With a little over a year of enforcing the California Consumer Privacy Act (CCPA) under its belt, the Office of the California Attorney General (OAG) recently held a press conference to announce updates on its CCPA enforcement efforts and promote new tools relating to California consumers’ right to opt out of the sale of their personal information.

Enforcement updates.  At the press conference, California Attorney General Rob Bonta summarized the first year of enforcement of the CCPA and provided specific examples of actions businesses have taken to rectify alleged violations following receipt of a notice of noncompliance.  The notice triggers a 30-day period for the business to cure the alleged violation, which is a prerequisite to the OAG bringing an enforcement action. Examples of actions taken by businesses include:

  • A social media platform that explained and updated its response processes to include timely request receipt confirmations and request responses;
  • An online data app that added a clear and conspicuous “Do Not Sell My Personal Information” link (DNS link) and updated its privacy policy with compliant sales disclosures;
  • A car manufacturer and seller that implemented a notice at collection to inform consumers of the use of personal information collected during vehicle test drives at the dealership and updated its privacy policy to include required disclosures; and
  • A grocery chain that amended its privacy policy to provide a notice of financial incentive to consumers participating in its loyalty programs.

Mr. Bonta noted that to date, 75% of businesses that receive a notice to cure address the CCPA violation.  The other 25% are either still within their 30-day cure window or under an active investigation.

Following the press conference, the OAG also published an illustrative list of 27 enforcement case examples summarizing situations in which it sent a notice of alleged noncompliance and steps taken by the businesses in response.  Although the summaries contain few identifying details, they provide additional insight into the OAG’s enforcement priorities.  For instance, seventeen of the 27 case examples involved non-compliant privacy policies.

Global privacy control.  A number of the case summaries also focused on proper opt-out disclosures and methods, such as the use of global opt-out settings.  In August 2020, the OAG finalized CCPA regulations that require businesses to honor user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information.  The OAG updated its CCPA FAQs in late June 2021 to state that the Global Privacy Control (GPC), a technical standard that can automatically transmit a do-not-sell request when consumers visit a website, “must be honored . . . as a valid consumer request to stop the sale of personal information” by businesses that collect personal information from consumers online and sell personal information.

In one enforcement case example, an electronics seller failed to process consumers’ requests to opt out that were submitted via a user-enabled universal opt-out signal, such as the GPC, among other alleged compliance issues.  After being notified of alleged noncompliance, the business “worked with its privacy vendor to effectuate consumer opt-out requests and avoid sharing personal information with third parties under conditions that amounted to a sale in violation of the CCPA.”

Another summary described how a location data broker’s opt-out process improperly directed consumers to use their mobile device settings to effectuate their opt-out choices and failed to state whether the provided request webform allowed consumers to opt out of the sale of their personal information.  After being notified of alleged noncompliance, the data broker updated its opt-out webpage and clarified that adjusting mobile device settings would limit future tracking but would not effectuate a CCPA opt-out request.

The mandate on honoring requests submitted via universal opt-outs like the GPC has generated considerable discussion.  In a July 28 letter to the OAG, a coalition of advertising industry groups raised concerns about how the mandate conflicts with the approach taken in the California Privacy Rights Act (CPRA), according to which businesses “may elect” to either provide a clear and conspicuous DNS link or allow consumers to opt out via an “opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism, based on technical specifications to be set forth in regulations.”  This CPRA provision becomes operative in January 2023. In the meantime, absent further guidance from the OAG, covered businesses should make sure they have processes in place to respond to requests sent via universal opt-out mechanisms like the GPC.

Consumer privacy interactive tool.  During the press conference, Mr. Bonta also unveiled a new Consumer Privacy Interactive Tool (CPIT) allowing consumers to draft notices of noncompliance for businesses that they believe may have violated the CCPA’s requirement to allow consumers to opt out of the sale of their personal information.  The tool asks a series of guided questions to confirm whether the business in question is subject to the CCPA, sells personal information, provides an appropriately clear and conspicuous DNS link, provides an interactive form by which consumers may submit opt-out requests, requires consumers to create an account in order to opt out, and/or requires consumers to submit more personal information than is necessary to direct the business to not sell their personal information.  If the answers provided indicate that the business is not in compliance with the CCPA, the tool generates a draft notice of noncompliance that the consumer may then send to the business.

According to Mr. Bonta, and as confirmed later in a press release, this notice “may trigger” the 30-day period for the business to cure the alleged violation. If the business has not remedied the alleged noncompliance within 30 days of the date the notice was sent, consumers can file a consumer complaint with the OAG.  Although the CPIT is currently limited to drafting notices to businesses that do not post an easy-to-find DNS link on their website, the tool may be updated in the future to include additional potential CCPA violations.

It is not yet clear what impact the CPIT will have on future CCPA enforcement by the OAG, especially given that information can be entered into the tool anonymously and there is no accountability mechanism for ensuring the information entered is accurate.  Additionally, the ability to cure violations is scheduled to go away in January 2023, when the rest of the CPRA’s updates to the CCPA enter into effect.  Nevertheless, businesses should prepare for the possibility of receiving noncompliance notices generated through the CPIT and review their privacy policies and procedures to ensure such notices are addressed within the 30-day cure period.