The California Attorney General began enforcing the California Consumer Privacy Act (“CCPA”) more than a year ago and recently released a number of examples of enforcement actions it has pursued against companies. The examples are anonymized and do not represent a complete list of all enforcement cases, but the descriptions offer helpful guidance for businesses governed by the law. Even companies that mostly handle personal information exempt from the CCPA may find a review of the examples useful, as it highlights the AG’s enforcement strategy and priorities and indicates how the AG interprets the legal requirements.
The AG’s press release notes that companies currently have 30 days to cure suspected non-compliance after receiving notice of alleged non-compliance. However, businesses should be aware that this 30-day cure period ends in 2023, when the CCPA is amended by the California Privacy Rights Act, passed by California voters last year. Organizations that take note of these examples now can be one step ahead in their own CCPA compliance. Here is a quick summary of some key examples:
Relationship with the company receiving data for online advertising and analytics – is it a “sale” to a third party or a transfer to a service provider?
A striking number of the examples focus on the use of data for targeted advertising and analytics. In several examples, the AG referred to companies engaged in targeted advertising that involved exchanging personal information. In one example, the AG referred in particular to a retailer that used third-party tracking technology on its website and passed data about consumers’ shopping activity to advertisers. The AG found that the company had not established a service provider relationship with the advertiser receiving the data.
Takeaway: Companies should thoroughly analyze who receives their data and how each relationship is characterized, including for online marketing and analytics purposes. Companies that rely on service providers should remember to enter into service provider agreements that contractually prohibit the service provider from retaining, using or disclosing personal information beyond what the law permits.
Third-party trackers – what data is analyzed, and how can consumers opt out of its use?
One example related to the use of third-party trackers for site analytics purposes. However, the AG does not describe what type of data was at issue in this example, so it is not clear how that data met the CCPA’s definition of “personal information.” Another example indicates that it may be necessary to honor the “Global Privacy Control” browser signal (available as a browser setting or extension), which allows website visitors to opt out of data collection by third-party online trackers such as cookies.
Takeaway: Companies that use third-party trackers such as cookies on their websites should consider whether providing opt-out rights, establishing service provider relationships, or both, are the appropriate response.
Opt-out – what is an effective mechanism?
In other examples, the AG indicated that a company failed to meet the opt-out requirements for online advertising by simply directing consumers to third-party opt-out tools, possibly the tools provided by the Network Advertising Initiative and the Digital Advertising Alliance.
Takeaway: Companies subject to the CCPA’s opt-out requirements should ensure that they do not use verification procedures such as
The company is a financial institution as defined by the GLBA – does it still need to think about CCPA compliance?
Yes. For example, car dealers should consider the personal information they collect that is not regulated by the Gramm-Leach-Bliley Act and is therefore subject to the CCPA: one enforcement example points to a dealer that collected personal information from consumers taking test drives without providing a notice at collection.
Takeaway: Financial institutions should conduct data inventories to assess whether they collect or disclose records that are subject to the CCPA.
Privacy program – what do the examples say?
Takeaway: Organizations should ensure that their privacy programs are integrated across the organization and capture all data practices and any changes to those practices. The examples also show that the AG pays attention to consumer complaints. It is therefore important that companies have a good complaint management program in place and respond to consumer complaints.
The privacy program has been implemented – so the work is done, right?
No. Companies should remember that they cannot set up a CCPA compliance program and then leave it alone. The CCPA will change in 2023 under the California Privacy Rights Act, which adds new requirements for companies subject to the law and transfers enforcement to a new agency, the California Privacy Protection Agency. That agency is also beginning a rulemaking process to issue regulations reflecting the changes to the CCPA. And over time, as these enforcement examples show, we will continue to learn more about how regulators interpret the CCPA and what their enforcement priorities are.
Takeaway: As with any good compliance program, organizations should routinely review their CCPA compliance program to ensure that legal updates are captured and that adjustments are made for changes in both business practices and the law, taking appropriate account of consumer complaints and inquiries.
Qualified counsel can help companies work through practical compliance approaches to each of these questions as they apply to your company and its processes.
Companies can find the examples of enforcement cases here: https://oag.ca.gov/privacy/ccpa/enforcement