Flexi Group

CPPA Deputy Director of Enforcement Reveals Active Investigations and Future Plans

The enforcement division of the California Privacy Protection Agency (CPPA) is actively investigating over ten businesses suspected of violating state privacy laws.


Michael Macko, the CPPA's deputy director of enforcement, shared these updates during a recent board meeting. The agency, established under the 2020 California Privacy Rights Act (CPRA) to expand the protections of the California Consumer Privacy Act (CCPA), has been operational for a year.


Macko stated that the number of ongoing investigations is "in the double digits," but the names of the businesses and specific details will remain confidential unless enforcement action is taken, which may not happen for several months. "It would be unfair to businesses otherwise," Macko explained, adding, "we’re following the facts wherever they may lead."


The enforcement team comprises 12 members, including former federal prosecutors, chief privacy officers from Fortune 500 companies, litigators from major law firms, and technologists. Their investigations are often initiated by consumer complaints, which, according to Macko, "inform us, inspire us, and motivate us." He noted that these complaints help the agency identify trends and gaps that may require further regulation.


"We review every consumer complaint we receive," Macko emphasized, noting that consumers typically turn to regulatory authorities as a "last ditch effort." Between July 6, 2023, and June 30, 2024, the CPPA received nearly 2,200 complaints. The enforcement division evaluates each complaint to determine which ones to investigate, aiming to effect positive change for the maximum number of California residents.


Approximately half of the complaints in the past year were related to California consumers’ right to request the deletion of their personal data by companies operating in the state. Around 41 percent of the complaints concerned individuals’ right to opt out of having their personal data collected. Most complaints lead to the CPPA contacting the business involved, urging them to resolve the issue.


"We are all better off if businesses comply with the law. The reality is that sometimes stronger medicine is in order," Macko stated. During the enforcement phase, the division gathers and analyzes evidence, and businesses that cooperate and communicate with the CPPA tend to reach better resolutions. "We are all better off if businesses comply with the law. The reality is that sometimes stronger medicine is in order," Macko reiterated.


If a comprehensive investigation is necessary, the division may request documents or issue subpoenas. Should the investigation warrant litigation, it begins with a probable cause hearing before an administrative law judge and culminates with a decision by the CPPA board on whether regulations were violated.


Macko outlined several enforcement priorities for the CPPA, including targeting businesses that sell or share personal information without providing clear notice and opt-out options.


The agency is also vigilant against "dark patterns" that prevent individuals from exercising their privacy rights. This term is clearly defined in California regulations, Macko noted.


Additionally, the CPPA is particularly concerned with violations affecting vulnerable populations, such as data related to reproduction, religious practices, race, and gender. The agency is also focused on ensuring that residents’ requests to opt out of data collection are honored and that individuals do not have to disclose excessive personal information to make such requests.


In April, the CPPA issued an enforcement advisory to inform Californians of their rights and alert businesses to common complaints. "There are more advisories to come" this year, Macko said, noting that these advisories serve as warnings to businesses and opportunities for companies to assess their compliance. Ignoring such warnings can "influence a business’s exposure to an administrative fine" and affect the severity of the fine, he added.


Over the past year, the CPPA has focused on building its enforcement division, including establishing infrastructure and hiring staff. Looking ahead, the agency aims to improve efficiency in handling complaints and investigations. "I suspect it will be another dynamic year," Macko concluded. 

By fLEXI tEAM
