The California Consumer Privacy Act (CCPA) officially became enforceable on July 1, 2020, and according to the California Attorney General, actual enforcement began on that very same day. Just over a year later, the Office of the Attorney General (OAG) has recently released a list of examples of the enforcement actions it has taken against businesses and how they were resolved.
The report reveals that CCPA enforcement has been surprisingly aggressive. The OAG thoroughly investigated the businesses’ privacy practices and even their contracts. It also indicated that many cases came to its attention as a result of consumer complaints.
None of the businesses in these examples were fined for their alleged violations, but that’s because they were all able to take advantage of the current law’s mandatory 30-day cure period to fix any issues. That changes on January 1, 2023, when the California Privacy Rights Act (CPRA) goes into effect. At that point, the newly created California Privacy Protection Agency (CPPA) may give businesses time to cure their violations, but is not required to do so.
Reviewing the OAG’s list of examples, we’ve identified the major issues that seem to trigger enforcement of the privacy law.
It comes as no surprise that businesses that had taken no steps to become CCPA compliant were commonly targeted for enforcement. A large part of compliance involves posting notices and links where anyone can see them, so a state official can easily check whether the required information is available on a business’s website, mobile app, or brick-and-mortar store. There are several examples in the report of businesses that failed to post their data-privacy practices, inform California residents of their privacy rights, and include a “do not sell my personal information” link where it was required.
Privacy notices must be written in “plain, straightforward language and avoid technical or legal jargon.” The OAG has taken this requirement seriously and considers the use of confusing language to be a violation of the CCPA. One business received a first cure notice for its lack of a CCPA-compliant privacy policy, only to then receive a second cure notice because the updated policy was “not easy to read or understandable to the average consumer, e.g., contained unnecessary legal jargon.”
The OAG paid particular attention to businesses that had not posted a “Do Not Sell My Personal Information” link on their homepage or app. In many cases, the state determined that these businesses were engaging in activities that are considered to be selling personal information under the CCPA, and had failed to make any of the required disclosures or offer an opt-out mechanism. In other examples, however, where the business was not selling personal information, the OAG still sent a cure notice because the business had failed to clearly state this fact in its privacy notice.
A more surprising area of CCPA enforcement so far is the emphasis on service providers. Disclosing personal information to a service provider is not considered a sale, as long as the service provider’s contract prohibits it from retaining, using, or disclosing personal information for any purpose other than providing its service. Where service providers only process information on behalf of a business, they do not have the same CCPA obligations as businesses. In some cases, the OAG alleged that the contracts involved did not contain the necessary privacy assurances, so the service providers had to update their contracts or else be treated as a business. In another case, a company was alleged to be operating as a service provider in some contexts, and a business in others; it was therefore required to become CCPA compliant in those areas where it acted as a business. One business was required to update its contracts with its service providers or else potentially be required to treat all those disclosures as selling personal information.
There still seems to exist a gray area in the CCPA: Do all disclosures of personal information to third parties (i.e., not service providers) constitute “selling,” or is there a middle ground where a third party receives personal information but it’s not considered a sale? The examples provided by the OAG do not clarify this issue, but do indicate the state has at least staked out an aggressive position on what is considered a sale of personal information.
Making Californians aware of their CCPA rights and responding to consumer requests are major components of compliance. Several businesses in the report received cure notices because their processes for handling privacy requests had serious flaws. For example, one business was alleged not to have been responding to requests in a timely manner, and not to have been sending consumers any confirmation that their requests had been received.
Because giving consumers control over the sale of their personal information is a big part of the CCPA, the OAG gave a lot of attention to opt-out requests in particular. Problems included:
Websites and mobile apps may be the most common places to collect personal information, but the CCPA applies to in-person collection as well. One business, an automotive company, collected personal information from consumers who took vehicles out for test drives, but failed to make the required disclosures when it did so. After receiving a cure notice, the business implemented a system for providing notice at collection, and made a toll-free number available for processing privacy requests.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.