The California Attorney General (“AG”), Rob Bonta, recently announced a much-awaited report on the Office of Attorney General’s enforcement of the California Consumer Privacy Act of 2018 (“CCPA”).1 The AG’s press release: (i) summarized 27 CCPA enforcement efforts undertaken by the AG in the past year; and (ii) announced the launch of a new Consumer Privacy Interactive Tool that is available on the AG’s website. The tool enables users to generate notices of alleged noncompliance that they can send to companies. In addition, the AG’s website has been updated to include “CCPA Enforcement Case Examples.” This Dechert OnPoint summarizes these developments and offers some key takeaways.
Update on First Year of CCPA Enforcement Activity
The AG reported that the California Department of Justice began notifying businesses of their alleged noncompliance on July 1, 2020, the date on which the CCPA became enforceable. Businesses have a statutorily mandated 30-day period to cure alleged violations before enforcement can commence (though this provision is modified by the California Privacy Rights Act2 (“CPRA”) which empowers the AG to offer a cure period in its discretion when the CPRA enters into force in 2023). The AG reported that 75% of businesses that received a notice of alleged violation cured the violation within the 30-day period while the other 25% remain within the 30-day period or are “under active investigation.” A review of the case examples shows that the notices were issued to entities across industries (e.g., online advertising, automotive, media conglomerates, an online dating platform, education technology) and across topics.
The 27 case examples are good indicators of the AG’s priorities and how the AG is conducting CCPA enforcement. In this first wave of enforcement activity the AG appeared to zero in on cases involving non-compliant privacy policies and allegations related to sales of personal information (“PI”), including alleged failures to post a “Do Not Sell My Personal Information” link. Notices of alleged noncompliance were also issued on other “hot” CCPA compliance topics, including to: (i) a social media network that allegedly failed to put CCPA-specific language in its service provider contracts; (ii) a social media company that allegedly was not timely responding to consumer requests; and (iii) an automotive industry company that allegedly failed to deliver a notice at collection for information collected both online and in-person.
Global Privacy Control. The CCPA Frequently Asked Questions (“FAQs”) on the AG’s website indicate that the Global Privacy Control (“GPC”) is one acceptable method that a business can make available for consumers to opt-out of sales of PI. The GPC is a technical solution that the FAQs describe as a “stop selling my data switch” that is designed to “enhance consumer privacy rights” and allows consumers to “broadly signal[ ] their opt-out request” rather than “making requests on multiple websites on different browsers and devices.” While the CCPA Regulations already require businesses to treat user-enabled global privacy controls as valid opt-out requests, the FAQs now specify that “[u]nder law, [the GPC] must be honored by covered businesses as a valid consumer request to stop the sale of personal information.” Consistent with this FAQ, the case examples illustrate that the AG sent a notice alleging that a business was noncompliant because it did not process opt-out requests that consumers “submitted via a user-enabled global privacy control, e.g., a browser extension that signaled the GPC.”
Launch and Encouraged Use of Consumer Privacy Interactive Tool
The new Consumer Privacy Interactive Tool enables individuals to play a role in enforcement. The tool prompts users to answer a series of questions. Depending on the responses, the tool will either provide the user additional information about the CCPA or generate a template “notice of noncompliance.” The user can then email the notice to the relevant company. The tool currently focuses on alleged noncompliance regarding a target business’s failure to post an “easy-to-find Do Not Sell My Personal Information link” on its website.3
The apparent general availability of the tool raises questions about whether the tool will be used by non-California residents, and whether individuals are even capable of responding to some of the threshold questions in the tool (e.g., whether the target meets the CCPA revenue or volume of processing triggers or its CCPA status). There is the added burden of effectively requiring the recipients of these notices, and the AG’s office, to sift through complaints that may not be covered by the CCPA (e.g., those submitted by non-California consumers or to companies not subject to the CCPA).
Without a mechanism to verify whether the person submitting a notice of noncompliance is a California consumer or whether the company about whom information is submitted is, in fact, subject to the CCPA, companies that receive complaints generated by the tool are well-advised to carefully consider the actions they take in response. Two factors enhance this note of caution. First, the AG states that the notice generated by the tool and sent by consumers to a company “may satisfy” the statutorily mandated notice requirement that triggers the 30-day cure period. Second, the AG discloses that it will collect the information a consumer “provide[s] in the tool to assist us in investigating and enforcing the law.”4 While consumer protection authorities typically rely on consumers to assist in identifying instances of noncompliance and wrongdoing, we expect companies and industry groups to question whether the statutory text of the CCPA permits a consumer’s notice of alleged noncompliance to trigger the 30-day cure period.
The AG actively exercised its authority in the past year by targeting a broad range of industries and sectors for scrutiny and instituted processes for doing so. The AG has empowered consumers to notify companies directly of potential CCPA violations and play a key role in enforcement. Companies will want to prepare for an influx of consumer-generated notices of alleged noncompliance, of which the AG will be made aware. Given the potential 30-day cure trigger for consumer-generated notices to companies, companies should consider the viability of the claims sooner rather than later.
Further, all companies that are required to comply with the CCPA can gain valuable insights from the case examples disclosed by the AG. The case examples appear to resolve some ambiguities regarding the AG’s approach to CCPA compliance and some companies will want to review and consider updating their compliance approaches, including in the context of sales of PI. Companies that identify potential compliance gaps, or those companies with known pending CCPA “action items”, will want to assess risk and consider updating their CCPA compliance programs. By understanding the case examples, companies that are subject to the CCPA will be better situated if they move swiftly to assess, analyze and remediate issues of which they are aware.
1) For additional CCPA resources and thought leadership, please visit our CCPA Resource Center.
2) For more information on the CPRA, please see our Dechert OnPoint, The Past as Prologue: California Voters Approve CPRA as AG Proposes New CCPA Regulations.
3) The AG’s website states that the “tool may be updated over time to include other potential CCPA violations.”
4) The information the tool collects includes the user’s name, the name of the business, a link to the business’s website, the date on which the website was last checked for CCPA compliance and the business email address.