Online businesses that sell to California residents should take note of a recent enforcement action by the state’s attorney general (AG) signaling that adequate notice of sale must be provided in a business’s privacy policy, California residents’ opt-out requests must be honored, and, from the AG’s perspective, the use of third-party cookies for targeted advertising is a sale.
On August 24, 2022, the AG announced the first public settlement of an enforcement action against a retail company for alleged violations of the California Consumer Privacy Act (CCPA). The settlement is for $1.2 million and includes an injunction. The AG alleged that a global beauty retailer failed to disclose to consumers that it was selling their personal information, failed to process user requests to opt out of sale via user-enabled Global Privacy Control (GPC) browser signals in violation of the CCPA, and did not cure these alleged violations within the 30-day period currently allowed by the CCPA. The AG’s actions were based on the retailer’s use of third-party analytic cookies on its website and apps. The AG’s complaint noted that the analytics provider could “determine who the shopper was, using extensive data gathered from other sources, and then present [the retailer] with the valuable option to serve targeted advertisements to the same shopper on the analytics provider’s advertising network.”