California attorney general’s office imposes first fine for violation of the CCPA
This August, the AG announced a $1.2 million settlement with a retailer for violations of the CCPA and the California Unfair Competition Law (UCL). This is the first public example of CCPA enforcement activity resulting in a monetary penalty, along with injunctive terms and reporting provisions. The AG learned of the retailer’s non-compliance during its June 2021 enforcement sweep, which assessed whether large retailers continued to sell personal information (PI) after a consumer indicated an opt-out via a GPC signal. Through its investigation, the AG determined that the retailer did not appear to recognize consumer opt-outs through GPC, which meant that consumer personal information may have been passed to third-party companies as a “sale.” The investigation also uncovered that the retailer’s privacy policy stated that the retailer did not sell PI, while concurrently stating that the retailer shared consumers’ geolocation data and internet or other electronic network activity with third parties. The AG determined that the retailer also violated the UCL, claiming that it made false or misleading statements related to the sale of consumers’ PI while “unfairly depriving” consumers of the ability to opt out of any such sales.
The settlement is part of the AG’s ongoing, aggressive enforcement of the CCPA. In his announcement of the settlement, the AG stated that the enforcement action should send “a strong message to businesses that are still failing to comply with California’s consumer privacy law” and that his office will hold them accountable for violations. The AG also stated that there are “no more excuses” for non-compliance. As a result, businesses should expect increased enforcement in this area.
Additional enforcement activities
Beyond more recent enforcement actions, the AG published a list of additional non-compliance by businesses that it discovered but which were cured under the law. This list of otherwise non-public enforcement activities provides further insight into the AG’s enforcement focus, which spans a wide range of topics. The AG sent non-compliance letters to a number of businesses, ranging from FinTech to health care and retailers. Some of the more notable concerns were as follows:
- Failure to include certain financial incentive disclosures related to programs where consumers were incentivized with some benefit – such as discounts, coupons or loyalty points – in exchange for more personal information. See our previous post for more information.
- Lack of training of staff to manage personal information in accordance with the CCPA.
- Confusing opt-out processes, such as unintuitive toggle options, broken or incompatible links, or an opt-out process that required multiple steps.
In addition to these call-outs, a lack of meaningful disclosures and of a functional opt-out-of-sale mechanism was a common thread among most of the published violations. The AG also focused on some less obvious non-compliance, such as links that do not take a user to a specific privacy policy section, inaccurate data collection disclosures, onerous verification processes, or an inability to make requests through a third-party agent.
Lessons learned and next steps for businesses
There are several lessons clients should heed if they are subject to the CCPA:
1. Any business subject to the CCPA should evaluate its loyalty programs and related offers (e.g., “enter your email for 10% off”) to determine whether it needs to update its privacy policy to account for the CCPA’s financial incentive disclosures. Businesses should ensure proper disclosure of such programs in their privacy policies.
2. Privacy compliance should not be left to one person – businesses should create teams to address the requirements of the CCPA and train those team members to recognize privacy risks, appropriately respond to consumer requests, understand triggers for the “sale” of personal information, and identify when new personal information types are collected, shared or used by the business.
3. Businesses should review their privacy policies and ensure there is an accurate disclosure addressing whether the business is selling consumer PI.
- A “sale” occurs when there is a transfer of PI for a monetary or non-monetary benefit. The definition has been broadly interpreted, such that businesses that share personal information with third parties but do not restrict such third parties from processing the personal information for the third parties’ own benefit may be engaging in the “sale” of personal information. Whether a business sells or does not sell personal information must be disclosed in the company’s privacy policy in a conspicuous manner.
- Relatedly, privacy policies and websites must include a “Do Not Sell My Personal Information” link which is functional and operative on all devices/browsers. The opt-out process must not require disproportionate effort. The privacy policy should clearly describe the opt-out process.
- Any links to the privacy policy should take users directly to the relevant section of the policy, whenever possible; a general reference and link to the top of the privacy policy page is likely insufficient if there is a specific section that is relevant for the purpose of the link.
4. Businesses must incorporate automatic processing of GPC into their websites.
- To honor GPC, a business must update how it handles the storage of user-related personal information such as IP addresses, user agent strings, and cookie data, so that these identifiers are not tracked across the company’s website while a user is visiting. To do this, the business should check for the special “Sec-GPC” request header on the back-end of the site, either by inspecting the HTTP request or through a script that runs after a page loads. Once the signal is detected through either of these methods, the business should decide how to turn off data tracking, depending on which content management system (CMS), customer relationship management (CRM) system, and tech stack the company uses. After implementation, it is important for the business’s website developer to test across all GPC-capable browsers and browser extensions. As a best practice, website visitors should also be given a manual option to opt out of being tracked on the business’s website so they can choose how their data is used by the company.
5. Businesses should review their contracts with vendors, contractors, and service providers to ensure the transfer and handling of PI does not inadvertently constitute a “sale.”
- In its complaint, the AG stated that having “valid service-provider contracts in place with each third-party” is an “exception to ‘sale’ under the CCPA.” In light of this exception, businesses should modify their contracts with service providers to comply with the requirements of the CCPA.
- If the business purposefully engages with a third party that does not qualify as a service provider, the business should ensure it complies with “sale” procedures and provides proper opt-outs as discussed above.
6. Businesses should act promptly within the 30-day cure period to rectify any defects in their privacy practices upon notice from the AG or another entity.
- Any business that receives a notice of violation(s) from the AG should take immediate action to update its privacy practices and bring them into compliance with the CCPA.
Additionally, even businesses without a physical presence in California should review the requirements of the CCPA and ensure compliance with its provisions. The CCPA is focused on enhancing privacy protections for California consumers, and does not exempt businesses located in other states. The CCPA affects all for-profit businesses that do business in California and (1) have a gross annual revenue of over $25 million; (2) buy, receive, or sell the PI of 50,000 or more California residents, households, or devices; or (3) derive 50 percent or more of their annual revenue from selling California residents’ PI.
As clients prepare for compliance with the CPRA, which is an update to the CCPA, clients should: (1) re-evaluate their privacy disclosures for accuracy; (2) confirm that rights-request processes are in place and up to date; and (3) assess whether their websites and mobile apps (especially those that contain third-party trackers or other AdTech solutions) are configured to appropriately monitor and honor user-enabled opt-out preference signals such as the GPC.
- The GPC is a specification that can be set by users’ internet browsers and extensions to automatically convey an opt-out from the sale of PI. The use of such tools avoids the users having to exercise their right by clicking the “Do Not Sell My Personal Information” link on each website they visit.
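The header check described in lesson 4 and the browser-side signal described above, as an added example in Node.js that is not part of this alert. It assumes an Express-style request object, a hypothetical cookie named `dns_opt_out` for the manual “Do Not Sell” choice, and a `navigator`-like object passed in for the client-side check.

```javascript
// Added example: honouring a Global Privacy Control (GPC) opt-out signal.
// Per the GPC specification the request header is "Sec-GPC" and the only
// defined value is "1"; anything else (absent, "0", "true") is not a signal.
function gpcSignalPresent(headers) {
  // Node lowercases header names; tolerate a caller that did not.
  const raw = headers['sec-gpc'] ?? headers['Sec-GPC'];
  if (raw === undefined) return false;
  // Repeated headers are joined with ", " by Node; only a clean "1" counts.
  return String(raw).trim() === '1';
}

// The same signal as seen by a script running after page load: the browser
// exposes a boolean navigator.globalPrivacyControl. The object is passed in
// so the check can also be exercised outside a browser.
function clientSignalPresent(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Manual opt-out chosen via the "Do Not Sell My Personal Information" link.
// The cookie name "dns_opt_out" is a constructed name for this example.
function manualOptOut(cookieHeader) {
  if (!cookieHeader) return false;
  return cookieHeader.split(';').some((c) => c.trim() === 'dns_opt_out=1');
}

// Decide whether third-party "sale" tags (ad tech, data brokers) may load.
// Either the automatic signal or the manual choice is sufficient to opt out.
function decideTracking(req) {
  const gpc = gpcSignalPresent(req.headers || {});
  const manual = manualOptOut((req.headers || {}).cookie);
  return { gpc, manual, allowSaleTrackers: !(gpc || manual) };
}

// Express-style middleware (hypothetical app): record the decision on the
// request so templates can omit tracker tags, and keep an audit trail that
// the signal was recognised, which is what the AG's sweep tested for.
function gpcMiddleware(req, res, next) {
  req.privacy = decideTracking(req);
  console.log(`gpc=${req.privacy.gpc} manual=${req.privacy.manual} ` +
              `saleTrackers=${req.privacy.allowSaleTrackers}`);
  next();
}

// Constructed requests for a quick self-check when run directly.
const samples = [
  { headers: { 'sec-gpc': '1' } },
  { headers: { 'sec-gpc': '0' } },
  { headers: { cookie: 'session=abc; dns_opt_out=1' } },
  { headers: {} },
];
for (const r of samples) gpcMiddleware(r, {}, () => {});
```

Only the `allowSaleTrackers` result should gate loading of third-party tags; a site that merely logs the signal but still fires those tags has not honored the opt-out.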
In-depth 2022-353