Recently, the Office of the Attorney General of California announced three major updates that 1) added to the California Consumer Privacy Act's (CCPA) opt-out rules related to the sale of personal information, 2) made it easier for consumers to participate in enforcing the CCPA, and 3) unveiled other focus areas of CCPA enforcement activities.

First, the California Attorney General's office now mandates that covered businesses honor the Global Privacy Control (GPC) by treating it as a request by a consumer who has implemented the control to not sell the consumer's personal information. The GPC is a browser- or extension-enabled global opt-out setting developed by an independent group of stakeholders that allows users to automatically signal their privacy preference to participating websites. In light of this mandate, businesses that have implemented a CCPA "Do Not Sell My Personal Information" opt-out mechanism should also evaluate implementing the GPC.

Second, the California Attorney General's office launched a new Consumer Privacy Tool that helps consumers draft a notice of noncompliance to businesses that allegedly violated the CCPA. According to the Attorney General, the notices sent by consumers may trigger the 30-day CCPA cure period. Therefore, businesses should be on the lookout for consumers' notices and cure any compliance deficiencies promptly if the substance of the notice is valid.

Lastly, the California Attorney General's office published examples of CCPA noncompliance notices, including one notice to a company that allegedly failed to implement GPC. Businesses should take the enforcement trend into account in building and maintaining their CCPA compliance systems.

Global Privacy Control

The California Attorney General's office recently updated the Frequently Asked Questions (FAQs) section on its CCPA website. The CCPA FAQs now state that the Global Privacy Control (GPC) "must be honored by covered businesses as a valid consumer request to stop the sale of personal information."¹ The California Attorney General's office has also reportedly sent out at least 10 enforcement letters to companies in the past three weeks, reiterating the mandate on honoring the GPC.²

The GPC is an initiative by a group of publishers, privacy advocacy organizations, and technology companies like The New York Times, the Electronic Frontier Foundation, and DuckDuckGo.³ The GPC seeks to streamline consumers' opt-out requests. Theoretically speaking, the GPC allows users to automate the opt-out process, instead of manually submitting such requests for each website. It operates via browsers that have implemented GPC, such as the DuckDuckGo Privacy Browser or a browser extension like Abine Blur.⁴ When a consumer enables GPC, the browser sends an opt-out signal to participating websites visited by the user.⁵ The websites receiving the GPC opt-out signal can then honor the user preference by treating the user as though they had submitted a CCPA "Do Not Sell My Personal Information" request.⁶ Therefore, in order to honor the user preference, websites need to first implement the GPC technical specification to recognize the signal and instruct their systems on how to react accordingly.⁷

Regulatory Basis for Requirement to Honor GPC

The CCPA § 1798.135 currently requires a covered business that "sells" California residents' personal information to implement a "Do Not Sell My Personal Information" link on its internet homepage and privacy policy. The "Do Not Sell" link must lead to a webpage that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer's personal information. Adding to the statutory requirements, § 999.315(c) of the CCPA Regulations requires businesses that collect personal information online to honor user-enabled global privacy controls. Such controls include a browser plug-in or privacy setting that signals the consumer's choice to opt out of the sale of their personal information. Under the CCPA Regulations, businesses must treat those signals as a valid CCPA "Do Not Sell" request.

A number of commenters objected to this regulatory requirement during the rulemaking process for the CCPA Regulations, in particular citing concerns that the requirement was too vague or lacked statutory authority. Nevertheless, the California Attorney General's office rejected these concerns and stood firm in its position that it had the authority to impose a requirement for businesses to honor user-enabled global privacy controls even if the CCPA Regulations did not define a specific technical standard for industry adoption.

Possibility of New Opt-Out Laws

The California Attorney General's requirement to implement the GPC is not likely set in stone. Other emerging state privacy statutes, such as the California Privacy Rights Act (CPRA) and the Colorado Privacy Act (ColoPA)—both of which take effect in 2023—mandate that covered entities implement new opt-out requirements. These laws may supersede or conflict with the California Attorney General's requirement to honor the GPC.

The CPRA directs the California Privacy Protection Agency (CPPA), a newly-formed independent agency tasked with regulating and enforcing the CPRA, to issue a host of implementing regulations. The CPPA has the authority to define a technical standard for an opt-out preference signal with its own unique requirements. Under § 1798.185(a)(19), such an opt-out tool must be free of defaults constraining or presupposing a consumer's intent. The opt-out tool must also allow consumers to "selectively consent" to an individual business's "sale" of their personal information or "use or disclosure" of their sensitive information. These requirements are not compatible with the current version of the GPC, however, which does not provide these granular options and has been implemented as enabled by default by some browser providers. Moreover, while the CCPA Regulations currently require businesses to honor user-enabled global privacy controls, § 1798.135(b)(3) of the CPRA makes clear that honoring such controls is one option for complying with the CPRA's requirement to provide a means for consumers to opt out of the sale or "sharing" of their personal information and limit the use of their sensitive personal information. Thus, the current requirement to honor such controls in § 999.315(c) of the CCPA Regulations will ultimately need to be withdrawn or modified unless the California legislature modifies the CPRA before it takes effect on January 1, 2023. The deadline for the CPPA to finalize regulations is in less than a year—by July 1, 2022.

ColoPA also bestowed rulemaking authority on the Colorado Attorney General to delineate one or more user-selected universal mechanisms for communicating the consumer's desire to opt out of the processing of personal data for targeted advertising or the sale of personal data.⁸ ColoPA § 6-1-1313(2)(e) also states that the mechanisms must be "as consistent as possible with any other similar mechanism required by law or regulation in the United States." While ColoPA's right to opt-out of the "sale" of personal data significantly overlaps with the CCPA's and CPRA's equivalent right, ColoPA offers an independent right for consumers to opt out of the processing of personal data for targeted advertising purposes. Similarly, while the CPRA offers consumers a right to limit the use of their sensitive personal information, ColoPA requires businesses to obtain consent before processing a consumer's sensitive data and the two statutes have very different definitions of what constitutes "sensitive data." Thus, while there will possibly be some overlap between the opt-out mechanisms created under ColoPA and the CPRA, there will also very likely be divergence in the options offered absent legislative activity to better harmonize the statutes. Also of note is that ColoPA § 6-1-1306(1)(a)(IV) makes it optional for businesses to honor the opt-out mechanisms defined by the Colorado Attorney General until July 1, 2024, at which point honoring the mechanisms becomes mandatory. The Colorado Attorney General's office must finalize the rules detailing the technical specifications for the opt-out mechanism or mechanisms by July 1, 2023.⁹

It remains to be seen whether the GPC can adapt to be compatible with the future regulations issued by the CPPA and the Colorado Attorney General's office.

Consumer Privacy Tool and Other Enforcement Updates

On top of sending out enforcement letters mandating the GPC in the past three weeks, the California Attorney General's office also made other critical enforcement announcements. On July 19, 2021, California Attorney General Rob Bonta held a press conference to provide an update on the California Department of Justice's enforcement efforts on the CCPA.¹⁰ During the conference, Attorney General Bonta discussed two topics: 1) a new Consumer Privacy Tool launched by the Attorney General's office to help consumers draft notices of CCPA noncompliance to send to businesses; and 2) examples of noncompliance notices sent to covered businesses.

A New Consumer Privacy Tool

The Attorney General's office unveiled a new Consumer Privacy Tool, which consists of an interactive Q&A form on the Attorney General's website designed to help consumers draft a notice of noncompliance to businesses that allegedly violated the CCPA.¹¹ Under the CCPA, companies are in violation if they fail to cure any alleged violation "within 30 days after being notified of alleged noncompliance." Of particular note, the Attorney General is taking the position that a notice of noncompliance sent by a consumer begins the 30-day cure period under the CCPA, stating "While consumers cannot sue businesses for most CCPA violations, sending a notice of noncompliance is useful. The Attorney General may sue businesses that violate the CCPA if they do not cure any CCPA violation within 30 days of being notified of noncompliance. The notice you send may satisfy that prerequisite." If challenged, it is questionable whether a court would find that consumer notices do in fact trigger this 30-day period. Nonetheless, given this position by the Attorney General, businesses should be on the lookout for notices of noncompliance sent by consumers and promptly cure any compliance deficiencies if the substance of the notice is valid.

The Consumer Privacy Tool is currently limited to drafting notices for a missing or non-conspicuous "Do Not Sell My Personal Information" link on a business's website. The current version of the tool is titled v1.0; the website states that future versions may allow drafting notices for other types of potential CCPA violations.

Examples of Noncompliance Notices

Attorney General Bonta highlighted a few examples of noncompliance notices in the press conference. Examples included businesses being slow to respond to CCPA requests; omitting the notice of financial incentive; failing to provide a privacy notice at collection; and forcing consumers to share their personal information with third parties when signing up for a service.

The Attorney General's office also published additional examples of CCPA enforcement cases on its website, including:¹²

• Issues related to being a service provider. Examples include failing to update service provider contracts and failing to update terms of service to clarify the entity's obligations as a service provider.
• Issues related to privacy policies. Examples include failing to provide a notice of consumer rights and service providers that also function as covered businesses failing to post CCPA-compliant privacy policies.
• Issues related to exercising consumer rights. Examples include failing to provide a toll-free number for submitting requests; charging fees for requests; and requiring a notarized agent to exercise rights.
• Issues related to sales of personal information. Examples include failing to provide a "Do Not Sell My Personal Information" link on the business's website; requiring consumers take additional steps to opt out by directing consumers to a third-party trade association's tool designed to manage online advertising; not honoring the GPC; and sharing the consumers' personal information with third-party analytic providers, which the Attorney General alleged constituted sales, without providing required notices or opt-out methods to consumers.

In the press conference, Attorney General Bonta announced that about 75 percent of the businesses that received the noncompliance notices amended their practices within the CCPA's 30-day cure period. He also stated that the remaining 25 percent were either still within the 30-day cure period or under investigations.

Conclusion

The California Attorney General's office's three recent CCPA announcements should provide motivation for covered businesses to re-evaluate and update their CCPA compliance programs. The Attorney General's mandate on honoring the GPC endorses the movement toward a global opt-out mechanism. Future regulations under the CPRA and ColoPA are likely to expedite, but also possibly complicate, this trend. The launch of a new Consumer Privacy Tool by the California Attorney General's office also shows that the California Department of Justice is concentrating its efforts on enforcing CCPA opt-out rules. We recommend businesses evaluate implementing the GPC and be vigilant about consumer noncompliance notices to get a head start on the new and upcoming opt-out rules and enforcement activities. Businesses should also consider the CCPA enforcement trend, as evidenced by newly published examples of CCPA noncompliance notices, in building and maintaining their privacy compliance programs.

[1] Office of the Attorney General of California, Frequently Asked Questions (FAQs): What is the GPC?, https://oag.ca.gov/privacy/ccpa.

[2] See Kate Kaye, California’s Attorney General Backs Call for Global Privacy Control Adoption with Fresh Enforcement Letters to Companies, Digiday (July 16, 2021), https://digiday.com/marketing/californias-attorney-general-backs-call-for-global-privacy-control-adoption-with-fresh-enforcement-letters-to-companies/.

[3] See Global Privacy Control, Organizations, https://globalprivacycontrol.org/#org.

[4] See Global Privacy Control, About, https://globalprivacycontrol.org/#about.

[5] Id.

[6] Id.

[7] See Global Privacy Control, Frequently Asked Questions, https://globalprivacycontrol.org/#contact.

[8] § 6-1-1313(2).

[9] Id.

[10] See California Department of Justice, Attorney General Bonta Provides Update on CCPA Enforcement Efforts, YouTube (July 19, 2021), https://www.youtube.com/watch?v=C2gk8hHlgAw.

[11] See State of California Department of Justice Office of the Attorney General, Consumer Privacy Interactive Tool (July 17, 2021), https://oag.ca.gov/consumer-privacy-tool.

[12] See State of California Department of Justice Office of the Attorney General, CCPA Enforcement Case Examples (July 19, 2021), https://oag.ca.gov/privacy/ccpa/enforcement.