Not since the disappearance of Amelia Earhart, have people wondered more. Which companies were the early targets of the California Attorney General’s enforcement of the California Consumer Privacy Act (“CCPA”) and on what basis? This week, we got a partial answer.
On July 19, the California Attorney General released an enforcement report and launched a new interactive tool through which consumers can draft a “non-compliance” notice to companies that allegedly lack a “Do Not Sell My Personal Information” link on their websites or mobile apps. Based on the CCPA enforcement actions reported, continuing your company's efforts to comply with the CCPA, no matter your industry, will be important in the coming months.
The good news is that most companies receiving violation notices are successfully curing their alleged CCPA violations. The Attorney General’s Office reported that in the first year of enforcement, 75% of the companies that received CCPA non-compliance notices cured the alleged violation, while the remaining 25% are still within the 30-day cure period or are under continuing investigation. The California Attorney General did not give details regarding each non-compliance notice and did not provide a total number of enforcement actions taken. However, he did provide 27 examples of instances in which his Office sent non-compliance notices and the company cured the alleged violations.
The 27 enforcement examples released by the California Attorney General show that early CCPA enforcement targeted a variety of industries on a number of different aspects of CCPA non-compliance. Recipients of non-compliance notices included an online dating company that allegedly sold personal information and lacked a “Do Not Sell My Personal Information” (“DNSMPI”) link, a grocery chain which allegedly did not provide a notice of financial incentive to consumers participating in a loyalty program, and an automotive company that allegedly collected information from consumers who test drove vehicles without providing a notice at collection. Other industries targeted included children’s toys, email marketing, social media, online event planning, education technology, advertising technology, online classified ads, media, pet, data broker, manufacturing, retail, video game, and clothing.
Of the more than a dozen CCPA issues represented in the 27 enforcement examples, the majority centered on the adequacy of a company’s privacy policy, such as whether consumers were provided methods to exercise CCPA rights such as the right to know and delete, whether a list of categories of personal information was disclosed, and whether a statement affirming or disclosing if a company sold personal information in the last 12 months was included. The enforcement examples also touch on consumers’ ability to exercise CCPA rights without barriers. The California Attorney General instructed companies to remove a requirement to provide notarized verification as part of the rights request process, to cease charging a fee for processing CCPA requests to know, to remove verification requirements in connection with requests not to sell personal information, and to revise policies to ensure the average consumer understands the text.
The report also highlights the use of cookies, pixels, and other trackers on websites and mobile apps and clarifies the requirement in connection with many cookies and trackers for website or mobile app operators to: enter data processing agreements with cookie/tracker providers, provide DNSMPI rights in connection with cookies/trackers, or remove cookies and other trackers from their websites and mobile apps.
To further ease consumer burdens in making CCPA requests and reports, the California Attorney General created the Consumer Privacy Interactive Tool, a tool that helps consumers draft a non-compliance notice to send to companies. This tool asks consumers guided questions based on the CCPA and then generates a notice for consumers to send to an allegedly non-compliant company. The California Attorney General will have access to the violations reported through the tool and may take action based on them. So far, the tool is limited to complaining about failure to post a DNSMPI link but may include other CCPA violations in the future. With the launch of this tool, companies which are not required to have a DNSMPI link will likely receive an increase in unwarranted consumer complaints regarding the CCPA.
The California Attorney General’s enforcement update solves some of the mysteries of CCPA enforcement, but questions remain. The outcome for the 25% of companies that are still within the 30-day cure period or are involved in an on going investigation is unclear, as the California Attorney General’s Office may sue some of these companies. Another consideration is that the California Attorney General will eventually share CCPA enforcement responsibility with the newly established California Privacy Protection Agency (“CPPA”). The CPPA will administratively enforce the California Privacy Rights Act and the CCPA, while the California Attorney General will retain civil enforcement authority over these statutes. Thus, while the California Attorney General’s first-year update is helpful, the update may not be instructive once the CPPA assumes administrative enforcement power in July 2023.
With CCPA enforcement underway and a non-compliance notice tool available to consumers, companies should remain vigilant in seeking to comply with the CCPA. Your Dorsey privacy counsel is available to assist in proactive CCPA compliance steps and in responding to consumer requests and CCPA enforcement notices.