In July, the office of the attorney general of California marked the one-year anniversary of its enforcement of the California Consumer Privacy Act by issuing a press release to tout its “successful enforcement efforts.” Also well-publicized, in the same announcement, the office unveiled a new Consumer Privacy Tool to enable consumers to directly notify eligible businesses of perceived “Do Not Sell My Personal Information” link deficiencies. Although the press release teased four examples of notices to cure CCPA violations the office issued to unnamed companies, they also quietly published 27 enforcement overviews to highlight the curative actions taken in response to such letters.
No dates are included within the attorney general’s enforcement case examples, but as numerous companies found out at the time, the attorney general’s office began sending out notices of alleged noncompliance on the very first day of CCPA enforcement, July 1, 2020. That the CCPA allows businesses to fix curable violations “within 30 days after being notified of alleged noncompliance,” is a welcome allowance of the law and a luxury not afforded starting Jan. 1, 2023, with the effective date of the successor California Privacy Rights Act. What follows are 10 takeaways from the examples the office of the attorney general provided, which may serve as reminders for businesses in their internal planning and operational compliance considerations.
1. Privacy notices reign supreme. The most remarked upon area of alleged deficiency in the examples pertain to inadequate transparency. Most of the shortcomings were vanilla in nature, e.g., not providing notice of or methods for exercising the required CCPA consumer rights, or not explicitly stating whether the business had sold personal information in the past 12 months. However, the office included indications that it is evaluating privacy notices as more than a checkbox exercise, which is relevant in light of the CCPA requiring businesses to undertake notice updates at least once every 12 months.
In one instance, the office found even after a company’s initial update of its privacy notice following a notice letter, “the updated privacy policy was not easy to read or understandable to the average consumer, e.g., contained unnecessary legal jargon.” This prompted the business to receive a “second notice that the updated privacy policy did not comply with the CCPA regulations.” Accordingly, companies may benefit from a refreshed look at CCPA regulation Section 999.305(a) in relation to readability, which includes rules regarding screen size, foreign languages and disabilities access. The office’s example may also lead some companies to assess the readability of their policies through methods like Flesch Reading Ease scale calculators.
Another example acts a reminder for brick-and-mortar organizations that the CCPA applies to offline as well as online PI collection. In this case, an automotive company collected PI from consumers who test drove vehicles at the business without providing in-person notice. The office related that the business subsequently “implemented a notice at collection for (PI) received in connection with test drives, whether collected online or in-person.” As well, issues with confusing or missing instructions regarding authorized agents appear throughout the examples, along with the office’s implied takeaway that there is no notarization requirement for the use of authorized agents.
2. Don’t sleep on mobile. Despite the ubiquity of mobile devices in our lives, there has been a relative scarcity of headline-grabbing mobile enforcement actions emanating out of Europe and elsewhere. The CCPA regulations account for any doubt here with explicit requirements in relation to mobile applications, and the office of the attorney general of California does not wish for businesses or consumers to overlook this fact. In one example, it took a location data broker to task for directing consumers to their mobile device settings to effectuate their opt-out choices, such that part of that company’s updates included clarifying that adjusting mobile device settings would limit future tracking but not constitute a CCPA opt-out request.
3. The cure period may begin based on published reports. In an eye-opening admission, the office of the attorney general of California indicated that a publicly published report may be able to provide notice of a CCPA violation, thereby kicking off the 30-day cure period for a business. After a consumer advocacy group published a report about a data broker not offering a “Do Not Sell My Personal Information” link on its website, the attorney general’s office indicated somewhat ambiguously “(p)ublication of the report provided notice of CCPA non-compliance to the business, in addition to a notice provided by the Attorney General’s office.” Whether or not the coupling of the notice is required in order for the published report to provide notice, it is nonetheless evidence that public reports can provide inspiration for attorney general enforcement letters and likely also has implications for the new Consumer Privacy Tool, the generated email of which the office of the attorney general said “may trigger the 30-day period for the business to cure….” Businesses would be well-advised to not necessarily wait for a letter from the attorney general before attempting to fix alleged instances of CCPA noncompliance, however brought to their attention.
4. Everyone is fair game. A clear subtext of the office of the attorney general’s decision to list the industry for each enforcement case, however high-level, is that it is casting a wide net in relation to calling out violations and no in-scope business is immune. Examples of the companies receiving letters include a(n): email marketing service provider, social media network and app, children’s online event seller, online dating platform, ad tech intermediaries, a children’s toy distributor, classified ads platform, mass media and entertainment business, data brokers, online pet adoption platform, mobile games developer, electronics seller, ticket seller, digital agency, ed tech platform for schools and clothing retailer. The top listed industry? Grocery retailers, including a grocery chain that did not a provide a Notice of Financial Incentive for consumers participating in its loyalty program.
5. Beware of non-CCPA-specific targeted advertising opt-outs. In the early days of the CCPA, many companies took to citing self-regulatory industry interest-based advertising opt-out tools as their sole method for allowing opt-out to “sales” to third parties under the CCPA. The office of the attorney general of California does not agree with this approach, at least in the absence of a CCPA-specific framework, and notified at least two companies their failure to display a DNSMPI link coupled with basing its CCPA sale opt-outs on an unnamed third-party trade association’s tool amounted to alleged noncompliance.
6. Analytics cookies do not automatically equal business purpose/service provider exemptions. The attorney general’s office indicated, notwithstanding the CCPA’s “business purpose” definition includes “providing analytic services,” it does not view a business “exchang(ing) (PI) about users’ online activities with various third-party analytics providers” to necessarily equate to sharing with a service provider. This resulted in one social media platform choosing to “remove all third-party trackers from its app and website.
7. Global Privacy Control enforcement is active. The office released a case example to hit home on what has been alluded to all year via the then-outgoing attorney general’s tweet and subsequently updated FAQs — namely, that user-enabled browser signals sent using the Global Privacy Control standard represent a valid and enforceable request to opt out of sale under the CCPA. Additionally, the office has been sending letters to many other companies inquiring as to their GPC signal-honoring efforts.
8. The nuances required for CCPA forms and mechanisms. Do you get annoyed when a webform you wish to submit does not work? The California attorney general’s office does too, and it related this several times over regarding defective CCPA mechanisms. However, the office highlighted more implied nuanced areas too, such as calling out companies whose opt-out webforms did not include PI “that was exchanged for targeted advertising;” a media conglomerate that “required consumers to submit multiple, separate requests to opt-out of the sale of their (PI) on each website in its portfolio;” and clarifying clicking an “accept sharing” button when creating a new account is insufficient to establish blanket consent to sell PI. Failure to have clear descriptions of the opt-out process was also a common theme.
9. Tailor what is requested for verification. In what may amount to an implicit reminder for businesses to review CCPA regulation Section 999.323 regarding the rules for verifying consumer requests, the office pointed out as alleged noncompliance a data broker required “copies of government identification and a bill showing the consumer’s address” before honoring sale opt-out requests. The same business incorrectly required consumers to create an account as a precondition to submitting a consumer request. Another company incorrectly stated in its privacy notice that it could charge a fee for processing a consumer’s request to know, presumably with no reference to the CCPA’s “manifestly unfounded or excessive” request qualification.
10. Build those child opt-in mechanisms. Again showing the office’s attention to the mobile environment, a mobile app game maker that used software development toolkits from a third-party advertising platform was called out after making available the PI of its players — including minors aged 13 to 15 years old — without an opt-in mechanism for minors. Illustrating the indirect link to COPPA, after being notified of its alleged noncompliance, the game maker removed the ad software and added age-gating and parental verification features.
Conclusion
With the office of the attorney general of California’s enforcement warning examples now issued, it remains to be seen this year and next what formal enforcement actions may be around the corner. The examples at least offer some insight into the likely areas of emphasis and how the regulator is thinking about compliance, which proactive businesses can use to benchmark and recalibrate against as needed.
Photo by Matthew Hamilton on Unsplash