act, sometimes referenced as CCPA 2.0 (“CPRA”), a statute which would further enhance California consumers’ privacy rights. As proposed, CPRA imposes more robust privacy requirements on Covered Entities and increases the penalties they might be assessed for violations. The proposed legislation gathered over 600,000 (reportedly over 925,000) valid signatures, according to California’s Secretary of State. 

The enhanced privacy rights proposed in CRPA would bring California even closer to the European Union’s mandates, which are set forth in its General Data Protection Regulation, colloquially known as GDPR, currently the most robust privacy legislation in the world. 

Among other things, CPRA would impose new obligations with respect to personal information (“PI”) collected after January 1, 2023, save the right to access personal information collected on or after January 1, 2022.

Given consumers’ concerns about and sensitivity to the loss of their personal information, CPRA is expected to pass by an overwhelming margin.

In short, Covered Entities doing business or aspiring to do business with California residents should take all appropriate steps  to implement “reasonable security procedures and practices” (an undefined term) to be compliant with CCPA and its newly enacted regulations, and steel themselves for even more robust mandates upon the passage and enactment of CRPA. To start, businesses that sell the personal information of California residents should include a link on their home page to a separate notice page that includes a “Do Not Sell My Personal Information” tab advising users of their right to opt-out.

Moreover, Covered Entities should be careful to maintain and update, as necessary, proactive employee training and robust information security protections. This, of course, includes having attorneys, who carry the attorney-client privilege with them, train both employees who deal with the public, as well as those with access to personal data, on how to detect and avoid social engineering and other types of business email compromise attacks. A company’s reputation and viability might depend on it.  

If you have questions or would like more information, please contact Rick Bortnick at