Trends in CCPA Enforcement from 2021 to 2022 – Try Harder

Ankura

This is the third article in a three-part series in which Ankura privacy experts analyzed the 40 examples of alleged non-compliance with the California Consumer Privacy Act (CCPA) published by the California Office of Attorney General (OAG) in June 2021 and August 2022. Our first article included metrics on specific areas of CCPA non-compliance. The second article focused on the industries that were targeted by the OAG. This third article focuses on trends we observed between the 27 examples provided by the OAG in June 2021 and the 13 examples provided by the OAG in August 2022.

Key Takeaways

When we compared the 27 examples of CCPA noncompliance published by the OAG in 2021 with the 13 examples published in 2022, one thing was obvious: simply trying is not good enough.

More specifically, in 2021 the examples of CCPA noncompliance centered around the absence of information. For example, the OAG’s examples from 2021 cited items such as: [1]

  • “The company did not provide the required notices to consumers or methods to submit consumer requests.”
  • “A business that provides an online dating platform and sold personal information did not have a “Do Not Sell My Personal Information” link on its homepage.”
  • “The company did not provide a Notice of Financial Incentive to consumers participating in these loyalty programs.”
  • “The business also did not explicitly state whether or not it had sold personal information or transferred personal information for a business purpose in the past 12 months.”
  • “An automotive company collected information from consumers who test drove vehicles at the business, but it failed to provide a notice at collection.”

These snippets suggest that in 2021 the OAG was alleging non-compliance based on the absence of information, such as missing notices, missing “Do Not Sell” links, and missing references to the sale of personal information. In the examples of non-compliance published in August 2022, by contrast, the OAG appears to be citing organizations for unclear, inaccurate, or confusing notices and processes that the organization had already developed but that were still not compliant. For example, the OAG’s examples from 2022 cited items such as: [2]

  • “…website homepage; however, it included choices that were confusing with unclear language and toggle options.”
  • “Revised online interfaces to clearly direct consumers to…”
  • “Redesigned their loyalty programs’ enrollment methods to capture express opt-in consent…”
  • “Revised their Notices of Financial Incentives…”
  • “The business’s disclosures regarding its sale of data were also confusing, and…”
  • “A business that operates a people search website had a “Do Not Sell My Personal Information” link that worked only on certain browsers and directed consumers to a confusing webpage that required several additional steps to submit CCPA requests.”
  • “The business required an onerous process for CCPA requests (including verification), provided only one method to submit CCPA requests…”
  • “It was also unclear if the consumer was required to create an account in order to complete their requests. The business also did not properly disclose CCPA metrics for the previous calendar year.”
  • “…had a non-compliant opt-out process. Its “Do Not Sell My Personal Information” link led to a pop-up option that only discussed how to manage cookies and similar technologies.”
  • “…its online CCPA portal was not functional and was not accepting consumer requests to know and delete.”

Under the CCPA, organizations benefited from a 30-day right to cure, which gave an organization 30 days to make improvements after receiving a letter of non-compliance from the OAG. In January 2023, the 30-day right to cure will sunset when the California Privacy Rights Act (CPRA) takes effect. It’s important that organizations review existing CCPA processes and identify needed CPRA enhancements to avoid scrutiny from the OAG, especially in the absence of the cure period.

[1] https://oag.ca.gov/privacy/ccpa/enforcement. Retrieved October 25, 2022.

[2] https://oag.ca.gov/privacy/ccpa/enforcement. Retrieved October 25, 2022.

Written by:

Ankura