Keypoint: In only its second public enforcement settlement, the California Attorney General announced a $375,000 fine along with injunctive relief.

On February 21, 2024, the California Attorney General announced that it had reached a settlement with a company, resolving allegations that the company violated the California Consumer Privacy Act (CCPA) and California Online Privacy Protection Act (CalOPPA). This is only the second time the Attorney General’s office has publicly announced a settlement. In August 2022, the office announced a settlement over allegations that a company failed to disclose that it was selling consumers’ personal information and failed to process opt-out requests via user-enabled global privacy controls.

In announcing the enforcement action, Attorney General Bonta stated “I hope today’s settlement serves as a wakeup call to businesses: The CCPA has been in effect for over four years now, and businesses must comply with this important privacy law. Violations cannot be cured, and my office will hold businesses accountable if they sell data without protecting consumers’ rights.”

In the below article we provide a brief overview of the settlement.

Background

According the the Attorney General’s complaint, the defendant company collected the personal information of its customers through its website and mobile application. That information included names, addresses, and transaction history.

Beginning in 2018, the company participated in two marketing cooperatives in which unrelated businesses contributed their customer personal information “for the purpose of advertising their own products to customers from the other participating businesses. The marketing co-op then combines, analyzes, and uses the information to target mailed advertisements to potential new customers on behalf of participating businesses.”

In January 2020 – shortly after the CCPA first went into effect – the company again transferred consumer names, addresses, and transaction histories to the marketing cooperative. According to the complaint, the exchange was made for “the opportunity to advertise [the company’s] services directly to the customers of the other participating companies.” Because the company received a benefit for sharing the personal information, the transfer constituted a CCPA sale. However, the company did not disclose the sale in its privacy policy or provide an opt-out link on its website and mobile application.

The Attorney General’s office first sent a notice of violation in September 2020. At the time, the CCPA had a 30-day right to cure provision, which has since expired. Although the right to cure existed, the Attorney General found that the company was unable to cure the violation because it was unable to “make affected consumers whole by restoring them to the same position they would have been in if their data had never been sold.” Among other reasons, the Attorney General argued that a cure was not possible because the “consumer personal information and inferences . . . had already been sold downstream to other companies and beyond the marketing co-op’s members, including to a data broker that re-sold the data many times over.” The company also did not contractually restrict the marketing cooperative’s use of the personal information.

The Attorney General alleged violations of both CalOPPA (a predecessor law to the CCPA) and the CCPA. The office alleged that the company violated the CCPA by failing to disclose the sale of personal information and provide consumers with the right to opt out of sales. The complaint alleged that each sale of consumer personal information was a violation of multiple statutory and regulatory provisions.

With respect to CalOPPA, the office alleged that the company’s privacy policy failed to inform consumers that their personal information would be shared with marketing cooperatives or that they may receive unsolicited advertisements from unrelated companies based on the information they provided to the company.

Settlement

Pursuant to the proposed settlement, the company will pay a $375,000 fine. In addition, the settlement requires the company to comply with various provisions of the CCPA and CalOPPA, for a period of three years implement and maintain a compliance program to assess and monitor whether it is selling or sharing the personal information of consumers and, if so, evaluate whether it is complying with the CCPA’s requirements regarding same. The company will also have to, for a period of three years, annually certify compliance to the Attorney General’s office.