CCPA Enforcement: Key Insights from One Year
The California Consumer Privacy Act (CCPA) has been in effect since January 1, 2020 and enforcement started on July 1, 2020. Although a coalition of 60 organizations was calling to delay the enforcement of CCPA due to COVID, the Office of the Attorney General (OAG) began sending out notices of noncompliance on July 1, 2021.
On July 19, 2021, Attorney General Bonta released a CCPA enforcement update and provided a list of 27 examples of enforcement actions the OAG had taken.
The release reported that “upon receiving a notice of alleged violation, 75% of businesses acted to come into compliance within the 30-day statutory cure period. The remaining 25% of businesses that received a notice of alleged violation are either within the 30-day cure period or are under active investigation.”
Based on the sample provided by the OAG, we ranked the top violations below.
#1 Violation: Noncompliant Privacy Policies
More than half of the examples provided by the OAG focused on noncompliant privacy policies. It is important to note that these notices of noncompliance took many forms.
In several other examples, businesses posted privacy policies that did not provide notice of the required CCPA consumer rights.
#2 Violation: Lack of Request Methods
Six of the 27 enforcement examples concerned the processes surrounding Data Subject Access Requests (DSARs).
#3 Violation: Sale of Personal Information
In one example, a business maintained third-party online trackers on its retail website that shared data with advertisers about consumers’ online shopping while neither imposing a service provider contractual relationship on these third parties nor processing consumers’ requests to opt-out that were submitted via a user-enabled global privacy control, e.g., a browser extension that signaled the GPC. After being notified of alleged noncompliance, the company worked with its privacy vendor to effectuate consumer opt-out requests and avoid sharing personal information with third parties under conditions that amounted to a sale in violation of the CCPA.
In a different case, a business’s disclosures regarding its sale of data were also confusing, and the business did not appear to provide a mechanism for consumers to opt out of the sale of their personal information. The business also made consumers take additional steps to opt out by directing them to a third-party trade association’s tool designed to manage online advertising. After being notified of alleged noncompliance, the business added a “Do Not Sell My Personal Information” link and updated its opt-out webform so that consumers could fully opt out of the sale of personal information, including personal information that was exchanged for targeted advertising.
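The two cases above turn on the same control: a tracker that shares shopping data with advertisers must not load once the consumer has opted out, whether through the “Do Not Sell” webform or through a Global Privacy Control signal. The following is an added example, not code from the original post or from any vendor named in it; it assumes the GPC signal is exposed as `navigator.globalPrivacyControl` in the browser and as a `Sec-GPC: 1` request header on the server, and that each third-party tag carries a hypothetical `isSale` flag recording whether the data flow is a sale (no service-provider contract in place).

```javascript
// Added example: gate third-party tags on the consumer's CCPA opt-out status.
// Assumed inputs: a navigator-like object (browser), a header map (server),
// a stored "Do Not Sell" choice, and a list of tags with a constructed isSale flag.

// Client side: the GPC spec exposes the signal as navigator.globalPrivacyControl.
function gpcSignalled(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Server side: the same signal arrives as the "Sec-GPC: 1" request header.
// Header names are matched case-insensitively, as HTTP requires.
function gpcHeaderSignalled(headers) {
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(headers[name]).trim() === '1';
    }
  }
  return false;
}

// A consumer is opted out if they used the "Do Not Sell" form (stored choice)
// OR their browser sends GPC. Both must be honoured; neither may be ignored
// in favour of redirecting the consumer to a third-party advertising tool.
function isOptedOut(nav, storedOptOut) {
  return storedOptOut === true || gpcSignalled(nav);
}

// Return only the tags that may load. Tags whose data flow is a sale are
// suppressed for opted-out consumers; tags bound by a service-provider
// contract are not a sale under the CCPA and may still load.
function selectTrackers(tags, nav, storedOptOut) {
  const optedOut = isOptedOut(nav, storedOptOut);
  return tags.filter((tag) => !(optedOut && tag.isSale === true));
}

// Constructed sample tag list for a retail site.
const SAMPLE_TAGS = [
  { name: 'ad-network-pixel', isSale: true },      // shares with advertisers, no contract
  { name: 'analytics-service-provider', isSale: false }, // contractually restricted
];
```

Wire `selectTrackers(SAMPLE_TAGS, navigator, storedChoice)` into the tag loader so the filtered list is the only set of scripts ever injected into the page.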
To access the full list of examples, simply visit this page.
While many insights could be drawn from these examples, we list our three key takeaways below.
First, CCPA enforcement is not targeting any specific industry. While a large number of enforcement actions targeted online businesses and data-driven organizations, other industries such as Automotive, Grocery Retail, Consumer Electronics and Children’s Toys Distribution were also on the list.
Second, review your privacy policy. At a minimum, it should:
- Disclose information about the use, collection, and sale of data
- Present the CCPA DSAR methods
- Explicitly state whether your business has sold or transferred any personal information (PI) in the past 12 months
- Clarify your obligations as a service provider vs. a business (if applicable)
Finally, you will want to think about managing your privacy request flow end-to-end. Out of the 27 examples, 13 enforcement actions covered either the failure to publish an adequate “Do Not Sell My Personal Information” link or the failure to manage the DSAR process. Check our complete DSAR guide, which can help you understand the key challenges in the DSAR process and the solutions you could implement.
With the recent nomination of Ashkan Soltani to lead the California Privacy Protection Agency, enforcement is not only here to stay but is likely to increase as the agency starts building its team and resources. “I am eager to get to work to help build the agency’s team and begin doing the work required by the CCPA and the CPRA,” said Soltani.
The CPRA regulation has a one-year lookback period, meaning your business should be ready by January 1, 2022. Are you ready to comply with CPRA?