Today (once again in connection with Data Privacy Day), California Attorney General Rob Bonta released a statement that his office has sent another round of warning letters to businesses for alleged failure to comply with the CCPA. According to the statement, the Attorney General sent letters to businesses with mobile apps (specifically in the retail, travel, and food services industries) that allegedly violated the CCPA by:
- Failing to comply with consumer Do Not Sell opt-out requests or not offering a Do Not Sell opt-out mechanism.
- Failing to process consumer requests (specifically opt-out and deletion requests) submitted via authorized agents (including through a company called Permission Slip).
While the statement is brief, it provides some key insights into CCPA enforcement:
- Do Not Sell is still the top issue for California regulators. If you engage in targeted advertising and don’t offer a Do Not Sell mechanism, you are well behind with your compliance.
- Offering a mechanism to address consumer requests is not sufficient by itself. You need to make sure you adequately address consumer requests, including those made by authorized agents.
- To my knowledge, this is the first time the Attorney General has referenced a specific authorized agent. It reminds me of when the Attorney General tweeted about Global Privacy Control (GPC) in 2021. Businesses should pay special attention to authorized agent requests received from Permission Slip.
- California regulators are paying special attention to mobile apps, in part, because of “the wide array of sensitive information that these apps can access”. This lines up with CPRA concerns around precise location data, which is often associated with mobile devices.
- Although the CPRA took effect at the beginning of January, there is a grace period for enforcement. The Attorney General is still enforcing the CCPA so that grace period does not mean that businesses do not need to comply with obligations already under CCPA, such as relating to Do Not Sell or GPC. Also, any provisions that sunset in January under CCPA (such as the B2B and employment exceptions) are now fair game for the Attorney General.
- The statement claims that there is a need for user-enabled global privacy control for mobile operating systems. This seems to be an acknowledgement by the Attorney General that there are technical limits to GPC in connection with mobile devices, and that may be why this round of warning letters (seemingly) does not reference GPC. Expect further enforcement around GPC.
We will continue to monitor for updates to California privacy law and regulatory enforcement.
"On this Data Privacy Day and every day, businesses must honor Californians’ right to opt out and delete personal information, including when those requests are made through an authorized agent. Today’s sweep also focuses on mobile app compliance with the CCPA, particularly given the wide array of sensitive information that these apps can access from our phones and other mobile devices. I urge the tech industry to innovate for good — including developing and adopting user-enabled global privacy controls for mobile operating systems that allow consumers to stop apps from selling their data."