CCPA Enforcement in Its First Year
The California Consumer Privacy Act (CCPA) officially became enforceable on July 1, 2020, and according to the California Attorney General, actual enforcement began on that very same day. Just over a year later, the Office of the Attorney General (OAG) has recently released a list of examples of the enforcement actions it has taken against businesses and how they were resolved.
The report reveals that CCPA enforcement has been surprisingly aggressive. The OAG thoroughly investigated the businesses’ privacy practices and even their contracts. It also indicated that many cases came to its attention as a result of consumer complaints.
None of the businesses in these examples were fined for their alleged violations, but that’s because they were all able to take advantage of the current law’s mandatory 30-day cure period to fix any issues. That changes on January 1, 2023, when the California Privacy Rights Act (CPRA) goes into effect. At that point, the newly created California Privacy Protection Agency (CPPA) may give businesses time to cure their violations, but is not required to do so.
Reviewing the OAG’s list of examples, we’ve identified the major issues that seem to trigger enforcement of the privacy law.
It comes as no surprise that businesses that had taken no steps to become CCPA compliant were commonly targeted for enforcement. A large part of compliance involves posting notices and links where anyone can see them, so a state official can easily check to see if the required information is available on a business’s website, mobile app, or brick-and-mortar store. There are several examples in the report of businesses that failed to post their data-privacy practices, inform California residents of their privacy rights, and include a “do not sell my personal information” link where it was required.
“Do Not Sell” Links
The OAG paid particular attention to businesses that had not posted a “Do Not Sell My Personal Information” link on their homepage or app. In many cases, the state determined that these businesses were engaging in activities that are considered to be selling personal information under the CCPA, and had failed to make any of the required disclosures or offer an opt-out mechanism. In other examples, however, where the business was not selling personal information, the OAG still sent a cure notice because the business had failed to clearly state this fact in its privacy notice.
A more surprising area of CCPA enforcement so far is the emphasis on service providers. Disclosing personal information to a service provider is not considered a sale, as long as the service provider’s contract prohibits it from retaining, using, or disclosing personal information for any purpose other than providing its service. Where service providers only process information on behalf of a business, they do not have the same CCPA obligations as businesses. In some cases, the OAG alleged that the contracts involved did not contain the necessary privacy assurances, so the service providers had to update their contracts or else be treated as a business. In another case, a company was alleged to be operating as a service provider in some contexts, and a business in others; it was therefore required to become CCPA compliant in those areas where it acted as a business. One business was required to update its contracts with its service providers or else potentially be required to treat all those disclosures as selling personal information.
There still seems to exist a gray area in the CCPA: Do all disclosures of personal information to third parties (i.e., not service providers) constitute “selling,” or is there a middle ground where a third party receives personal information but it’s not considered a sale? The examples provided by the OAG do not clarify this issue, but do indicate the state has at least staked out an aggressive position on what is considered a sale of personal information.
Inadequate Privacy Request Processes
Making Californians aware of their CCPA rights and responding to consumer requests are major components of compliance. Several businesses in the report received cure notices because their processes for handling privacy requests had serious flaws. For example, one business was alleged to not have been responding to requests in a timely manner, and also not sending any confirmation to consumers that their request had been received.
Because giving consumers control over the sale of their personal information is a big part of the CCPA, the OAG gave a lot of attention to opt-out requests in particular. Problems included:
Requiring verification of the consumer’s identity before processing the request, even though verification is not required for opt-outs
Directing consumers to a “third-party trade association’s tool to manage advertising” (possibly referring to the Digital Advertising Alliance) rather than providing its own opt-out process
Forcing consumers to opt out separately at multiple websites owned by the same business
Not clearly communicating whether a tool such as a web form would opt the consumer out of all sales
Suggesting that changing an app’s privacy settings would effectuate an opt-out, even though it did not
Failing to get affirmative consent before selling the personal information of consumers between the ages of 13-15
Where allowing the sale of personal data was a precondition for taking part in a customer loyalty program, failing to provide a notice of financial incentive
Not processing a consumer request to opt out submitted via a global privacy control (GPC)
In-Person Collection of Personal Information
Websites and mobile apps may be the most common places to collect personal information, but the CCPA applies to in-person collection as well. One business, an automotive company, collected personal information from consumers who took vehicles out for test drives, but failed to make the required disclosures when it did so. After receiving a cure notice, the business implemented a system for providing notice at collection, and made a toll-free number available for processing privacy requests.
A Simpler Path to CCPA Compliance
One message from the Attorney General’s report is clear: CCPA enforcement will be robust. As the initial breaking-in period comes to a close and the CPPA takes over in its dedicated regulator role, the most likely scenario is that enforcement will pick up in pace and the state will start handing out hefty fines. Businesses that have held off on implementing CCPA compliance should take notice.
Getting compliant can be a complex task, one that may take an in-house employee or team off their regular duties for months. Hiring consultants or a law firm, on the other hand, comes with a price tag that starts in the tens of thousands of dollars. TrueVault Polaris provides an alternative. As a compliance automation tool, it provides expert guidance to your in-house team, helping them make your operation CCPA compliant in less time and at a lower cost. Contact our team to learn more.