On August 24, 2022, the California Office of Attorney General (OAG) published a summary of 13 CCPA investigations, “illustrative” of situations in which notices of alleged noncompliance were sent and remedial measures were implemented. Note that the CCPA’s mandatory notice-and-cure period will expire on January 1, 2023. Following that, the California Privacy Protection Agency will have the discretion to grant cure periods.
Some key trends include:
- Several of the cases involved allegedly noncompliant notices.
- Some of the investigations followed up on complaints that consumers had made to the OAG regarding CCPA compliance.
- Multiple cases involved alleged violations related to the sale opt-out.
We summarize the 13 examples below.
- Sale opt-outs. Multiple online retailers allegedly used web tracking technologies to provide consumers’ personal information to third parties, but did not process consumer requests to opt out that were sent via a global privacy control (“GPC”) signal (which the AG asserted the CCPA regulations require), and did not ensure that the third-party recipients of consumers’ personal information were CCPA-compliant service providers.
- Cure: The retailers updated their service-provider contracts, adopted technology to send “restricted use” signals to third-party recipients, and blocked certain transfers of personal information upon the detection of a GPC.
- Notices of financial incentives. Multiple retailers (including in the clothing, home goods, and hospitality sectors) operated loyalty programs that allegedly offered financial incentives for the collection of consumers’ personal information, but did not post a notice of financial incentives.
- Cure: The businesses posted or revised financial incentive notices (e.g., at cash registers or via “deep links”) and revised their enrollment methods.
- Consumer rights notice and mechanisms. A technology company allegedly did not provide notice of required CCPA consumer rights or disclose the methods by which consumers could exercise these rights, and did not expressly state whether it had sold personal information or provide a “clear and conspicuous” do-not-sell link.
- Cure: The business revised its privacy policy, implemented two request methods, and added a do-not-sell link.
- Social media complaints about a healthcare company’s handling of consumer requests. After consumers criticized on social media how a healthcare company had responded to certain requests, the AG alleged that the company treated certain access requests as deletion requests and permanently deleted those consumers’ personal information.
- Cure: The business introduced staff training and revised its processes for responding to consumer access and deletion requests.
- Medical device company and sale opt-out. A medical device company allegedly required consumers to accept its privacy policy and terms of service in order to exercise their CCPA rights. The AG also claimed that the business did not provide an opt-out mechanism regarding the sale of personal information and instead directed consumers to a third-party trade association’s tool designed to manage online advertising.
- Cure: The business removed the restrictions on consumers’ exercise of their CCPA rights, added a do-not-sell link, and updated its webform.
- Telehealth company’s privacy policy. A telehealth business’s privacy policy allegedly did not contain certain required disclosures, such as the categories of personal information collected or disclosed within the previous year, and the business’s “notice at collection” hyperlinks allegedly directed consumers to the wrong section of its privacy policy.
- Cure: The business updated its privacy policy to include the required disclosures, and introduced “deep-links” directing consumers to the notice-at-collection section of its privacy policy.
- Fitness business’s opt-outs. A fitness business’s website contained a do-not-sell page that the AG alleged included unclear language and toggle options (e.g., the toggle for Do Not Sell was “on/off”). The business’s privacy policy also directed consumers to a third party’s tool to manage online advertising and cookie preferences.
- Cure: The business streamlined its opt-out options, including by adopting an “easy to understand toggle,” and revised its privacy policy to explain its use of third-party cookies and to enable consumers to opt out fully of the sale of personal information.
- FinTech privacy policy and opt-outs. A FinTech business that offers financial services to minors operated a mobile app that allegedly did not notify consumers at or before the point of collection about the categories of personal information collected and the purposes for which information would be used. It also allegedly did not state whether it sold personal information in the privacy policy.
- Cure: The business updated its privacy policy to indicate that it did not sell personal information of consumers under 18 years old, added a do-not-sell opt-out link to its homepage for consumers over the age of 18, and added a link to the first screen of its mobile app that included the categories of personal information collected and purposes for which information would be used.
- People search opt-outs. A business operating a people search website allegedly provided only one method for the submission of requests, and required consumers to agree to its terms of service and privacy policy. The AG described this process as “onerous.” A “Do Not Sell My Personal Information” link also allegedly only worked on certain browsers.
- Cure: In response, the business took steps to ensure that its sale opt-out link worked on all browsers, revised its California Privacy Page to simplify processes for submitting consumer requests, and provided consumers with alternative methods to submit such requests. The business also agreed to email all consumers who submitted CCPA requests within the prior two years but did not complete verification.
- Clothing retailer’s opt-outs. A clothing retailer’s “Do Not Sell My Personal Information” link discussed managing cookies and similar technologies but allegedly did not provide an opt-out mechanism.
- Cure: In response, the business updated its opt-out mechanism by offering all consumers—including non-Californians—the option to opt out of the sale of personal information, separate from its cookie preferences option.
- Technology platform’s opt-outs and requests to know. A technology platform allegedly did not allow consumers to submit opt-out requests or requests to know through authorized agents, and did not train the staff handling consumer inquiries.
- Cure: The business implemented a mechanism for consumers to submit requests through authorized agents, updated its privacy policy accordingly, and trained its employees on handling authorized-agent requests. It also began implementing a technical solution to block all third-party advertising cookies for anyone visiting its website from a California IP address.
- Wireless network provider’s response to requests. A consumer notified a wireless network provider that its online CCPA portal allegedly was not functional.
- Cure: The business explained the measures it had taken to ensure that its online CCPA portal was functioning, and implemented a process for responding to other online CCPA requests, including honoring the GPC signal.
- Advertising service’s privacy disclosures and opt-outs. An advertising service’s privacy policy allegedly did not contain all required CCPA disclosures, while other disclosures and opt-out methods were allegedly incomprehensible to the average consumer or contained nonfunctional hyperlinks.
- Cure: The business revised its privacy policy and hired a user experience designer to improve its opt-out function.
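Three of the examples above (the online retailers’ sale opt-outs, the technology platform’s cookie blocking, and the wireless provider’s GPC handling) turn on the same mechanism: recognizing a consumer’s opt-out signal on each request and withholding any transfer that would be a sale. The following is an added example written for this summary, not code from the OAG or from any business it describes. It relies on two facts from the GPC specification (the request header `Sec-GPC: 1` and the page-side property `navigator.globalPrivacyControl`); the WSGI-style `environ` dict, the tag table, the cookie name `ccpa_opt_out`, and the `/vendor/` script path are hypothetical settings constructed for the example.

```python
"""Honoring the Global Privacy Control (GPC) opt-out signal server-side.

Added example; not the code of any business in the OAG summary. The header
name `Sec-GPC` comes from the GPC spec; the tag table, cookie name and
script path below are hypothetical and constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical data map: the third-party scripts this site loads and whether
# loading each one amounts to a "sale"/"share" of personal information under
# the site's own classification (constructed for the example).
THIRD_PARTY_TAGS: Dict[str, bool] = {
    "analytics-vendor.js": False,   # service provider under a restricted-use contract
    "ad-network.js": True,          # cross-context behavioral advertising
    "data-broker-pixel.js": True,
}

OPT_OUT_COOKIE = "ccpa_opt_out"     # hypothetical cookie name
ONE_YEAR = 365 * 24 * 60 * 60


def gpc_signal_present(environ: Dict[str, str]) -> bool:
    """True when the request carries the GPC header `Sec-GPC: 1`.

    WSGI exposes request headers as HTTP_<NAME> with dashes turned into
    underscores. The spec defines only the value "1"; anything else,
    including "0" or an absent header, is not an opt-out signal.
    """
    return environ.get("HTTP_SEC_GPC", "").strip() == "1"


def opt_out_cookie_present(environ: Dict[str, str]) -> bool:
    """True when an earlier opt-out was persisted in the site's own cookie."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == OPT_OUT_COOKIE and value == "1":
            return True
    return False


@dataclass
class Decision:
    opted_out: bool
    reason: str
    tags_to_load: List[str]
    response_headers: List[Tuple[str, str]] = field(default_factory=list)


def decide(environ: Dict[str, str]) -> Decision:
    """Decide, per request, which third-party tags the page may load.

    The GPC header is checked on every request, so a consumer who turns the
    control on mid-session is honored immediately; the cookie keeps the
    opt-out in force on later requests even if the header is missing.
    """
    if gpc_signal_present(environ):
        opted_out, reason = True, "Sec-GPC: 1"
    elif opt_out_cookie_present(environ):
        opted_out, reason = True, "opt-out cookie"
    else:
        opted_out, reason = False, "no opt-out signal"

    if opted_out:
        # Drop every tag whose loading would be a sale/share; service-provider
        # tags that only process data on the business's behalf may still load.
        tags = [name for name, is_sale in THIRD_PARTY_TAGS.items() if not is_sale]
    else:
        tags = list(THIRD_PARTY_TAGS)

    headers: List[Tuple[str, str]] = []
    if opted_out:
        # Persist the choice for a year so it survives without the header.
        headers.append(("Set-Cookie",
                        f"{OPT_OUT_COOKIE}=1; Path=/; Max-Age={ONE_YEAR}; "
                        "Secure; SameSite=Lax"))
    return Decision(opted_out, reason, sorted(tags), headers)


def render_script_tags(decision: Decision) -> str:
    """HTML for the permitted tags only (hypothetical /vendor/ path)."""
    return "\n".join(f'<script src="/vendor/{name}"></script>'
                     for name in decision.tags_to_load)


if __name__ == "__main__":
    # Constructed sample requests: a GPC-enabled browser and one without it.
    for env in ({"HTTP_SEC_GPC": "1"}, {}):
        d = decide(env)
        print(f"{d.reason}: load {d.tags_to_load}")
```

Making the decision on the server, before any HTML is emitted, is what prevents the "sale" tags from firing at all; a page-side check of `navigator.globalPrivacyControl` is still useful for rendering the state of a do-not-sell toggle, but by the time it runs any tag already in the markup has loaded. Note that the opt-out cookie deliberately outlives the header: a consumer who later disables the browser control stays opted out until they opt back in through the site’s own toggle, which is the conservative reading of the signal. Passing a restricted-use flag to the remaining service-provider tags, as the retailers in the first example did, is a separate step not shown here.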