Takeaways from the Latest CCPA Enforcement Summary

It’s been just over a year since the last major report on enforcement of the California Consumer Privacy Act (CCPA), but it’s clear that state officials have been busy. California Attorney General Rob Bonta recently released an updated list of enforcement case examples, along with the major announcement that makeup retailer Sephora had agreed to a $1.2 million settlement with the state for CCPA violations.

Here are some of the key takeaways from the new report.

Deep Linking

There are multiple instances where a failure to provide “deep links” (i.e., links to specific sections of a privacy policy and not just the top of the page) are flagged as potential CCPA violations. This is in keeping with the general CCPA philosophy that privacy disclosures should be accessible and easy to read.

Disclosure of Financial Incentives

Rewards programs and the accompanying disclosures of financial incentives continue to be a focus of enforcement. The case examples stress the need to obtain consumers’ consent prior to enrolling them in a program where they provide personal information in exchange for a financial incentive, and also to disclose the material terms of the program. The meaning of “material terms” has been clarified to include how the business will use the data, such as for customer profiling or targeting promotional offers.

Providing Data in Exchange for Services

Under the CCPA, exchanging consumers’ personal data for “monetary or other valuable consideration” is considered a sale. While the monetary part is clear—trading data for money meets most people’s definition of a sale—what constitutes “other valuable consideration” is left vague (perhaps intentionally so). The latest enforcement examples make it clear that disclosing personal information “in exchange for services like advertising or analytics” is considered a sale. There is still room for interpretation as to what “in exchange for” means, but any free SaaS products that don’t offer service provider documentation are probably up for heightened scrutiny.

Exercising Consumer Rights

Allowing consumers to make privacy requests is an indispensable component of CCPA compliance, so it’s no surprise the authorities gave it plenty of attention. Among the alleged violations related to privacy requests were:

• Requiring consumers to accept the privacy policy before exercising their rights
• Confusing language, such as double negatives, that made it difficult for consumers to understand which options they were choosing
• Opt-out mechanisms that required too many steps
• Sending consumers to a “third-party trade association’s tool” to manage their advertising preferences instead of offering a direct opt-out
• Failing to train staff on how to respond to CCPA requests

Take the Uncertainty Out of CCPA Compliance

The latest report from the Attorney General proves that CCPA enforcement remains robust, but also shows just how complex compliance can be. Without in-house privacy experts or an expensive consulting firm to assist them, many businesses just put off compliance indefinitely.

TrueVault Polaris gives those businesses access to the expertise they need to handle data privacy compliance without the expense of a law firm or new hire. Through a guided software experience designed by attorneys, businesses can become CCPA compliant in as little as a few hours. With built-in automation, privacy-request workflows, and other customizable tools, Polaris also simplifies the task of staying compliant.

Contact our team to learn more and schedule a demo.