Print PDF
California AG Announces CCPA Investigative Sweep

In advance of International Data Privacy Day, California Attorney General Rob Bonta announced on January 27, 2023, that his office had initiated an “investigative sweep” of businesses that may not be complying with the California Consumer Privacy Act (CCPA). According to the announcement, the investigation is focused on 1) retail, travel, and food service apps that either do not honor consumer opt-out requests or do not provide the appropriate mechanisms for consumers to stop the sale of their data; and 2) businesses that fail to process consumer requests submitted via an authorized agent.

In light of AG Bonta’s announcement, companies doing business in California may want to re-assess whether they are subject to the CCPA, including the provisions of that law that have been amended by the California Privacy Rights Act (CPRA), and whether their policies and practices comply with the law. Indeed, with the CPRA having taken effect on January 1, 2023, covered businesses should understand that the scope of the CCPA is now much broader than before. For example, the CPRA gave consumers additional rights (e.g., the right to correct and the right to opt-out of sharing), removed exemptions for certain categories of personal information (e.g., business-to-business data and employment-related data), and imposed additional requirements on covered businesses.

The CPRA also created the California Privacy Protection Agency (CPPA), a new regulatory body dedicated exclusively to privacy regulation. The CPPA will have full administrative-enforcement authority over the CCPA as of July 1, 2023, and the agency has been actively engaged in rulemaking activity since its creation. Coincidentally, the CPPA published additional rulemaking materials last week and is likely to undertake significant enforcement efforts in the second half of this year. Now is therefore an opportune time for covered businesses to review their compliance efforts and prepare for any regulatory changes that may be coming.

Please contact Patrick Emerson McCormick, CIPP/US or another member of Lewis Roca’s Data Protection and Cybersecurity team for more information about the CCPA/CPRA and other state privacy and cybersecurity laws that may affect your organization.

Tags: Data Privacy and Cybersecurity
  • John C. Gray, CIPP/US
    Of Counsel

    John Gray is Of Counsel in Lewis Roca’s Litigation Practice Group and leads the firm’s Data Privacy and Cybersecurity Group.  He is also a member of the firm’s AI Task Force.

    As a litigator, John has more than a decade of experience in Arizona, California, and other forums across the ...

  • Patrick Emerson McCormick, CIPP/US

    Patrick is an associate in the firm's Litigation Practice Group. Patrick is a Certified Information Privacy Professional (CIPP/US) and assists clients on how to best protect themselves from data breaches, and how to respond if one occurs. His litigation practice focuses on corporate ...

About This Blog

Lewis Roca is immersed in your industry and invested in your success. We share insights and trends that can affect your business.





Recent Posts

Jump to Page

How Can We
Help You?

By using this site, you agree to our updated Privacy Policy and our Terms of Use.