Lessons learned from the California AG’s CCPA enforcement announcement

The California Attorney General recently released information concerning its first year of enforcement activity under the California Consumer Privacy Act (CCPA). The AG provided illuminating examples of its investigations of businesses across various industries, dating back to July 1, 2020, the first day that CCPA enforcement began. The AG’s examples are noteworthy in that they document non-compliance with some of the most basic, and easiest-to-implement, requirements of the CCPA. As discussed below, the AG’s announcement and related actions signal continued, and likely increased, enforcement in the days ahead. Businesses that are subject to the CCPA should undertake the necessary actions to ensure compliance with all facets of the law.

Highlights of Examples Included in the AG’s Announcement

Failure to Provide Required Notices to Consumers

Several of the AG’s example enforcement actions arose out of businesses’ failure to provide required notices concerning consumer rights under the CCPA, such as the rights to know, to delete, and to not be discriminated against. In one example, a grocery store chain did not provide a Notice of Financial Incentive to consumers participating in a customer loyalty program. In another case, an automotive company failed to provide required information at the time it collected personal information from consumers who test drove vehicles. Other examples include failure to provide notice about how authorized agents may submit CCPA requests on behalf of consumers and how to opt out of sales of personal information. In addition, a number of businesses failed to include “Do Not Sell My Personal Information” links on their websites.

Non-Compliant Privacy Policy

The AG cited numerous examples of privacy policies that lacked required notices concerning consumer rights and the methods to exercise those rights, and that failed to state whether or not personal information had been sold over the past 12 months. In one example, the business claimed in its privacy policy that it could charge a fee for processing right-to-know requests. Another business’s privacy policy stated that by clicking an “accept sharing” button when creating a new account, consumers provided blanket consent to the sale of their personal information.

Non-Compliant Service Provider Contracts

Some businesses failed to include required restrictions on the use of processed personal information in their contracts with third-party service providers. Specifically, these businesses failed to prohibit service providers from retaining, using, or disclosing the personal information they received for any purpose other than performing the services specified in the contracts.

What Does This Mean for Businesses?

The AG’s announcement demonstrates that businesses of all sizes and industries can be taken to task for violations of the CCPA. Although some of the businesses highlighted in the AG’s announcement were able to come into compliance during the CCPA’s 30-day cure period, the AG emphasized that reliance on the cure period “may require more than just starting to comply with the law.” This statement should serve as a caution to businesses that may be deferring compliance in light of the availability of the cure period.

The AG also announced the launch of a new online Consumer Privacy Tool, which allows consumers to directly notify businesses that do not have a clear and easy-to-find “Do Not Sell My Personal Information” link on their homepage. The AG noted that the tool may be expanded to cover other violations of the CCPA. It is clear, therefore, that many eyes will be on businesses to ensure that they are in compliance with all aspects of the law.

What Should Businesses Do?

First, confirm whether your business falls under the CCPA’s reach. Note that a business does not need to have a location in California in order to fall within the law.

Second, in light of the AG’s announcement, businesses that are subject to the CCPA would be well served to immediately:

  • Examine whether they are providing all required notices to consumers in a timely manner;
  • Review their privacy policies to ensure accuracy and compliance with the law; and
  • Undertake an analysis of third-party service provider contracts to ensure inclusion of the required limitations concerning the use of personal information.