
CCPA Enforcement: Key Insights from One Year


Introduction

The California Consumer Privacy Act (CCPA) has been in effect since January 1, 2020 and enforcement started on July 1, 2020. Although a coalition of 60 organizations was calling to delay the enforcement of CCPA due to COVID, the Office of the Attorney General (OAG) began sending out notices of noncompliance on July 1, 2021.

On July 19, 2021, Attorney General Bonta released a CCPA enforcement update and provided a list of 27 examples of enforcement actions the OAG had taken.

The release reported that “upon receiving a notice of alleged violation, 75% of businesses acted to come into compliance within the 30-day statutory cure period. The remaining 25% of businesses that received a notice of alleged violation are either within the 30-day cure period or are under active investigation.”

Top Violations

Based on the sample provided by the OAG, we ranked the top violations below.

#1 Violation: Non-Compliant Privacy Policy

More than half of the examples provided by the OAG focused on noncompliant privacy policies. It is important to note that these notices of noncompliance took many forms. 

In one example, a business did not provide notice of the required CCPA consumer rights and did not explicitly state whether or not it had sold personal information or transferred personal information for a business purpose in the past 12 months. The business received a second violation because its updated privacy policy was “difficult to read” and contained “unnecessary legal jargon”. In response, the business significantly revised its privacy policy to address these concerns.

In several other examples, businesses posted privacy policies that did not provide notice of the required CCPA consumer rights. 

For more information on what’s needed in a CCPA privacy policy, view this blog.

#2 Violation: Lack of Request Methods

Six examples of enforcement actions out of the 27 were about processes surrounding Data Subject Access Requests (DSARs).

In one instance, a business that distributes children’s toys did not include the methods for consumers to exercise their CCPA rights to request to know and delete. The business also claimed in its privacy policy that it could charge a fee for processing a consumer’s request to know. After being notified of alleged noncompliance, the business updated its privacy policy to address these issues.

In another instance, an education technology company providing online learning platforms for schools, higher education, and businesses, had a non-compliant privacy policy because it did not provide notice of the required CCPA consumer rights and did not include the methods for consumers to exercise their CCPA rights to request to know and delete. The business also did not have the “Do Not Sell My Personal Information” link on its internet homepage. After being notified of alleged noncompliance, the business updated its privacy policy to address these areas and added the “Do Not Sell My Personal Information” link to its homepage.

#3 Violation: Sale of Personal Information

In one example, a business maintained third-party online trackers on its retail website that shared data with advertisers about consumers’ online shopping while neither imposing a service provider contractual relationship on these third parties nor processing consumers’ requests to opt-out that were submitted via a user-enabled global privacy control, e.g., a browser extension that signaled the GPC. After being notified of alleged noncompliance, the company worked with its privacy vendor to effectuate consumer opt-out requests and avoid sharing personal information with third parties under conditions that amounted to a sale in violation of the CCPA.
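The opt-out mechanism in that example is worth seeing in code. The following is an added example (not code from the original post or from WireWheel) showing how a site can honor a Global Privacy Control signal before emitting third-party advertising tags. Per the GPC specification, a participating browser sends the request header `Sec-GPC: 1` and exposes `navigator.globalPrivacyControl` to page scripts; everything else here (the helper names `gpcOptOut`, `trackerPolicy` and `clientOptOut`, and the sample requests) is this example's own construction.

```javascript
// Added example: honoring a Global Privacy Control (GPC) opt-out signal
// before loading third-party advertising trackers. Header and property
// names come from the GPC specification; the helpers are hypothetical.

// Returns true when the request carries a valid GPC opt-out signal.
// The spec defines only the value "1"; anything else is treated as no signal.
function gpcOptOut(headers) {
  // HTTP header names are case-insensitive, so normalise before lookup.
  const normalised = {};
  for (const [name, value] of Object.entries(headers || {})) {
    normalised[name.toLowerCase()] = String(value).trim();
  }
  return normalised['sec-gpc'] === '1';
}

// Tracker policy for a page render: third-party advertising tags that would
// "sell" or "share" personal information are emitted only when no opt-out
// applies, whether from GPC or from an explicit per-site preference (such as
// a "Do Not Sell My Personal Information" webform). Tags operated by a
// contracted service provider (e.g. first-party analytics) remain allowed.
function trackerPolicy({ headers, siteOptOut = false }) {
  const viaGpc = gpcOptOut(headers);
  const optedOut = viaGpc || siteOptOut;
  return {
    optedOut,
    allowThirdPartyAdTrackers: !optedOut,
    allowServiceProviderTags: true,
    // Which signal drove the decision; useful for audit logging of opt-outs.
    reason: viaGpc ? 'gpc' : siteOptOut ? 'site-preference' : 'none',
  };
}

// Client-side equivalent: the same check can run in the page before ad tags
// are injected, using the property the GPC spec exposes on navigator.
function clientOptOut(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed sample requests (not real traffic) exercising the three cases.
const sampleRequests = [
  { name: 'gpc-enabled browser', headers: { 'Sec-GPC': '1', 'User-Agent': 'ExampleBrowser/1.0' } },
  { name: 'no signal', headers: { 'User-Agent': 'ExampleBrowser/1.0' } },
  { name: 'malformed value', headers: { 'sec-gpc': 'true' } },
];

for (const r of sampleRequests) {
  console.log(r.name, trackerPolicy({ headers: r.headers }));
}
```

The design point is that the decision is made once, server-side, before any third-party script tag reaches the HTML; checking `navigator.globalPrivacyControl` only after the trackers have already fired would not satisfy the opt-out described above.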

In a different case, a business’s disclosures regarding its sale of data were confusing, and the business did not appear to provide a mechanism for consumers to opt out of the sale of their personal information. The business also made consumers take additional steps to opt out by directing them to a third-party trade association’s tool designed to manage online advertising. After being notified of alleged noncompliance, the business added a “Do Not Sell My Personal Information” link and updated its opt-out webform so that consumers could fully opt out of the sale of personal information, including personal information that was exchanged for targeted advertising.

To access the full list of examples, simply visit this page. 

Key insights

While many insights could be drawn from these examples, we listed our 3 key takeaways.

First, the CCPA enforcement is not targeting any specific industry. While a large number of enforcement actions were targeting online businesses and data-driven organizations, other industries such as Automotive, Grocery Retail, Consumer Electronics or Children’s Toys Distribution were also on the list. 

Second, updating your privacy policy to cover key CCPA requirements should be the first step in showing the regulator that your organization covers the basics, which are:

  • Include the CCPA notice in your privacy policy 
  • Disclose information about the use, collection, and sale of data 
  • Present the CCPA DSAR methods 
  • Provide consumers adequate information regarding opt-outs in your privacy policy
  • Explicitly state whether your business has sold or transferred any PI in the past 12 months 
  • Provide instructions in your privacy policy for authorized agents to submit DSAR 
  • Clarify obligations as a service provider vs business (if applicable)
  • Make sure your privacy policy is easy to read and understandable to the average consumer 

Finally, you will want to think about managing your privacy request flow end-to-end. Out of the 27 examples, 13 enforcement actions covered either the failure to publish an adequate “Do Not Sell My Personal Information” link or the failure to manage the DSAR process. Check our complete DSAR guide, which can help you understand the key challenges in the DSAR process and the solutions you could implement.

Conclusion

With the recent nomination of Ashkan Soltani to lead the California Privacy Protection Agency, enforcement is not only here to stay but is likely to increase as the agency starts building its team and resources. “I am eager to get to work to help build the agency’s team and begin doing the work required by the CCPA and the CPRA,” said Soltani.

The CPRA regulation has a one-year lookback period, meaning your business should be ready by January 1, 2022. Are you ready to comply with CPRA?

Future proof your privacy program with WireWheel’s Trust Access and Consent Center and WireWheel’s Privacy Operations Manager.
