A year into the enforcement of the California Consumer Privacy Act (CCPA), the state’s Office of Attorney General (OAG) has focused its attention on inadequate notices about consumer rights, compliance with “do not sell my personal information” requests, and missing provisions in contracts with service providers.
No public fines have yet been levied, and, according to Attorney General Rob Bonta, 75 percent of its complaints have been cured — including about 30 examples listed on the OAG’s website. This list includes unnamed companies in nearly every industry, from social media, dating, entertainment, and data brokers to grocery retailers and car sellers.
One of the most recent developments is the OAG’s determination that businesses honor global privacy controls (GPC), which enable users to signal through a browser extension that they want to opt-out of the sale of their information when visiting a website. For example, a consumer electronics company recently changed its practices after the OAG notified the company that it was not honoring a GPC and was sharing consumer data with third-party advertisers using trackers on its website.
Below are five insights into the Attorney General’s enforcement of the CCPA:
1. PROVIDING CONSUMERS WITH A NOTICE OF RIGHTS
Under the CCPA, companies must inform California customers about the information they collect, consumer rights, and how to exercise those rights—including the right to know, the right to delete, and the right to opt-out of the sale of personal information, among other things.
2. MAINTAINING FUNCTIONAL “DO NOT SELL MY PERSONAL INFORMATION” LINKS
Another actively enforced area of the CCPA is the required “do not sell my personal information” link that must be displayed for customers who wish to opt-out of the sale of their information. The OAG has questioned companies about missing links even when they do not sell personal information but failed to explicitly state that on their website, as required by the CCPA.
The non-compliance included completely missing links or links that did not work, forms that were not clear, and companies that did not include a “Do Not Sell My Personal Information” link on each of their different websites. For example, in two cases, the OAG suggested that companies could not avoid the requirement to post a Do Not Sell link by simply directing customers to a third-party trade association tool that manages online advertising. The OAG also called out a media conglomerate for not allowing customers to use a central portal to opt-out of all of the media company’s properties.
The OAG’s discussion of “Do Not Sell My Personal Information” links also offers insight into the OAG’s broad interpretation of the definition of “sale,” which is defined in the statute as communicating a consumer’s personal information to another business or third party “for monetary or other valuable consideration.” In the summaries, the AG described the following as sales:
- When a “business also exchanged personal information about users’ online activities with various third-party analytics providers”
- When “personal information . . . was exchanged for targeted advertising”
- When a business “maintained third-party online trackers on its retail website that shared data with advertisers about consumers’ online shopping”
3. TIMELY ANSWERS TO CONSUMER REQUESTS
The case summaries also highlight the need for businesses to timely respond to consumer requests and to not make the process overly onerous. In general, a business must fully respond to a request to know or delete within 45 days and a request to opt-out as soon as feasibly possible but no later than 15 business days after the business receives the request . Consumers are also allowed to make requests to know and delete through authorized agents and businesses can’t charge a fee or generally require a notarized affidavit to verify identity.
The OAG sent letters of non-compliance to one company for not timely acknowledging and responding to CCPA requests, another for requiring authorized agents to submit a notarized verification, and one more for claiming that it could charge money for consumer requests.
4. CONTRACTING IN LIMITS FOR SERVICE PROVIDERS
A number of the OAG’s examples make clear that companies should not overlook the details of their contractual relationships with service providers. In general, a business can transfer data to a service provider without triggering the CCPA’s sales requirements so long as appropriate limits are placed on the service provider’s re-use of the data.
In one case, a social media company was prompted to add CCPA-specific addendums to its contracts after the OAG found that the existing contracts did not properly limit the service provider’s additional use and disclosure of personal information obtained from the social media company. In another case, the OAG clarified that an ad network that normally acted as a service provider could also be considered a business in other contexts—triggering the need to comply with the full slate of consumer rights.
5. ACCURATELY CALCULATING THE CURE PERIOD
The OAG and companies appear to have taken full advantage of the 30-day cure period built into the CCPA, but it is a reminder that the clock can start even before the OAG reaches out. A violation of the CCPA can only happen if a business fails to cure an alleged violation within 30 days “after being notified” (that period will be discretionary when the California Privacy Rights Act takes effect in 2023).
In one case, the OAG interpreted the cure period to start when a consumer advocacy organization published a report that highlighted a company’s deficient “Do Not Sell My Personal Information” link. And the OAG created a tool in July 2021 that allows consumers to send their own complaints directly to businesses, noting “the notice you send may satisfy the prerequisite.” As of July 17, this tool is limited to drafting notices to businesses that do not post an easy-to-find “Do Not Sell My Personal Information” link on their website. But this tool may be updated to address additional CCPA violations.