Keypoint: A detailed analysis of the Attorney General’s twenty-seven published examples of noncompliance notices sent during the first year of CCPA enforcement reveals key learnings for CCPA compliance efforts.
In July, the California Attorney General published twenty-seven “illustrative examples” of noncompliance notices it sent to businesses during its first year of enforcing the CCPA. The examples provide a rare glimpse into the Attorney General’s enforcement priorities.
Below is an analysis of the published enforcement examples. The office emphasizes, however, that the information provided “does not include all the facts of each situation and does not constitute legal advice.”
Types of Entities
The illustrative examples concern the following types of businesses and industries:
- social media (3)
- grocery retailer (3)
- online event sales (2)
- dating (1)
- marketing services (1)
- advertising (1)
- platform (1)
- gaming (1)
- clothing retailer (1)
- children’s toy distribution
- mass media and entertainment
- location data
- pet industry
- consumer electronics
- digital media
- email subscription platform
- digital experiences partnership
- data broker
- video game distribution
- education technology
- database/directory sales
The wide variety of entities receiving enforcement notices suggests that the Attorney General is not targeting, nor will it overlook, any particular industries or types of businesses. Further, these are just examples of enforcement notices such that the absence of a certain type of industry or business from the list should not be given any particular weight.
Summary of Deficiencies
The following chart identifies the various types of deficiencies ranked in descending order by the number of times the examples cited the deficiency. In many instances the enforcement notice covered multiple deficiencies.
Perhaps unsurprisingly, the illustrative examples indicate a focus on vetting online privacy policies and ensuring that businesses are providing proper methods for receiving consumer requests. The examples also show a focus on the sale of personal information, including providing the required “Do Not Sell My Personal Information” link. We provide further analysis after the chart.
| Topic | Number of Times Cited |
|---|---|
| Failure to Identify / Deficient Methods to Submit Consumer Requests | 22 |
| Failure to Provide / Deficient Do Not Sell My Personal Information Link | 10 |
| Failure to State Whether Business Sells Personal Information | 7 |
| Failure to Have Proper Service Provider Contracts | 2 |
| Failure to Provide Notice at Collection | 2 |
| Failure to Properly Respond to CCPA Requests | 1 |
| Failure to Provide Notice of Financial Incentive | 1 |
| Failure to Obtain Opt-In Consent for Sale of Minors’ Information | 1 |
| Failure to Recognize Global Privacy Control Signal | 1 |
Analysis of Deficiencies
In its examples, the Attorney General identified a number of deficiencies with privacy policies, including the failure to (1) provide notice of CCPA consumer rights (e.g., right to know, delete, and not be discriminated against); (2) disclose methods of receiving consumer requests and/or have existing methods work; (3) state whether the business sells personal information or disclosed personal information for a business purpose in the last 12 months; (4) provide the categories of personal information the business disclosed; (5) include instructions on how authorized agents can submit requests; (6) provide a toll-free number for requests; and (7) provide adequate notice of how personal information is collected, used, or sold.
The fact that so many enforcement actions related to privacy policies indicates that this is “low hanging fruit” for the Attorney General. Businesses can mitigate risk by focusing on these documents and closely tracking the requirements set forth in the CCPA regulations.
In addition to the issues outlined above, the Attorney General identified a number of other deficiencies related to consumer requests, including businesses (1) failing to timely acknowledge and respond to consumer requests; (2) improperly stating that the business could charge a fee for responding to requests; (3) directing consumers to non-functional online methods for submitting requests; (4) requiring authorized agents to submit notarized verifications; and (5) providing incorrect instructions on how to exercise requests to know and delete.
As with privacy policies, the Attorney General’s focus on consumer requests follows naturally, given that the methods of receiving requests are publicly reviewable and the failure to implement proper methods (or to respond to requests) is likely to generate consumer complaints to the Attorney General.
Sale of Personal Information
Another area of focus is the sale of personal information. The enforcement notices included not only requiring clear disclosures about whether a business sells personal information (as described above) but also ensuring that businesses that do sell personal information provide a “Do Not Sell My Personal Information” link (and ensure the link actually works).
In one example, the Attorney General faulted a business for taking the position that a “user clicking an ‘accept sharing’ button when creating an account was sufficient to establish blanket consent to sell personal information.” The Attorney General identified other issues involving the sale of personal information, including a business providing a confusing webform for opt-out requests, multiple businesses directing consumers to a third-party trade association’s tool to manage online advertising, and another business not obtaining opt-in consent for the sale of minors’ information.
The Attorney General also faulted a data broker for requiring users to verify their identity before honoring opt-out requests and for improperly requiring users to create an account to make a request.
Finally, in an interesting example, the Attorney General condemned a “media conglomerate” for requiring consumers “to submit multiple, separate requests to opt out of the sale of their personal information on each website in its portfolio.” The absence of background facts and context for this alleged violation makes it difficult to analyze. However, at a minimum, it suggests that businesses with multiple URLs need to be mindful of whether they need a centralized opt-out mechanism.
Cookies and Tracking Technologies
In June 2020, we wrote an article for the IAPP analyzing the Attorney General’s comments on cookies and tracking technologies in its Final Statement of Reasons published with the CCPA regulations. At that time, we noted that “many questions remain unanswered.”
The illustrative enforcement notices make a number of references to online tracking that indicate it is a priority. However, the lack of specificity in the notices once again makes it difficult to draw too many conclusions.
In one example, the office states: “The business also exchanged personal information about users’ online activities with various third-party analytics providers but did not post the required notices or provide consumers with methods to opt-out of the sale [of] personal information.” The example notes that the business removed all tracking from its application and website upon receiving notice of the alleged non-compliance.
The reference to “third-party analytics providers” is notable insofar as it could be read to suggest that the Attorney General considers the use of services such as Google Analytics to be a sale of personal information. However, the lack of details and specificity with this example make drawing such a conclusion speculative at best.
It should be noted that during the rulemaking process, the office was specifically asked to confirm whether sharing information with Google Analytics and Adobe Analytics would be considered a service provider relationship or sale of personal information. See Appendix A to Final Statement of Reasons ¶ 544 at page 176. The Attorney General responded that the comment “raises specific legal questions that require a fact-specific determination.”
In another enforcement example, the office states:
- “A business that sells electronics maintained third-party online trackers on its retail website that shared data with advertisers about consumers’ online shopping. The business neither imposed a service provider contractual relationship on these third parties, nor processed consumers’ requests to opt-out that were submitted via a user-enabled global privacy control, e.g., a browser extension that signaled the GPC. After being notified of alleged noncompliance, the company worked with its privacy vendor to effectuate consumer opt-out requests and avoid sharing personal information with third parties under conditions that amounted to a sale in violation of the CCPA.”
The example reinforces that the use of tracking technologies for third-party advertising is a sale (at least under certain circumstances). This point, although initially challenged by certain groups, seems to have become uncontroverted. Again, the lack of specificity and details surrounding this example makes it difficult to analyze. For example, there is no indication whether the office considers a consumer’s consent to cookies to not be a sale of personal information.
The reference to a Global Privacy Control (“GPC”) signal is also notable. As discussed in our prior post, the office recently announced that businesses must recognize GPC signals as valid opt-out requests. It is anticipated that the Attorney General will increase its enforcement actions relating to GPC signals in the coming months.
Finally, the office noted that directing consumers to their device settings to effectuate their opt-out rights was, standing alone, insufficient under the circumstances.
Service Provider Contracts
In two examples the office stated that the entity was operating as a “service provider” under the CCPA, but its service provider contracts did not contain the necessary restrictions on the use of personal information. These examples reinforce that entities should be mindful to include the necessary service provider language when transferring personal information to entities that meet that definition.
Synthesizing the above analysis, a number of key takeaways can be drawn from the published enforcement cases, including:
- Focus on Publicly Available Disclosures and Information
It should come as no surprise that the most frequently cited deficiencies in the enforcement notices concern privacy policies, consumer requests and the opt-out of sales. These disclosures are all publicly available for review and critique. Businesses subject to the CCPA should ensure that they are closely tracking the CCPA’s requirements for these disclosures. They also should ensure that their privacy policies are readable and understandable (no doubt a tricky undertaking given the complexity of the CCPA).
- Conspicuously Post Opt-Out / Do Not Sell My Personal Information
Ensuring that consumers have the right to opt-out of the sale of their personal information came up in a number of ways in the enforcement examples, including businesses failing to provide the required link in their footers, failing to state whether they sell (or do not sell) personal information in their privacy policies, and failing to obtain opt-in consent for the sale of minors’ information. It should be borne in mind that a primary goal of the CCPA is to give consumers control of their personal information, and the sale of personal information is intricately tied to that goal.
- Recognize Global Privacy Control Signal
Although it only appears once in the enforcement notices, over the past two months the office has shown an increased interest in enforcing businesses’ recognition of GPC signals. This is an issue that businesses should get ahead of now to ensure compliance.
- Cookies and Other Tracking Technologies
Unfortunately, many questions remain regarding how the office is approaching cookies and other tracking technologies. The enforcement examples contain two examples that discuss tracking technologies but neither provides the type of factual detail and analysis that privacy professionals crave when analyzing these complex issues.
- Comply with All CCPA Provisions
Although the office has focused on certain deficiencies, it has pursued enforcement on a wide variety of topics. The CCPA is a complex law and will only become more complex when the California Privacy Rights Act goes into effect in January 2023 (not to mention dealing with other state privacy laws in Colorado and Virginia).
- Prepare for an Uncertain Future
An interesting aspect of these enforcement efforts is that the office will no longer be the primary regulator of the CCPA in the near future as the California Privacy Protection Agency (“Agency”) will take over that role. Presumably, the Agency will pick up where the office left off; however, there is nothing preventing the Agency from focusing on other topics. That is particularly true given that the CPRA provides for many more topics to be refined through the Agency’s rulemaking process. Further, the CPRA will fundamentally change many aspects of the CCPA, making the law far more complex and nuanced.