Keypoint: The thirteen new enforcement case examples – released just a few months before the CCPA’s right to cure sunsets – provide further insight into the Attorney General’s enforcement priorities.
As we previously reported, last week the California Attorney General’s Office announced its first public settlement for alleged non-compliance with the California Consumer Privacy Act (CCPA), consisting of a $1.2 million penalty as well as injunctive relief. Although much of the discussion since the announcement has been appropriately focused on the contours of the settlement agreement, the Office contemporaneously published thirteen new CCPA enforcement case examples. The new examples add to the twenty-seven examples the Office published in July 2021.
Because the Office does not generally release information to the public about its investigations, the new case examples provide a rare glimpse into the Office’s past year of CCPA enforcement activities. With the CCPA’s thirty day right to cure sunsetting on January 1, 2023, businesses should review these case examples as part of their ongoing compliance efforts.
Below is an overview of the new enforcement case examples.
Types of Entities
As with the initial example cases the Office published in July 2021, the new case examples involve many different types of entities, including consumer retailers (clothing, home goods, household staples, food and beverage, hospitality and home improvement), technology companies, medical device makers, telehealth, fitness, FinTech, telecommunications, and AdTech companies. The wide range of entities indicates the Attorney General’s Office is casting a wide net with its ongoing enforcement actions and is not focused on any specific industry or industries.
Recognition of the Global Privacy Control Signal
There is no doubt the Office is focused on ensuring businesses recognize the Global Privacy Control (GPC) signal. In addition to it being a central focus of the public enforcement action, the Office’s new enforcement case examples state that the Office engaged in an “enforcement sweep” of multiple online retailers resulting in notices alleging “these retailers did not process a consumer’s request to opt-out via a user-enabled global privacy control, as required by the CCPA regulations.” We previously discussed the history of this requirement here. Ultimately, if a business’s website uses tracking technologies, the Office requires the website to recognize the GPC signal as a valid request to opt out of sales.
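The GPC requirement above has a concrete technical shape: the browser sends the opt-out preference as an HTTP request header (`Sec-GPC: 1`) and exposes it to page scripts as `navigator.globalPrivacyControl`. The following is an added illustration, not code from the post or the Attorney General’s Office, of how a site can treat that signal as a valid opt-out of sales; the `optOutOfSale` cookie name and the request object shape are hypothetical.

```javascript
// Added example: honoring a Global Privacy Control signal on the server side.
// Assumes the GPC specification's "Sec-GPC: 1" request header; the cookie name
// and the request object shape (req.headers, req.cookies) are hypothetical.

// HTTP header names are case-insensitive, so look them up accordingly.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === want) return Array.isArray(value) ? value[0] : value;
  }
  return undefined;
}

// Per the GPC spec, only the exact header value "1" expresses an opt-out.
function hasGpcSignal(headers) {
  return getHeader(headers, "Sec-GPC") === "1";
}

// Decide whether third-party advertising/analytics tags that would "sell" or
// "share" personal information may load for this request. The GPC header is
// treated as a valid opt-out request, so it overrides any earlier consent state
// recorded in a cookie; a cookie-based opt-out is honored on its own as well.
function decideSaleOptOut(req) {
  const cookieOptOut = (req.cookies || {}).optOutOfSale === "1"; // hypothetical cookie
  const gpc = hasGpcSignal(req.headers || {});
  const optedOut = gpc || cookieOptOut;
  return {
    optedOut,
    source: gpc ? "gpc-header" : cookieOptOut ? "cookie" : "none",
    // One design choice: persist the opt-out so later requests stay opted out.
    setCookie: gpc && !cookieOptOut ? "optOutOfSale=1; Path=/; Secure; SameSite=Lax" : null,
    loadSaleTags: !optedOut,
  };
}

// Client-side counterpart: browsers that implement GPC expose the same signal
// as a boolean on navigator, which a tag manager can check before firing tags.
function clientHasGpc(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}
```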
Notice of Financial Incentive
The new enforcement case examples also show a focus on businesses complying with the CCPA’s requirement to provide a notice of financial incentive. By way of background, if a business provides consumers with a financial incentive, it must explain to the consumer the material terms of the financial incentive so the consumer may make an informed decision about whether to participate. The CCPA requires the notice to contain certain information such as a summary of the financial incentive offered, a description of the material terms, and how a consumer can opt in. The CCPA regulations define “financial incentive” to mean “a program, benefit, or other offering, including payments to consumers, related to the collection, deletion, or sale of personal information.”
In its enforcement case examples, the Office states that it conducted an “enforcement sweep” and notified multiple businesses that they were “operating loyalty programs that offered financial incentives (including product discounts, service differences and/or reduced prices) for the collection of consumers’ personal information without posting a compliant Notice of Financial Incentive.” To come into compliance, businesses posted appropriate notices at cash registers, revised online disclosures and interfaces, and redesigned loyalty program enrollment methods.
Proper website privacy policies also are a recurrent theme in the new enforcement case examples.
In one of the more basic examples, a business did not provide a notice to consumers with the required CCPA disclosures, including failing to disclose the CCPA’s consumer rights and not providing a “Do Not Sell My Personal Information” link.
In another example, a FinTech mobile application did not notify consumers at or before the point of collection of the categories of personal information it collected and the purposes for the collection. The business remedied the violation by adding a link on the first screen of its mobile application to its notice at collection that included the required information.
Right to Opt Out of Sales
Many of the new enforcement case examples involve alleged violations of the CCPA’s right to opt out of sales. In one example, the business provided a “Do Not Sell My Personal Information” link on its homepage, but the link included confusing choices with unclear language and the use of double negatives. In response, the business simplified its disclosures, “more clearly explained” how it uses third-party cookies, and “allowed consumers to fully opt-out of the sale of personal information, including in connection with targeted advertising.”
Other examples of alleged non-compliance with the right to opt out of sales include:
- Failing to provide a clear and conspicuous “Do Not Sell My Personal Information” link
- Directing consumers to a third-party trade association tool designed to manage online advertising
- Using a “Do Not Sell My Personal Information” link that only worked on certain browsers
- Improperly directing users who clicked on the “Do Not Sell My Personal Information” link to a pop-up option that only discussed how to manage cookies and similar technologies
- Creating a confusing opt-out process
Finally, the new enforcement case examples show a focus on ensuring that California residents can exercise their CCPA rights. The Office identified the following deficiencies in its examples:
- Failing to provide methods for consumers to make requests
- Providing only one method for submitting requests
- Using a non-functional consumer request portal
- Requiring an onerous process for requests, including verification
- Improperly treating requests to know as requests to delete and permanently deleting personal information
- Not allowing consumers to submit opt-out requests and requests to know via authorized agents
- Failing to train individuals handling CCPA requests on the CCPA’s requirements