The Office of the Attorney General (AG) of California began enforcing the California Consumer Privacy Act (CCPA) more than a year ago and has since released a set of enforcement case examples it has pursued against businesses. The examples are anonymous and not a complete list of all enforcement cases, but the descriptions may provide helpful guidance to businesses subject to the law. Even those businesses that generally deal in exempt personal information may find value in reviewing the examples because they demonstrate the AG’s enforcement strategy and enforcement priorities and give some indication of how the AG interprets provisions of the law.
Is There a Cure Period for Alleged Noncompliance?
Yes. The AG’s release notes that businesses currently have 30 days to cure alleged noncompliance after receiving a notice of alleged noncompliance. Businesses should be aware, however, that this mandatory 30-day cure period will end in 2023, when the CCPA changes as a result of the California Privacy Rights Act (CPRA) approved by California voters in November 2020.
Takeaway: There is a 30-day cure period, but it expires in 2023.
Sending Data for Online Advertising and Analytics: Is It a “Sale” to a Third Party or Sharing with a Service Provider?
A striking number of the examples focus on the use of data for targeted advertising and analytics purposes. In several examples, the AG referenced businesses engaging in targeted advertising that involved the exchange of personal information the AG characterized as a “sale” of personal information requiring opt-out rights and disclosures. In one example in particular, the AG referred to a retailer using third-party tracking technology on its website that shared data with advertisers about consumers’ shopping activities. The AG faulted the business for not setting up a service provider relationship with the advertiser recipient.
Takeaway: Businesses should thoroughly analyze who is receiving their data and how each relationship is characterized, including for online marketing and analytics purposes. A recipient is a service provider only if the business has a written service provider agreement in place that contractually prohibits the recipient from retaining, using, or disclosing personal information beyond what the law permits; without that agreement, the AG may treat the disclosure as a sale.
Third-Party Trackers: What Data Is Being Analyzed, and How Can Consumers Decline Their Use?
One example referenced the use of third-party trackers employed for site analytics purposes. However, the AG does not provide details about the nature of the data that was of concern in that example; in particular, how the data met the definition of personal information under the CCPA is unknown at this point. Another example indicates that businesses may be required to honor the “global privacy control” (GPC) signal, a browser setting or browser extension through which site visitors can decline to let third-party online trackers, such as cookies, collect their data.
Takeaway: Businesses that have third-party trackers, like cookies, present on their websites should consider whether providing opt-out rights or setting up service provider relationships is an appropriate response.
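The following is an added illustration, not code from the article, the AG’s release, or any business described in it. It shows one way a site could honor the Global Privacy Control signal when deciding which third-party tags to load, and how the service-provider distinction discussed above changes the outcome. The request header `Sec-GPC: 1` is defined by the GPC specification; the tag catalog, the `ccpa_do_not_sell` cookie name, and the “service_provider” versus “sale” classification are constructed for the example and are assumptions, not anything the article or the AG prescribes.

```python
"""Added example (not from the article or the AG's release): honoring the
Global Privacy Control (GPC) opt-out signal when deciding which third-party
tags a page may load.

The GPC specification defines the request header ``Sec-GPC: 1``. The tag
catalog, opt-out cookie name and relationship classification below are
constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tag:
    """Constructed: one third-party tag and how its recipient is characterized."""
    name: str
    recipient: str
    relationship: str  # "service_provider" (contracted) or "sale" (e.g. ad targeting)


# Constructed catalog of tags a retailer's site might load.
TAG_CATALOG = [
    Tag("site-analytics", "analytics-vendor.example", "service_provider"),
    Tag("retargeting-pixel", "ad-network.example", "sale"),
    Tag("lookalike-audiences", "data-broker.example", "sale"),
]

# Constructed: cookie set when the consumer uses the site's own "Do Not Sell" link.
OPT_OUT_COOKIE = "ccpa_do_not_sell"


def gpc_opt_out(headers: dict) -> bool:
    """True when the browser sent the GPC opt-out signal.

    The spec defines only the value "1"; a missing header or any other value
    is treated as no signal. HTTP header names are case-insensitive.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def sale_opt_out(headers: dict, cookies: dict) -> bool:
    """The consumer has opted out if either the GPC signal or the site's own
    opt-out cookie is present. Neither path asks the consumer to verify identity,
    consistent with the article's caution against verification for opt-outs."""
    return gpc_opt_out(headers) or cookies.get(OPT_OUT_COOKIE) == "1"


def tags_to_load(headers: dict, cookies: dict, catalog=TAG_CATALOG) -> list:
    """Return the names of tags the page may load for this request.

    Tags whose recipient is a contracted service provider are loaded regardless;
    tags that would constitute a "sale" are suppressed once the consumer opts out.
    """
    opted_out = sale_opt_out(headers, cookies)
    return [
        t.name for t in catalog
        if t.relationship == "service_provider" or not opted_out
    ]


if __name__ == "__main__":
    # Constructed request from a browser sending the GPC signal.
    print(tags_to_load({"Sec-GPC": "1", "User-Agent": "example"}, {}))
```

In practice the same decision would also be mirrored client-side (the GPC specification exposes `navigator.globalPrivacyControl` to page scripts) so that tag managers that fire before the server’s decision is available still respect the signal.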
Opt-Out: What Is an Effective Means?
In other examples, the AG implied that a business does not comply with opt-out requirements for online advertising simply by referring consumers to third-party trade association opt-out tools, perhaps referencing tools made available by the Network Advertising Initiative and the Digital Advertising Alliance.
Takeaway: Businesses subject to the CCPA sale opt-out right should offer their own working opt-out mechanism rather than relying solely on third-party trade association tools, and should ensure that they do not impose verification procedures, such as requiring government identification or a consumer bill, before honoring an opt-out request.
The Business Is a Financial Institution Under the GLBA: Does the Business Still Need to Think About CCPA Compliance?
Yes. For example, auto dealers should consider personal information they collect that is not regulated by the Gramm-Leach-Bliley Act (GLBA) and is subject to the CCPA, as one enforcement example references a dealer who collected personal information from consumers taking test drives without providing a Notice at Collection.
Takeaway: Financial institutions should conduct data inventories to assess whether they collect or disclose data sets that are subject to the CCPA.
Privacy Program: What Do the Policies Say?
In looking across the examples, it is clear that the AG is focused on ensuring that privacy policies accurately and completely describe a business’s practices for processing personal information, including what information is collected, how it is used, and how it is shared.
Takeaway: Businesses should ensure that their privacy programs are integrated across the enterprise and capture all data practices, as well as changes to those practices. The examples also indicate that the AG pays attention to complaints submitted to it by consumers, so it is important that businesses have a good complaint-management program and are responsive to consumer complaints.
The Privacy Program Has Been Implemented: The Business Is Done, Right?
No. Businesses cannot put a CCPA compliance program in place and then leave it alone. The CCPA will change in 2023 as a result of the California Privacy Rights Act, which adds new requirements for businesses subject to the law and transfers enforcement authority to a new agency, the California Privacy Protection Agency. That agency is also beginning a rulemaking process to issue regulations reflecting the changes to the CCPA. And as time goes on, as these enforcement examples show, we will continue to learn more about how regulators interpret the CCPA and what their enforcement priorities are.
Takeaway: As with all good compliance programs, businesses should implement routine review of their CCPA compliance program to ensure that legal updates are captured and adjustments are made for both changes to business practice and changes to the law, with appropriate consideration given to consumer complaints and requests.
Taking note of these examples now may help businesses get ahead of the game for their own CCPA compliance. Off. of the Att’y Gen., State of Cal. Dep’t of Just., CCPA Enforcement Case Examples (listing enforcement case examples).
Copyright © 2021 Hudson Cook, LLP. All rights reserved. Reprinted with express permission from Hudson Cook, LLP.
Copyright © 2022, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Litigation Section, this committee, or the employer(s) of the author(s).