On July 1st, the States of California, Colorado and Connecticut had their respective data privacy laws become eligible for enforcement. In the weeks since we’ve already seen two of these States send out letters requesting information and warning that enforcement is beginning.
California
This year on January 1st, 2023, the employee data exemption for the California Privacy Protection Act (CCPA) expired. In light of this – the California Attorney General has sent letters to a number of letters to large California employers requesting information on how the companies comply with the law regarding handling of employee and job applicant data. It is very possible that enforcement action will result from this sweep – as California no longer has a cure period.
It should be noted that the California AG actively does enforcement sweeps of the CCPA. This was how Sephora was caught, and how mobile application developers came under investigation earlier this year.
Colorado
Meanwhile over in the Centennial State, employers in Colorado started to receive letters from the Colorado Attorney General educating companies on their new legal obligations. The AG was quick to warn that should they become aware of organizations (Colorado’s Act also applies to non-profits) they would be prepared to act for enforcement.
The letters will focus on obligations around collection and use of sensitive data, particularity around consent. Additionally in focus is the ability to allow consumers to opt-out of targeted advertising and profiling. Currently Colorado does have a cure period prior to enforcement, but this will sunset in the future.
Next Steps
Both of these States have issued press releases and effectively warned that enforcement is on the table going forward. Companies subject to either law should be aware that enforcement sweeps are a possibility and be prepared to respond quickly to any request for information. In the short term, ensuring your documentation is in order is likely a prudent course of action as timelines to respond may be shorter than expected, and effort to generate the documentation may be far larger then anticipated should it not already exist.