On January 27, California Attorney General Rob Bonta announced an “investigative sweep” of businesses with mobile applications for allegedly failing to comply with the California Consumer Privacy Act (CCPA). This ongoing sweep targets popular mobile applications in the retail, travel, and food service industries that fail to offer a mechanism for consumers to opt out of data sales or that fail to process consumer opt-out requests, including requests submitted via an authorized agent like Permission Slip.

As the AG’s most recent effort to enforce California’s stringent consumer privacy law, this new investigative sweep came on the heels of the AG’s August 2022 $1.2 million settlement with Sephora for allegedly failing to disclose it sold consumer personal information and failed to process opt-out requests via user-enabled global privacy controls. According to Bonta, his office focused on the idea that California “consumers have the right to stop the sale of their personal information.”

Since July 1, 2020, when enforcement of the CCPA began, many companies received notice-to-cure letters, warning of CCPA violations. In summer 2021, AG Bonta announced that 75% of the businesses that received a notice-to-cure letter complied within 30 days according to the CCPA; the remaining 25% either still fell within their 30-day statutory cure period or came under active AG investigation.

Critically, companies receiving new investigative letters can no longer rely on the CCPA’s 30-day cure period to correct violations. Effective January 1, the automatic 30-day cure period gave way to the California Department of Justice’s discretion to permit companies to cure on a case-by-case basis. Therefore, companies that receive notice-to-cure letters need to take immediate action and work with legal counsel to develop a strategy to respond and cure violations, if necessary.

Why It Matters

The breadth of AG Bonta’s sweeps serves as notice that no industry or business is immune from regulatory scrutiny. Their diversity may be due to the recently launched, interactive Consumer Privacy Tool through which consumers can draft noncompliance notices to companies. By essentially crowdsourcing preliminary investigation to the public, the OAG can expand its reach across a more varied industry base.

Companies that do business with California consumers need to make certain that they are engaging in defensible privacy practices as described by the CCPA and corresponding regulations. Companies must ensure that, at a minimum, they comply with fundamental privacy requirements under the CCPA, such as a readily available privacy policy, conspicuous notice of privacy rights, maintaining an easily accessible opt-out process on the company’s website, and consistent fulfillment of consumer opt-out requests. Failure to do so at this stage comes with significant risk.

Troutman Pepper State Attorneys General Team

Ashley Taylor – Co-leader and Firm Vice Chair
Ashley is a partner in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and co-leader of the State Attorneys General practice. He focuses primarily on federal and state government regulatory and enforcement matters involving state attorneys general, the Consumer Financial Protection Bureau (CFPB), and the Federal Trade Commission (FTC). Drawing upon his experience as a deputy attorney general, Ashley has developed an extensive consumer practice with regard to the consumer financial services industry.
Clay Friedman – Co-leader
Clay is a partner in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and co-leader of the State Attorneys General practice. Informed by nearly a decade in a state attorneys general office, and more than 25 years in private practice, Clay spends much of his time representing clients in singular or multistate regulatory actions. Clay has repeatedly led teams before all 50 state attorneys general and also handles matters with the Federal Trade Commission, the Consumer Financial Protection Bureau, and other local, state and federal agencies.
Stephen Piepgrass
Stephen represents clients interacting with, and being investigated by, state attorneys general and other enforcement bodies, including the CFPB and FTC, as well as clients involved with litigation, particularly in heavily regulated industries.
Michael Yaghi
Michael handles high-profile state attorneys general, FTC, and CFPB investigations by advising clients through these complex government inquiries. He assists clients through the entire life cycle of investigations, from regulatory enforcement through formal litigation.
Ketan Bhirud
As a former government official at the state and federal level, Ketan leverages extensive experience in the public and private sectors to skillfully represent client interests.
Avi Schick
A former deputy attorney general of New York, Avi applies his experience in bet-the-company matters, representing clients in criminal and civil investigations and enforcement actions before state and federal regulators, prosecutors and enforcement agencies.
Chris Carlson
Chris represents clients in regulatory, civil and criminal investigations and litigation. In his practice, Chris regularly employs his prior regulatory experience to benefit clients who are interacting with and being investigated by state attorneys general.
Natalia Jacobo
Natalia is an associate in the firm’s business litigation practice. She recently received her J.D from the University of California, Davis School of Law.
Namrata Kang
Namrata is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, based in the Washington, D.C. office. Her work includes advising clients in regulatory investigations and compliance matters, in addition to representing clients in civil litigation matters.
Susan Nikdel
Susan is an associate in the firm’s Consumer Financial Services Practice Group, and focuses her practice on consumer financial services matters. She has defended several of the nation’s largest and most influential financial institutions in individual and class action litigation involving the Telephone Consumer Protection Act (TCPA), Fair Credit Reporting Act (FCRA), Fair Debt Collection Practices Act (FDCPA), and other consumer privacy statutes. Susan also represents banks, fintechs, and financial services companies in connection with regulatory examinations and investigations brought by the CFPB, state attorneys general, and the California Department of Financial Protection and Innovation.
Whitney Shephard
Whitney is an attorney in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. She represents clients facing state and federal regulatory investigations and enforcement actions, as well as related civil litigation.
Trey Smith
Trey is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement practice. His experience includes serving as a summer associate at the firm in 2021.
Daniel Waltz
An experienced litigator, Daniel advises and represents regional, national and international companies, financial institutions and insurers in all facets of business, complex commercial and insurance coverage litigation. He is committed to working with his clients to find creative solutions to meet their needs.
Stephanie Kozol
Stephanie is Troutman Pepper’s senior government relations manager in the state attorneys general department.