Just over one year ago, on July 1, 2020, the California attorney general began enforcing the California Consumer Privacy Act. To mark the one-year anniversary of enforcement actions, California Attorney General Rob Bonta provided an update on his office’s CCPA enforcement efforts over the past year (and published an accompanying press release).
As part of his update, the Office of the Attorney General released 27 examples of enforcement actions, which include descriptions of the alleged noncompliance and the steps businesses took in response. While the OAG cautioned that the examples do not include all the facts of the situation, the examples provide insight into the enforcement process and the AG’s current priorities.
Lastly, the AG announced the availability of a Consumer Privacy Interactive Tool, which aims to help consumers notify businesses that they may not be complying with the CCPA. The tool helps consumers generate a notice of noncompliance that the consumer can email directly to a business. The tool is currently limited to drafting notices to businesses that do not provide an easy-to-find “Do Not Sell My Personal Information” link on their websites or mobile apps but may be expanded to generate notices of other violations in the future.
Here are some of the key takeaways from the attorney general’s announcements:
1. The Office of the Attorney General is sending notices of noncompliance to businesses across industries
The 27 examples of enforcement actions revealed that the Office of the Attorney General is sending notices of noncompliance to businesses across various industries. Notices of noncompliance have been sent to businesses that operate primarily online, such as online platforms, email subscription platforms and online retailers, but also to businesses with a significant offline presence, including a grocery retailer, an automotive company and a distributor of children’s toys. The automotive company, for example, collected personal information from consumers who test drove vehicles, but it failed to provide a notice at or before collection, as required by §1798.100(b).
2. The Office of the Attorney General appears particularly focused on ensuring that privacy policies include the required disclosures, but the notices of noncompliance include a broad range of issues
A majority (14) of the 27 examples of enforcement actions included “Non-Compliant Privacy Policy” as an issue. Examples of deficiencies include omitting the required notices of the CCPA consumer rights (e.g., to know, delete), not stating whether the business had sold personal information, and leaving out information regarding the collection and use of consumer personal information.
Notably, in one example, a business revised its privacy policy to address deficiencies but received a second notice of noncompliance because “the updated privacy policy was not easy to read or understandable to the average consumer, e.g., contained unnecessary legal jargon.” The CCPA regulations require that privacy policies are “easy to read and understandable to consumers,” and that they should “use plain, straightforward language and avoid technical or legal jargon.” §999.308(a)(2).
The attorney general also appears focused on ensuring that consumers can easily opt out of the sale of their personal information. Seven examples specifically called out the lack of a clear and conspicuous (or any) “Do Not Sell My Personal Information” link or a noncompliant opt-out process. The examples made clear that the attorney general is taking the position that directing users to a third-party trade association’s tools designed to manage online advertising and/or directing users to their mobile device settings are not compliant approaches to meeting the requirement to allow consumers to opt out of the sale of their personal information.
The enforcement actions also show that the AG is enforcing some of the less-publicized aspects of the CCPA. For example, a business received a notice of noncompliance after failing to provide a “Notice of Financial Incentive” to consumers who were required to provide personal information to participate in a company’s loyalty program, as required by §1798.125(b)(2).
3. The Office of the Attorney General appears to be taking the position that the “30-day cure window” can be triggered by notice from a consumer or other third party; businesses should take notices of noncompliance from all sources seriously
The CCPA specifies that “[a] business shall be in violation of this title if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance.” §1798.155(b).
The AG’s press release suggested that an email from a consumer, including one generated by the AG’s new interactive tool that generates notices of noncompliance, can start the 30-day cure window (“This email [generated from the new, online tool] may trigger the 30-day period for the business to cure their violation of law.”). The examples of enforcement actions also appeared to take the position that a business was put on notice of an alleged violation when a consumer advocacy organization published a report describing potential noncompliance (“Publication of the report provided notice of CCPA non-compliance to the business, in addition to a notice provided by the Attorney General’s Office.”).
Given that consumers are increasingly aware of and utilizing their rights (the AG’s press release noted that some companies have reported receiving millions of consumer requests), businesses should prepare to receive an increasing number of notices of noncompliance directly from consumers and should investigate the merits of such notices when they receive them.