AG Bonta Issues New Investigative Sweep of Mobile Application Companies

Troutman Pepper

[co-author: Susan Ryan]

On January 27, California Attorney General Rob Bonta announced an “investigative sweep” of businesses with mobile applications for allegedly failing to comply with the California Consumer Privacy Act (CCPA). This ongoing sweep targets popular mobile applications in the retail, travel, and food service industries that fail to offer a mechanism for consumers to opt out of data sales or that fail to process consumer opt-out requests, including requests submitted via an authorized agent like Permission Slip.

As the AG’s most recent effort to enforce California’s stringent consumer privacy law, this new investigative sweep came on the heels of the AG’s August 2022 $1.2 million settlement with Sephora for allegedly failing to disclose that it sold consumer personal information and failing to process opt-out requests via user-enabled global privacy controls. According to Bonta, his office focused on the idea that California “consumers have the right to stop the sale of their personal information.”

Since July 1, 2020, when enforcement of the CCPA began, many companies received notice-to-cure letters, warning of CCPA violations. In summer 2021, AG Bonta announced that 75% of the businesses that received a notice-to-cure letter complied within 30 days according to the CCPA; the remaining 25% either still fell within their 30-day statutory cure period or came under active AG investigation.

Critically, companies receiving new investigative letters can no longer rely on the CCPA’s 30-day cure period to correct violations. Effective January 1, the automatic 30-day cure period gave way to the California Department of Justice’s discretion to permit companies to cure on a case-by-case basis. Therefore, companies that receive notice-to-cure letters need to take immediate action and work with legal counsel to develop a strategy to respond and cure violations, if necessary.

Why It Matters

The breadth of AG Bonta’s sweeps serves as notice that no industry or business is immune from regulatory scrutiny. Their diversity may be due to the recently launched, interactive Consumer Privacy Tool through which consumers can draft noncompliance notices to companies. By essentially crowdsourcing preliminary investigation to the public, the OAG can expand its reach across a more varied industry base.

Companies that do business with California consumers need to make certain that they are engaging in defensible privacy practices as described by the CCPA and corresponding regulations. Companies must ensure that, at a minimum, they comply with fundamental privacy requirements under the CCPA, such as a readily available privacy policy, conspicuous notice of privacy rights, an easily accessible opt-out process on the company’s website, and consistent fulfillment of consumer opt-out requests. Failure to do so at this stage comes with significant risk.
