Not since the disappearance of Amelia Earhart have people been more perplexed. Which companies were the early targets of the California Attorney General’s enforcement of the California Consumer Privacy Act (“CCPA”) and on what basis? We finally have a partial answer.

On July 19, the California Attorney General released an enforcement report and launched a new interactive tool through which consumers can draft a “non-compliance” notice to companies that allegedly lack a “Do Not Sell My Personal Information” link on their websites or mobile apps. Based on the CCPA enforcement actions reported, continuing your company’s efforts to comply with the CCPA, no matter your industry, will be vital in the coming months.

The good news is that most companies receiving violation notices are successfully curing their alleged CCPA violations. The Attorney General’s Office reported that in the first year of enforcement, 75% of the companies that received CCPA non-compliance notices cured the alleged violation, while the remaining 25% are still within the 30-day cure period or are under continuing investigation. The California Attorney General did not give details regarding each non-compliance notice and did not provide a total number of enforcement actions taken. However, the Attorney General did provide 27 examples of instances in which his Office sent non-compliance notices and the company cured the alleged violations.

The 27 enforcement examples released by the Attorney General show early CCPA enforcement targeted a variety of industries on a number of different aspects of CCPA non-compliance. Recipients of non-compliance notices included an online dating company that allegedly sold personal information and lacked a “Do Not Sell My Personal Information” (“DNSMPI”) link, a grocery chain which allegedly did not provide a notice of financial incentive to consumers participating in a loyalty program, and an automotive company that allegedly collected information from consumers who test drove vehicles without providing a notice at collection. Other industries targeted included children’s toys, email marketing, social media, online event planning, education technology, advertising technology, online classified ads, media, pet, data broker, manufacturing, retail, video game, and clothing.

Of the more than a dozen CCPA issues represented in the 27 enforcement examples, the majority centered on the adequacy of a company’s privacy policy, such as whether consumers were provided methods to exercise CCPA rights such as the right to know and delete, whether a list of categories of personal information was disclosed, and whether a statement affirming or disclosing if a company sold personal information in the last 12 months was included.

The enforcement examples also touch on consumers’ ability to exercise CCPA rights without barriers. The California Attorney General instructed companies to remove a requirement to provide notarized verification as part of the rights request process, to cease charging a fee for processing CCPA requests to know, to remove verification requirements in connection with requests not to sell personal information, and to revise policies to ensure the average consumer understands the text.

The report also highlights the use of cookies, pixels, and other trackers on websites and mobile apps and clarifies the requirement in connection with many cookies and trackers for website or mobile app operators to: enter data processing agreements with cookie/tracker providers, provide DNSMPI rights in connection with cookies/trackers, or remove cookies and other trackers from their websites and mobile apps.

To further ease consumer burdens in making CCPA requests and reports, the California Attorney General created the Consumer Privacy Interactive Tool, a tool that helps consumers draft a non-compliance notice to send to companies. This tool asks consumers guided questions based on the CCPA and then generates a notice for consumers to send to an allegedly non-compliant company. The California Attorney General will have access to the violations reported through the tool and may take action based on them.

So far, the tool is limited to complaining about failure to post a DNSMPI link, but may include other CCPA violations in the future. With the launch of this tool, companies which are not required to have a DNSMPI link will likely receive an increase in unwarranted consumer complaints regarding the CCPA.

The Attorney General’s enforcement update solves some of the mysteries of CCPA enforcement, but questions remain. The outcome for the 25% of companies that are still within the 30-day cure period or are involved in an ongoing investigation is unclear, as the California Attorney General’s Office may sue some of these companies. Another consideration is that the California Attorney General will eventually share CCPA enforcement responsibility with the newly established California Privacy Protection Agency (“CPPA”). The CPPA will administratively enforce the California Privacy Rights Act and the CCPA, while the California Attorney General will retain civil enforcement authority over these statutes. Thus, while the California Attorney General’s first-year update is helpful, the update may not be instructive once the CPPA assumes administrative enforcement power in July 2023.

In addition, the report reminded all consumers that under the CCPA, California consumers have the following rights:

  • Right to Know – Consumers may request that a business tell them what specific personal information they have collected, shared, or sold about them, and why it was collected, shared, or sold.
  • Right to Delete — Consumers may request that a business delete personal information that the business collected from the consumer, subject to some exceptions.
  • Right to Opt-Out — If a business sells their personal information, consumers may request that it stop doing so.
  • Rights for Minors — A business cannot sell the personal information of minors under the age of 16 without their permission and, for children under 13, without parental consent.
  • Right to Non-Discrimination — A business may not discriminate against consumers who exercise their rights under the CCPA.

With CCPA enforcement underway and a non-compliance notice tool available to consumers, companies should remain vigilant in seeking to comply with the CCPA.

The Labor and Employment Practice Group provides a wide range of services to employers, including counseling, employee handbooks, employment audits, wage and hour litigation, harassment training and litigation, PAGA litigation, trade secrets protection and litigation, unfair competition litigation, and defense of class actions. For further information contact Greg Norys, head of the firm’s Labor and Employment Practice Group.

About the Firm:

Established in 1994, Coleman & Horowitt, LLP is a state-wide law firm focused on delivering responsive and value driven service and preventive law. The firm represents businesses and their owners in matters involving transactions, litigation, agriculture & environmental regulation and litigation, intellectual property, real estate, estate planning and probate. The Firm has been recognized as a “Top Law Firm” (Martindale Hubbell) and a “Go-To” Law Firm (Corporate Counsel). From six offices in California, and the Firm’s membership in Primerus, a national and international society of highly rated law firms (www.primerus.com), the Firm has helped individuals and businesses solve their most difficult legal problems. For more information, see www.ch-law.com and www.Primerus.com.