California Attorney General Xavier Becerra has already sent warning notices to online companies over alleged violations of the state's new privacy law, a state official said Thursday.
Companies that receive the notices will have 30 days to come into compliance, or risk lawsuits by the state.
The California Consumer Privacy Act gives state residents the right to learn what information has been collected about them by companies, have that information deleted, and prevent the sale of that data to third parties.
The measure went into effect in January, but wasn't enforceable until July 1.
Among other provisions, the law requires online businesses to place a “do not sell” button on their websites, if the businesses sell consumer data.
“The initial swath of letters looked at businesses that all operated online, and had to come into compliance with respect to statements or mechanisms that they had to make available,” California deputy attorney general Stacey Schesser said Thursday at an International Association of Privacy Professionals event.
She added that businesses that sell consumers' information, but don't have a “do not sell” link, “should make sure to cure that as quickly as possible.”
The names of warning recipients haven't been made public. But Schesser said the authorities looked at consumer complaints, including complaints made publicly on Twitter, when deciding which businesses to warn.
The Association of National Advertisers heard that some of its members received warnings, according to Dan Jaffe, ANA group executive vice president for government relations.
The CCPA regulations haven't yet been finalized, so Becerra's office can't yet enforce those -- including a proposed regulation that would require companies to honor browser-based “do-not-sell” commands.
Instead, enforcement for now is limited to text of the bill. But the think tank Future of Privacy Forum suggests that the line between the regulations and the text of the bill is sometimes blurry.
“It would be wise for companies to carefully review the proposed regulations,” the Future of Privacy Forum writes. “Although in some cases the draft regulations appear to create new obligations or restrictions that do not exist in the text of the CCPA ... in many cases the regulations are intended to clarify existing law.”