Privacy Law
CA OAG Issues First CCPA Enforcement Action; Releases Updated Enforcement Examples
By Brandon M. Jasso, CIPP/US/E, CIPM
California Attorney General Rob Bonta (“AG Bonta”) and the Office of the Attorney General (“OAG”) have been active in protecting the privacy rights of Californians and making sure businesses comply with their obligations under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”). On August 24, 2022, the OAG issued a press release (“Press Release”) and concurrently released a YouTube video of AG Bonta (“Video”) regarding a CCPA enforcement action settlement with Sephora, Inc. (“Sephora”) over allegations that Sephora violated the CCPA.
The Press Release stated that AG Bonta had filed a Complaint against Sephora, seeking an Injunction, Civil Penalties, and Other Equitable Relief (“Complaint”). The Complaint alleged that Sephora had failed to provide a notice of sale of consumers’ personal information, failed to provide a “Do Not Sell My Personal Information” (“DNS”) link, failed to provide two or more methods for opting out of sale, failed to respond to opt-out requests made via a Global Privacy Control (“GPC”), and failed to correct the above issues within 30 days after notice of these deficiencies from the OAG.
Concurrently, on August 24, 2022, AG Bonta filed a Final Judgment and Permanent Injunction (“Judgment”) containing the settlement terms agreed to between the OAG and Sephora. Pursuant to the Judgment, Sephora must pay “$1.2 million in penalties and comply with important injunctive terms” and must, as stated in the Press Release and by AG Bonta in the Video:
- “Clarify its online disclosures and privacy policy to include an affirmative representation that it sells data”;
- “Provide mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control”;
- “Conform its service provider agreements to the CCPA’s requirements”; and
- “Provide reports to the Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor Global Privacy Control.”
The Press Release also quoted AG Bonta, who stated:
“I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”
Businesses should be on alert that they can and will be subject to an enforcement action when they fail to comply with the CCPA. Additionally, as California moves closer to the effective date of the new California Privacy Rights Act amendments to the CCPA, businesses should take great care to make sure they are ready to operate under the law as expected on January 1, 2023, as there will no longer be a 30-day cure period as originally provided by the CCPA.
The Press Release also noted an update to the CCPA Enforcement Case Examples. The enforcement actions taken covered a variety of industries, with a few highlighted below:
- Online Retailers: multiple online retailers had been making user information available to third parties (who had not been verified to be CCPA compliant) for services like advertising and analytics without allowing consumers to opt out or acknowledging the GPC.
- Weblink Shortener: a URL shortener website failed to provide a privacy policy that gave notice of consumer rights under the CCPA, failed to indicate whether personal information was sold, and did not provide a DNS link.
- Telehealth: “a business that provides a platform for virtual healthcare services also had a separate public-facing website that collected personal information and is subject to the CCPA.” The business’s link in its notice at collection failed to send consumers to the relevant section, and the privacy policy failed to provide guidance on data subject access requests, list the categories of personal information collected or disclosed, and identify who the personal information was shared with.
The examples show that no industry is exempt from its obligations to comply with the CCPA and that the OAG, which will soon work closely with the California Privacy Protection Agency (“CPPA”), will make sure that any business, regardless of industry, that is subject to the CPPA complies and affords consumers the protections and rights they are entitled to.
California will continue to be the leader in consumer privacy protections: the OAG is actively working to protect consumers, as shown by the Sephora settlement, while the CPPA is actively working on updating the CCPA regulations to make sure they meet the needs of consumers and provide clear guidance to businesses.