Before the CCPA became enforceable on July 1, 2020, much ink was spilled (or many keys were hit) about the California Office of the Attorney General’s (“OAG”) ability to obtain civil penalties for CCPA violations. After that date, privacy lawyers waited with bated breath for OAG enforcement actions to start rolling in. But then, very little happened—at least publicly. While OAG attorneys have occasionally discussed sending confidential notices of violation to suspected violators in public appearances, no other public enforcement activity occurred.

It was tempting to think that the lack of public enforcement resulted from privacy lawyers’ excellent skill in interpreting the law and advising their clients, but the OAG’s recent release of 27 illustrative CCPA enforcement case summaries shows that the OAG has in fact been active in investigating and seeking to resolve CCPA violations. Those summaries provide some key insights into the OAG’s CCPA enforcement priorities. This post summarizes some of the most significant.

• Prospective Corrective Actions May Cure (or at Least Close Investigations into) Past CCPA Violations.

The CCPA provides that a violation occurs only if a business fails to cure alleged violations within 30 days of notification of noncompliance. But the statute is unclear on how prior violations could be cured. The introduction to the OAG’s case summaries is also unclear on that point—it only provides that cure “may require more than just starting to comply with the law.”

But the enforcement action summaries suggest that, in at least some cases, corrective actions that only apply prospectively can “cure” a prior CCPA violation. For example, one summary explains that a data broker that sold personal information without providing a “Do Not Sell My Personal Information” link addressed that issue by adding such a link to its homepage after receiving the OAG’s notice of noncompliance. While that link would not necessarily address sales of personal information that occurred before it was posted, its posting after the company received OAG’s notice nonetheless appears to have resolved the OAG’s concerns.

This is good news for businesses as implementing prospective compliance measures will generally be easier than cleaning up prior violations. Note, however, that this enforcement approach may change as the CPRA will transition enforcement authority to the newly created California Privacy Protection Agency (“CPPA”—yes, yet another unoriginal and confusing state privacy law acronym to join CCPA, CPRA, CDPA, and CPA) on January 1, 2023. While the 30-day cure provision will remain in effect, the CPPA’s approach to the enforcement cure period is still unknown—though the OAG’s approach may set a business-favorable precedent.

• Targeted Advertising Disclosures Presumed to Be Sales.

The CCPA’s broad and vague definition of “sale” includes all exchanges of personal information for “monetary or other valuable consideration.” That definition left some ambiguity about whether the sharing of personal information in connection with online behavioral advertising should be considered “sales.”

The OAG’s enforcement summaries strongly suggest that the OAG views behavioral advertising disclosures as “sales” under the CCPA, at least absent clear indications (such as a service provider relationship) that demonstrate otherwise. One summary, for example, explained that a pet industry website violated the CCPA by requiring consumers to “take additional steps to opt-out by directing consumers to a third-party trade association’s tool designed to manage online advertising.” The website cured that violation by creating “a ‘Do Not Sell My Personal Information Link’, and updat[ing] its opt-out webform that allowed consumers to fully opt-out of the sale of personal information, including personal information that was exchanged for targeted advertising.” Similarly, another summary states a “mass media and entertainment business” failed to provide a valid sale opt-out method because it “only directed consumers to a third-party trade association’s tool designed to manage online advertising.”

It’s important to note that the CPRA will definitively resolve this ambiguity through the introduction of a “sharing” concept that covers behavioral advertising disclosures. But the OAG’s characterizations in the case summaries indicates that businesses that share personal information with third parties other than “service providers” as part of behavioral advertising activities should not wait for the CPRA to develop a compliance strategy for managing CCPA “sale” requirements.

• Consumers and Other Third Parties Can Deliver a Notice of Noncompliance.

In a troubling development for businesses and their counsel, one enforcement summary suggests that a valid notice of noncompliance that begins the 30-day cure period can be provided by sources other than the OAG. The relevant summary provides that a consumer advocacy organization’s publication of a report finding that a data broker sold professional contact directories without posting a “Do Not Sell My Personal Information” link “provided notice of CCPA non-compliance to the business, in addition to a notice provided by the [OAG].”

The OAG doubled-down on that interpretation by creating a tool on its website that allows individual consumers to create a notice of noncompliance to email to businesses that do not offer a “Do Not Sell My Personal Information” link. The OAG summary also does not indicate whether the consumer advocacy organization provided direct notice to the data broker, which leaves open the question whether the OAG interprets the CCPA to even require actual notice, or whether constructive notice could be sufficient.

Given that ambiguity, businesses should carefully monitor communications from consumers and third-party sources implicating the business’s CCPA compliance. If the OAG learns about the separate notice of noncompliance, it could provide the OAG a basis to argue the 30-day clock that measures the time for the business to cure the violation began when that notice was sent.

• Non-compliant Privacy Policies and Sale Opt-out Issues Are the Most Common Enforcement Issues.

The enforcement summaries show that the most common CCPA violation that led to a notice from the OAG was a non-compliant privacy policy. 14 of the 27 enforcement actions involved some allegation of a non-compliant privacy policy. Common issues included omitting disclosures on individual rights and personal information sharing and failures to address whether the business sells personal information. The second most common category of violations were failures to provide a sale opt-out or otherwise having non-compliant sale opt-out processes.

Businesses should therefore prioritize ensuring their privacy policies address all CCPA statutory and regulatory requirements and assess their posture regarding personal information sales, including whether the business discloses data for behavioral advertising.

***

While the CPRA will transition enforcement authority to the CPPA on January 1, 2023, the OAG’s enforcement summaries still provide useful insights for privacy lawyers on the OAG’s enforcement priorities and process, and on its interpretation of existing CCPA requirements. And they may set precedents for the CPPA to follow once it begins enforcement. Please reach out to any member of our team if you need assistance with CCPA or CPRA compliance efforts.