I've done several CCPA data requests. You get very detailed data (the actual data).
Some companies do not comply with the law, however-- the penalties are a slap on the wrist. Enforcement is only from the California Attorney General's office and the California Privacy Protection Agency (no individual action is possible unless your data was released in a breach where you can demonstrate negligence). Enforcement and penalties are the main place where the CCPA / CPRA is _much_ weaker than the GDPR.
Agreed - why don't they focus on enforcement or open up small claims?
It seems so obviously the best way to use government funds in a way only government can. What is preventing them from passing changes that make more aggressive enforcement possible?
To have a material impact on the violators, we need the ambulance-chaser lawyer equivalents for class action lawsuits to see $$$. The individual victim will receive less than in a successful small claims suit, but a few $K paid out to sufficiently motivated individuals in small claims is effectively $0 to these companies. A few class action awards of millions to 10s of millions each will at least show up on their balance sheets. I suspect it will still not be enough (we will soon know, since other states' recently passed privacy laws provide for private action).
What we really need to do is outlaw data collection and "sharing". If the service being provided does not require the company to know e.g., your location data (and has not received an explicit opt-in [for that single specific data type to be collected] that auto-expires in n months), there should be massive GDPR-style fines if the company is found to have collected location data. Unlikely to happen (in the US) as authoritarians in law enforcement and their supporters love to use private companies to do an end-run around 4th Amendment protections that would make the data they are buying illegal if they had collected it themselves.
I'd love to hear someone with expertise in the law opine on whether a pro-privacy DA could use existing laws like anti-stalking laws to prosecute these companies and their execs-- I'm thinking of the way RICO laws have been used so creatively over the last few decades.
My understanding is that a lot of companies choose to make the response GDPR-compliant rather than bothering with a separate process for the CCPA (there are other similar laws in other jurisdictions too so just having one process compliant with the most onerous set of rules can be appealing), but they don't actually have to if they don't want.
It is worse than providing a slightly non-compliant response in an (illegal) attempt to streamline their efforts. E.g., my first CCPA request to LexisNexis resulted in nothing. I had to contact their legal department to get them to comply. Their process works now.
A lot of companies that do comply do so obviously begrudgingly. E.g., they will make you repeatedly fill out a long web form for each right you wish to exercise under the CCPA, instead of allowing you to just enter e.g., your identifying information once and check off each right you wish to exercise. It is malicious compliance.
SiriusXM's CCPA web form, in addition to malicious design, was broken-- it simply did not work, and the number they listed to call _for CCPA requests_ turned out to be a general support number where none of the Indian call center folks even knew what a CCPA request was*.
*The SiriusXM account was created by the dealer when purchasing a new car, against my explicit request for them to not register me for any of the introductory "free" accounts listed as perks for the vehicle. SiriusXM (among other things) collects and sells your GPS location data-- a streaming service has no legitimate reason to collect your GPS location. I suspect they also pay dealerships a commission for signups, as the dealer had to go to extra effort to ignore my request.