July 24, 2024
Takeaways from the Latest CCPA Enforcement Summary
It's been a year since the last CCPA enforcement update from the California Attorney General's office, but this new report shows they've been busy.

It’s been just over a year since the last major report on enforcement of the California Consumer Privacy Act (CCPA), but it’s clear that state officials have been busy. California Attorney General Rob Bonta recently released an updated list of enforcement case examples, along with the major announcement that makeup retailer Sephora had agreed to a $1.2 million settlement with the state for CCPA violations.

Here are some of the key takeaways from the new report.

Deep Linking

In multiple instances, a failure to provide “deep links” (i.e., links to specific sections of a privacy policy and not just the top of the page) is flagged as a potential CCPA violation. This is in keeping with the general CCPA philosophy that privacy disclosures should be accessible and easy to read.

Disclosure of Financial Incentives

Rewards programs and the accompanying disclosures of financial incentives continue to be a focus of enforcement. The case examples stress the need to obtain consumers’ consent prior to enrolling them in a program where they provide personal information in exchange for a financial incentive, and also to disclose the material terms of the program. The meaning of “material terms” has been clarified to include how the business will use the data, such as for customer profiling or targeting promotional offers.

Providing Data in Exchange for Services

Under the CCPA, exchanging consumers’ personal data for “monetary or other valuable consideration” is considered a sale. While the monetary part is clear—trading data for money meets most people’s definition of a sale—what constitutes “other valuable consideration” is left vague (perhaps intentionally so). The latest enforcement examples make it clear that disclosing personal information “in exchange for services like advertising or analytics” is considered a sale. There is still room for interpretation as to what “in exchange for” means, but any free SaaS products that don’t offer service provider documentation are probably up for heightened scrutiny.

Exercising Consumer Rights

Allowing consumers to make privacy requests is an indispensable component of CCPA compliance, so it’s no surprise the authorities gave it plenty of attention. Among the alleged violations related to privacy requests were:

  • Requiring consumers to accept the privacy policy before exercising their rights
  • Confusing language, such as double negatives, that made it difficult for consumers to understand which options they were choosing
  • Opt-out mechanisms that required too many steps
  • Sending consumers to a “third-party trade association’s tool” to manage their advertising preferences instead of offering a direct opt-out
  • Failing to train staff on how to respond to CCPA requests

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
