This is the second article in a three-part series where Ankura privacy experts analyzed the 40 examples of non-compliance with the California Consumer Privacy Act (CCPA) published by the California Office of Attorney General (OAG) in June 2021 and August 2022. The first article included metrics on specific areas of CCPA non-compliance. This second article focuses on the industries that were targeted by the OAG and our third article will focus on the trends that we observed between the 27 examples provided by the OAG in June 2021 versus the 13 examples provided by the OAG in August 2022.

Analysis of Targeted Industries 

In September 2021, Ankura published an article summarizing the 27 illustrative examples and the associated industries. Our analysis showed that across the initial 27 illustrative examples from 2021, 19 different industries were represented, and that data brokers, grocery retailers, social media, video game, and online event sales were the industries most targeted.

Ankura examined each of the 40 instances of non-compliance provided by the OAG in 2021 and 2022 and for each of the examples of non-compliance, identified the industries set forth below in Table 1.  

Key Takeaways

Upon review of the most recent examples of non-compliance, what jumped out to us was the introduction of two new industries, Healthcare and Financial Technology. This is significant because the CCPA provides exemptions for data covered by the Health Insurance Portability and Accountability Act (HIPAA) which is primarily applicable to healthcare-oriented organizations and data covered by the Gramm-Leach-Bliley Act (GLBA) which is primarily applicable to financial services organizations. 

Below is a summary of the relevant specific examples published by the CA OAG:[1]

•  Healthcare, Medical Device, and Telehealth
  • “A business that matched open appointments with patients seeking COVID-19 vaccinations incorrectly treated some consumer requests to know as requests to delete and permanently deleted consumers’ personal information.”
  • “A medical device manufacturer and seller collects consumers’ personal information on its website. The business limited a consumer’s rights under the CCPA by requiring consumers to accept the business’s privacy policy and terms of service in order to exercise their rights under the CCPA. The business’s privacy policy stated, among other things, that a consumer was limited to one request every 12 months. The business’s disclosures regarding its sale of data were also confusing, and the business did not provide a mechanism for consumers to opt-out of the sale of their personal information. The business also made consumers take additional steps to opt-out by directing consumers to a third-party trade association’s tool designed to manage online advertising.”
  • “A business that provides a platform for virtual healthcare services also had a separate public-facing website that collected personal information and is subject to the CCPA. The business’s link to its notice at collection sent consumers to the beginning of its privacy policy instead of the relevant section. The business’s privacy policy also failed to describe the information a consumer must provide in order to make a verifiable consumer request, list the categories of personal information collected or disclosed in the past twelve months, and list the categories of third parties for each category of personal information disclosed for a business purpose."
• Financial Services and Products
  • “A business that offers financial services to minors, including those aged 13 to 16 years old, operated a mobile app that failed to notify consumers at or before the point of collection about the categories of personal information the business collected, and the purposes used. It also did not explicitly state in its privacy policy whether it sold personal information.”
  • “A technology platform that provides financial products for businesses and consumers did not allow consumers to submit opt-out requests or requests to know via authorized agents. The platform also failed to ensure that those handling consumer inquiries were informed of CCPA requirements or how to direct consumers to exercise their CCPA rights.”

Interestingly, one area of compliance that may remain under HIPAA's scope is related to tracking technologies. On December 1, 2022, the U.S. Department of Health & Human Services (HHS) issued a bulletin providing guidance that HIPAA regulated entities that collect personal information via tracking technologies may be governed by HIPAA because that personal information is indicative that the individual has received or will receive health care services or benefits from the covered entity. That said, HIPAA has similar compliance obligations relating to the use of tracking technologies and covered entities should become familiar with those requirements. [2]      

Our final article in this series will focus on trends we observed in the enforcement actions from 2021 versus those new examples published by the OAG in August 2022.

[1] https://oag.ca.gov/privacy/ccpa/enforcement. Retrieved October 25, 2022.

[2] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html  Retrieved December 12, 2022.