Keypoint: The thirteen new enforcement case examples – released just a few months before the CCPA’s right to cure sunsets – provide further insight into the Attorney General’s enforcement priorities.

As we previously reported, last week the California Attorney General’s Office announced its first public settlement for alleged non-compliance with the California Consumer Privacy Act (CCPA), consisting of a $1.2 million penalty as well as injunctive relief. Although much of the discussion since the announcement has been appropriately focused on the contours of the settlement agreement, the Office contemporaneously published thirteen new CCPA enforcement case examples. The new examples add to the twenty-seven examples the Office published in July 2021.

Because the Office does not generally release information to the public about its investigations, the new case examples provide a rare glimpse into the Office’s past year of CCPA enforcement activities. With the CCPA’s thirty-day right to cure sunsetting on January 1, 2023, businesses should review these case examples as part of their ongoing compliance efforts.

Below is an overview of the new enforcement case examples.

Types of Entities

As with the initial example cases the Office published in July 2021, the new case examples involve many different types of entities, including consumer retailers (clothing, home goods, house staples, food and beverage, hospitality and home improvement), technology companies, medical devices, telehealth, fitness, FinTech, telecommunications, and AdTech. The wide range of entities indicates the Attorney General’s Office is casting a wide net with its ongoing enforcement actions and is not focused on any specific industry or industries.

Recognition of the Global Privacy Control Signal

There is no doubt the Office is focused on ensuring businesses recognize the Global Privacy Control (GPC) signal. In addition to it being a central focus of the public enforcement action, the Office’s new enforcement case examples state that the Office engaged in an “enforcement sweep” of multiple online retailers resulting in notices alleging “these retailers did not process a consumer’s request to opt-out via a user-enabled global privacy control, as required by the CCPA regulations.” We previously discussed the history of this requirement here. Ultimately, if a business’s website uses tracking technologies, the Office requires the website to recognize the GPC signal as a valid request to opt out of sales.

Notice of Financial Incentive

The new enforcement case examples also show a focus on businesses complying with the CCPA’s requirement to provide a notice of financial incentive. By way of background, if a business provides consumers with a financial incentive, it must explain to the consumer the material terms of the financial incentive so the consumer may make an informed decision about whether to participate. The CCPA requires the notice to contain certain information such as a summary of the financial incentive offered, a description of the material terms, and how a consumer can opt in. The CCPA regulations define “financial incentive” to mean “a program, benefit, or other offering, including payments to consumers, related to the collection, deletion, or sale of personal information.”

In its enforcement case examples, the Office states that it conducted an “enforcement sweep” and notified multiple businesses that they were “operating loyalty programs that offered financial incentives (including product discounts, service differences and/or reduced prices) for the collection of consumers’ personal information without posting a compliant Notice of Financial Incentive.” To come into compliance, businesses posted appropriate notices at cash registers, revised online disclosures and interfaces, and redesigned loyalty program enrollment methods.

Privacy Policy Disclosures

Proper website privacy policies also are a recurrent theme in the new enforcement case examples.

In one of the more basic examples, a business did not provide a notice to consumers with the required CCPA disclosures, including failing to disclose the CCPA’s consumer rights and not providing a “Do Not Sell My Personal Information” link.

In another example, a business failed to describe the information a consumer must provide to make a verifiable request, list the categories of personal information it collected and disclosed in the past twelve months, and list the categories of third parties for each category of personal information it disclosed for a business purpose. The business’s notice at collection also incorrectly linked to the beginning of the business’s privacy policy instead of the relevant section.

In a third example, a FinTech mobile application did not notify consumers at or before the point of collection of the categories of personal information it collected and the purposes for the collection. The business remedied the violation by adding a link in the first screen of its mobile application to its notice at collection that included the required information.

Right to Opt Out of Sales

Many of the new enforcement case examples involve alleged violations of the CCPA’s right to opt out of sales. In one example, the business provided a “Do Not Sell My Personal Information” link on its homepage, but the link included confusing choices with unclear language and the use of double negatives. In response, the business simplified its disclosures, “more clearly explained” how it uses third-party cookies, and “allowed consumers to fully opt-out of the sale of personal information, including in connection with targeted advertising.”

Other examples of alleged non-compliance with the right to opt out of sales include:

  • Failing to state whether the business sold personal information in its privacy policy
  • Failing to provide a clear and conspicuous “Do Not Sell My Personal Information” link
  • Directing consumers to a third-party trade association tool designed to manage online advertising
  • Using a “Do Not Sell My Personal Information” link that only worked on certain browsers
  • Improperly directing users who clicked on the “Do Not Sell My Personal Information” link to a pop-up option that only discussed how to manage cookies and similar technologies
  • Creating a confusing opt-out process

Consumer Requests

Finally, the new enforcement case examples show a focus on ensuring that California residents can exercise their CCPA rights. The Office identified the following deficiencies in its examples:

  • Failing to provide methods for consumers to make requests
  • Providing only one method for submitting requests
  • Using a non-functional consumer request portal
  • Requiring an onerous process for requests, including verification
  • Improperly requiring consumers to accept a business’s privacy policy and terms of use to exercise their CCPA rights
  • Improperly treating requests to know as requests to delete and permanently deleting personal information
  • Not allowing consumers to submit opt-out requests and requests to know via authorized agents
  • Failing to train individuals handling CCPA requests on the CCPA requirements