The California Attorney General on Friday announced a new investigative sweep under the California Consumer Privacy Act (CCPA). The announcement marks the third year in a row in which the Attorney General’s office has initiated a significant enforcement or regulatory initiative on Data Privacy Day[1]. This year, Attorney General Bonta’s team is focusing on B2C mobile apps in several industries that allegedly fail to enable or process consumer opt out requests, or privacy requests submitted by authorized agents.
This sweep highlights two areas of risk. The first is the ability for mobile apps to receive and process consumer privacy requests that consumers transmit via automated digital tools. The second is the need to carefully apply the more stringent purpose limitation and data minimization standard enacted through the California Privacy Rights Act to mobile app data. The California Attorney General is clearly expressing a recognition of the uniquely sensitive nature of the data available to businesses through consumer use of mobile devices. We recommend businesses categorize mobile app data accordingly.
We have direct experience successfully advising and defending clients who receive notices of violation from the California Attorney General, including under the CCPA. We expect the Attorney General’s office to continue to be active in enforcement, even as the California Privacy Protection Agency finalizes its initial proposed regulations under the CCPA and moves toward an enforcement posture. For questions, contact your attorney on our Privacy, Cyber & Data Strategy Team.
[1] This year, technically the last business day before Data Privacy Day, which is recognized internationally each year on January 28th.
