Earlier this week, the California AG announced its first public enforcement action and settlement for alleged violations of CCPA as well as updated its website to include new enforcement case examples. In light of these developments, here are some key takeaways for your business:
Noncompliance is Expensive. The settlement provides the first true insight into the costs of noncompliance. The settlement includes a monetary penalty of $1.2 million. In addition, the settlement requires remediation of noncompliance, implementation and maintenance of a program for two years to ensure effective processing of opt-out requests, internal reviews for two years of tracking technologies and contracts, and annual reporting to the AG.
Take Advantage of the Notice to Cure. While it may seem that there has been a lack of enforcement action for violations of CCPA, that actually isn’t true. CCPA provides a 30 day right to cure, and the AG has issued numerous notices to cure over the past two years. Prior to this enforcement action, all alleged violations had been handled behind closed doors, and the AG had posted enforcement case examples without listing names. This enforcement action is the first time a business allegedly did not address the AG’s notice to cure. If your business receives a notice from the AG regarding alleged CCPA violations, address it promptly.
The Window to Cure is Ending. The CCPA’s 30 day right to cure ends once CPRA takes effect in January 2023. Under CPRA, notice to cure is discretionary. Further, the AG has stated that not all CCPA violations are curable. Accordingly, expect to see many public enforcement actions and settlements for alleged violations of CCPA in the near future. Do not build your business’s CCPA compliance relying on a right to cure.
Targeted Advertising is a Sale. Once again, the AG has made clear that it considers targeted advertising to be a “sale” under CCPA and to require an opt-out. The AG brought the enforcement action based on alleged use of tracking technologies on a website without addressing sale obligations under CCPA. If your business engages in targeted advertising, you need to address sale obligations.
Sales Require Notice and Opt-Out. Under CCPA, where a business sells personal information, it must state so in its privacy policy and provide a readily accessible Do Not Sell My Personal Information link in the footer of its website/app. According to the AG, the business in the enforcement action did neither, and stated it does not sell personal information. Stating you don’t sell personal information and not providing an opt-out are low hanging fruit for the AG. If your business engages in targeted advertising, you need to provide appropriate notice in your privacy policy as well as an opt-out mechanism.
Responding to Do Not Sell Signals is Mandatory. This point is controversial. The AG has taken the position that businesses must honor global opt-out signals. That means that where a consumer activates a setting in their browser to opt-out of sales and the consumer visits a business’s website, the business must read the signal and automatically treat the signal as a request to opt-out. Per the AG, the AG did a wide sweep of large retail websites to see whether they included tracking technologies, and, if so, tested whether the websites responded to global opt-out signals sent via Global Privacy Control (GPC). This enforcement action (and many of the enforcement case examples) was brought on grounds that the business failed to honor global opt-out signals. Given the AG’s focus on global opt-out signals (and the CPRA Regs making honoring signals an express requirement), any businesses that don’t honor signals (specifically GPC) should strongly consider changing their practices.
Google Technologies are on the Radar. In the enforcement action, the AG refers to a “widely-available” analytics and advertising service and “restricted data processing” (RDP). RDP is a term used specifically by Google for CCPA opt-outs. It is likely the AG brought enforcement actions against businesses that used Google tracking technologies on their websites. If your business uses any Google tracking technologies, you should carefully review obligations under CCPA.
Review Your Contracts. The AG repeatedly discusses the importance of executing contracts with service providers that meet all the requirements under CCPA. This means drafting contracts with CCPA-specific language, not just stating that each party will comply with applicable privacy law. If a contract requires you as the business to take specific technical measures so the recipient will act as a service provider, you need to take those measures.
Review Your Loyalty Programs. Through the examples, the AG reminds companies yet again they must comply with the financial incentive obligations under CCPA.
"My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls."
unknownx500
