On Monday, July 19, 2021 the Office of the California State Attorney General (OAG) issued a press release to summarize its first year of CCPA enforcement.

In this press release, OAG urged consumers to take advantage of their CCPA rights, such as the right to know, delete, opt-out of the sale, right to non-discrimination, and rights for minors. In addition, consumers are encouraged to use OAG’s new Consumer Privacy Interactive Tool. It assists consumers with drafting notices of noncompliance that can be sent to a business the consumer believes failed to post a “Do Not Sell My Personal Information” link. OAG stated these consumer-sent notices may start the clock on the business’s 30-day window to cure the violations. Consumers should be aware that any information imputed into the tool is collected by OAG and may be used by OAG for its own enforcement and investigative purposes.

OAG also posted examples of enforcement actions it has taken thus far.

The examples provided by OAG deal with businesses from across a wide range of industries and allege, among other things: improper “Do Not Sell” implementations (e.g., failure to have a “Do Not Sell My Personal Information” link for targeted advertising), inadequate disclosures in privacy policies, inadequate and malfunctioning methods through which consumers could submit requests, inadequate notices at collection, untimely responses to consumer requests, improper disclosures of financial incentives, improper handling of requests from authorized agents, and failure to obtain opt-in consent from minors for the sale of personal informaiton. OAG also reviewed and required updates to service provider agreements where such agreements failed to implement the CCPA restrictions and obligations on services providers.

OAG reported that seventy-five percent of the businesses that received a notice of alleged non-compliance were able to cure the violation within their 30-day window. Of the  remaining twenty-five percent, they are either still within their 30-day cure period or an active investigation is still ongoing. With this in mind, businesses should continue to review their data practices, privacy disclosures, and processes for effectuating consumer rights.

The following provides a high-level summary of the examples OAG provided of its enforcement actions thus far. To summarize, OAG found:

Notice at Collection

An automotive dealership needed to provide a notice at collection before collecting personal information from consumers who wanted to test drive cars.

Methods for Submitting Consumer Requests

A data broker could not require customers to create an account in order to make a CCPA request.

A digital experiences partnership needed to offer a “Do Not Sell My Personal Information” link, and an email address and telephone number for consumers to submit requests.

A children’s toy distributor could not state in the privacy policy that the business could charge a fee for submitting requests to know. (Reminder: Under the CCPA, businesses can only charge a fee where the request is “manifestly unfounded or excessive, in particular because of [it’s] repetitive character.”)

Responding to Consumer Requests

A social media app needed to put processes in place to notify consumers when their requests were received and follow-up responses once the requests were either complied with or denied.

Financial Incentives

A grocery retailer who offered a loyalty program in exchange for a consumer’s personal information needed to provide a notice of financial incentives in the privacy policy.

Do Not Sell My Personal Information

An online pet adoption platform had to allow consumers the ability to fully opt-out of the sale of personal information, including personal information that was exchanged for targeted advertising.

A data broker, dating platform, and ed tech company each needed to have a “Do Not Sell My Personal Information” link on their webpages that was functional.

A mass media and entertainment company with several digital properties in its portfolio needed a “Do Not Sell My Personal Information” link on all of its digital properties that “sell” personal information.

A data broker could not require consumers to be verified before honoring their opt-out requests.

An online provider of consumer electronics that used third-party online trackers to share data with advertisers about consumers’ online shopping either needed to provide OAG with evidence of service provider contractual obligations in place with these third parties or provide consumers the ability to opt-out of the sale of their personal information, including a process to comply with opt-out requests received through user-enabled privacy controls (e.g., a browser extension that signaled the global privacy control).

A social media platform that exchanged personal information about users’ online activities with various third-party analytics providers needed to provide the required notices and methods to opt-out of the sale personal information. The social media platform chose to remove all third-party trackers from the app and website. The OAG found this acceptable.

The following opt-out methods were alleged to be non-compliant with the CCPA:

  • directing consumers to a third-party trade association’s tool designed to manage online advertising (mass media and entertainment company, pet adoption platform)
  • adding a disclosure that hitting an “accept sharing” button when creating a new account is consent to the selling of that personal information (dating platform)
  • directing consumers to limit future tracking by visiting their mobile device settings (location data data broker)
  • using a webform that allows a user to opt-out of data collection instead of clearly stating that the webform is used to effectuate a consumer’s opt-out rights (location data data broker)

Privacy Policy Disclosures

An ed tech company, clothing retailer, video game distributor, grocery retailer, online email marketing company, online event sales company, online platform, and children’s toy distributor each needed to (i) provide notice of the required CCPA consumer rights including the right to know, delete, and to not be discriminated against for exercising CCPA rights; and (ii) list the categories of personal information they disclosed or sold in the past 12 months.

An ed tech company, clothing retailer, video game distributor, grocery retailer, and automotive dealership each needed to include the methods for consumers to exercise their CCPA rights and those methods needed to function as described.

A video game distributor, grocery retailer, online email marketing company, clothing retailer, dating platform, online event sales company, online platform, and children’s toys distributor each needed to explicitly state whether or not they had sold personal information in the past 12 months.

A digital experiences partnership needed to provide notice on how personal information was collected, used, and sold.

A grocery retailer needed notice of the right to opt-out of the sale of personal information.

An online platform needed a privacy policy that was easy to read and understandable to the average consumer without use of unnecessary legal jargon.

Authorized Agents

An online pet adoption platform could not require an authorized agent to submit a notarized verification of authorization.

A grocery retailer, automotive dealership, and mass media and entertainment company needed to disclose in the privacy policy how a consumer’s authorized agent could submit requests and the requirements for verifying such requests.

Minors

An online gaming company that made personal information of its users available for third-party mobile advertising purposes, including personal information of minors aged 13 to 15 years old, needed to provide an opt-out mechanism and obtain opt-in consent from minors. The online gaming company chose to stop sharing personal information for those advertising purposes and instituted other privacy protections directed at younger users, including age-gating and parental verification features.

Service Providers

An email marketing company that took the position it was a service provider needed to provide OAG with evidence of the company’s status as a service provider, confirmation that personal information obtained and processed for one customer was not used to provide services to another customer, and revise the company’s terms of service to include that the company acted as a service provider under the CCPA.

A social media network needed to update its service provider contracts in order to prevent the service providers from retaining, using, or disclosing personal information received for any purpose other than performing the services specified in the contracts.

An online advertising company that acted as both a service provider and a business needed to:

  • In the privacy policy, accurately describe both its position as a service provider and as a business, even if the primary function was as a service provider; and
  • In service provider contracts, include the necessary restrictions on the use of personal information.