OAG Releases Summary of Sample Enforcement Actions

By Andrew Scott

Disclaimer: This article reflects the thoughts and opinion of the authors and not their law firms and/or employers.

This July, California Office of the Attorney General (OAG) rolled out three major updates to its CCPA webpage to mark the one-year anniversary of the California Consumer Privacy Act (CCPA)’s July 1, 2020 statutory date of enforcement.  First, OAG released a summary of sample enforcement actions to date, which provides helpful guidance about how the office is interpreting the statute.  Second, the OAG updated FAQs on its CCPA website and took related actions that indicate support for a new global privacy control tool.  And, finally, the OAG unveiled a new privacy tool that helps consumers send letters to businesses if consumers believe they are not complying with the CCPA’s Do Not Sell requirements.  We address each of these substantial developments below. 

We address the first update below.  Posts on the other two developments are found in separate posts in this month’s CLA Privacy Section update.

In mid-2020, the OAG began sending notices of alleged noncompliance to CCPA businesses.  Under the CCPA, the notices are required to give businesses thirty days to cure the OAG’s allegations of noncompliance. If a business cannot cure the alleged noncompliance, the OAG may initiate a civil action for civil penalties not to exceed $2,500 for each violation or $7,500 for each intentional violation.

On July 19, 2021, the OAG published twenty-seven “illustrative examples of situations in which it sent a notice of alleged noncompliance and steps taken by each company in response.”  The examples provide insight into the industries and issues that the OAG has focused on.  Provided below is an overview of some of the important issues the OAG seemed to focus on, including providing insight into the office’s priorities heading into the CCPA’s second year.

Issues:

• Non-Compliant Privacy Policy (14):  With fourteen of the twenty-seven examples including a non-compliant privacy policy, the OAG has signaled it is seriously looking for CCPA privacy policy compliance from companies. In one example, a company received a second notice that its updated privacy still did not comply with the CCPA regulations.  The OAG found non-compliant notices in a variety of industries, including online dating, online event sales (2x), online advertising, automotive, grocery retail (2x), education technology, online clothing retail, video game distribution, and others.  Clearly, a compliant privacy notice is of paramount importance for any company subject to the CCPA.  In its examples, the OAG found the following issues of non-compliance in the privacy policies: 
  • Claiming a fee may be charged for processing a consumer’s request to know;
  • Containing unnecessary legal jargon, making the notice not easy to read or understandable to the average consumer;
  • Failing to disclose information about the collection, the use, and the selling of consumer personal information;
  • Failing to inform consumers of how to submit requests to know, delete, and opt-out of the sale of personal information;
  • Failing to include a notice of financial incentive;
  • Inadequately disclosing CCPA consumer rights, including the right to know, to delete, and to not be discriminated against;
  • Inadequately disclosing what personal information is sold;
  • Inadequately identifying the categories of personal information transferred to others for a business purpose;
  • Inadequately listing the categories of personal information disclosed;
  • Inadequately stating whether or not the company had sold personal information in the past 12 months;
  • Providing incorrect instructions for how consumers could exercise their CCPA rights to request to know and delete;
  • Lacking the required information about how consumers or their agents could exercise their opt-out rights; and
• Lack of Request Methods (6):  With six examples, it is clear that the OAG is focused on consumers being provided with methods to exercise their CCPA rights (e.g., to request, to know, and to delete).  Defective online methods for submitting CCPA requests are not compliant. 
• No “Do Not Sell My Personal Information” Link (4):  In one example, the Do Not Sell My Personal Information link (DNSMPI) did not function properly.  In another example, a business that sold personal information neither had the link on its homepage nor had adequate disclosures about what personal information it sold in its privacy policy. If a company determines that it sells personal information within the meaning of the CCPA, it is important to have the DNSMPI link on any of the business’s digital properties and functioning properly.
• Notice to Consumers (5):  In addition to the online businesses that collect consumer data, brick and mortar businesses that collect information offline may also be subject to the CCPA.  Accordingly, such brick and mortar businesses must have methods in place to ensure that when a consumer’s data is collected, notice of that collection is provided.   
• Sales of Personal Information (4): Non-compliance included a business’s disclosures regarding its sale of data being “confusing” while another business did not provide consumers with methods to opt-out of the sale of personal information
• Non-Compliant Opt-Out Process (3): The OAG took the position that a conglomerate requiring consumers to submit multiple, separate requests to opt-out of the sale of their personal information is not a CCPA-compliant practice.
• Non-Compliant Service Provider Contracts (2):  Businesses that enter into contracts with service providers (known in the GDPR as processors) must ensure that language exists in those contracts to restrict how these entities retain, use, or disclose the personal information they receive.  Moreover, one example highlighted that a business failed to impose a service provider contractual relationship on advertisers that the company shared data with from its retail site. Finally, the OAG determined that a service provider was also classified as a business in some contexts; the service providers’ privacy notice was subsequently found non-compliant. This highlights the importance of companies really needing to understand their own data practices (e.g., use, disclosure, and retention practices) because if they do not recognize whether they are service providers and/or businesses, they could end up misrepresenting their status to consumers or other business partners. 
• Authorized Agent: Authorized agents need to be provided with instructions on how they can submit requests on behalf of consumers; however, requiring an authorized agent to submit a notarized verification when invoking CCPA rights was found by the OAG to be a non-compliant practice.
• Untimely Responses to CCPA Requests:  A business was found not to be timely in responding to CCPA requests to know and delete personal information. 
• Sales of Minors’ Personal Information: A business did not provide an opt-out mechanism to adults or obtain an opt-in for minors.
• Verification:  A business no longer requires that a consumer be verified to opt-out of the sale of personal information.
• Account Creation for Verification:  A business no longer requires a customer to create an account in order to make a CCPA request.

It is important to note that OAG stated that each business that received a notice has cured the alleged violation(s); the OAG did not assess penalties.  In January 2023, the right to cure will sunset when the California Privacy Rights Act takes effect.