July 28, 2021

Volume XI, Number 209

Advertisement

July 27, 2021

Subscribe to Latest Legal News and Analysis

July 26, 2021

Subscribe to Latest Legal News and Analysis

California AG Offers Cryptic CCPA Enforcement Summaries, and Launches Complaint Tool

On July 19, the Office of the Attorney General of California (OAG) issued a press release summarizing its first year of CCPA enforcement. Seventy-five percent of companies receiving a notice to cure are said to have come into compliance within the 30-day cure period, with 25% reportedly still within that period or under ongoing investigation. The OAG also published summaries of 27 resolved exemplary cases. The OAG was careful to note that the summaries do not constitute advice and do not include all of the facts, however they do offer some insights. Disappointingly, however, the summaries often lack enough detail to allow readers to surmise the enforcement posture that was taken by the OAG, the exact nature of the alleged violations, or the specific actions taken by the company that satisfied the OAG’s inquiry.

Most of the summaries deal with notice deficiencies and inadequate disclosures, including financial incentives (e.g., loyalty programs), and consumer rights request program inadequacies. However, three of them, which are reproduced verbatim below (emphasis added), shed some light on the application of “do not sell” and digital tracking technologies (e.g., cookies). One of those three directly addresses Global Privacy Control signals (a matter the OAG has been pushing as of late). These cases seem to indicate that collection by a third-party cookie provider, absent a service provider commitment by such provider, may be a “sale” to such provider – a position that the OAG has been advancing in enforcement actions of which we are aware – and that this must be tied directly to the “Do Note Sell” link and tool:

Pet Industry Website Updated its Opt-Out Webform for Consumers to Opt Out of All Sales of Personal Information
Industry: Pet Industry
Issue: Authorized Agent; Sales of Personal Information

A business that operates an online pet adoption platform required a consumer’s authorized agent to submit a notarized verification when invoking CCPA rights. The business’s disclosures regarding its sale of data were also confusing, and the business did not appear to provide a mechanism for consumers to opt-out of the sale of their personal information. The business also made consumers take additional steps to opt-out by directing consumers to a third-party trade association’s tool designed to manage online advertising. After being notified of alleged noncompliance, the business removed the notarization requirement for agents, added a “Do Not Sell My Personal Information Link”, and updated its opt-out webform that allowed consumers to fully opt-out of the sale of personal information, including personal information that was exchanged for targeted advertising.

Media Conglomerate Updated Opt-Out Process and Notices
Industry: Mass Media and Entertainment
Issue: Non-Compliant Opt-Out Process; Notices to Consumers

A mass media and entertainment business did not provide consumers with any methods to opt-out of the business’s sale of their personal information. The business only directed consumers to a third-party trade association’s tool designed to manage online advertising. The business’s privacy policy and notice of right to opt-out also did not include required information about how consumers or their agents could exercise their opt-out rights. The business also did not have a notice at collection and lacked a “Do Not Sell My Personal Information” link on several of its digital properties. After being notified of alleged noncompliance, the business updated its opt-out process, privacy policy, and notices to address these issues, and added the “Do Not Sell My Personal Information” link to all of its digital properties.

Manufacturer and Retailer Stopped Selling Personal Information
Industry: Consumer Electronics
Issue: Sales of Personal Information

A business that sells electronics maintained third-party online trackers on its retail website that shared data with advertisers about consumers’ online shopping. The business neither imposed a service provider contractual relationship on these third parties, nor processed consumers’ requests to opt-out that were submitted via a user-enabled global privacy control, e.g., a browser extension that signaled the GPC. After being notified of alleged noncompliance, the company worked with its privacy vendor to effectuate consumer opt-out requests and avoid sharing personal information with third parties under conditions that amounted to a sale in violation of the CCPA.

[Emphasis added.] Leading cookie consent management platforms (CMPs) have the ability to tie “do not sell” consumer rights requests to opting out of certain sets of publisher-designated cookies and well as code that does the same when the GPC signal is present. In addition, the Internet Advertising Bureau has a CCPA framework and signal program, supported by some CMPs that can convert participating cookies from sales to service provider processing only. Publishers that have been holding off implementing such potential solutions should revisit the issue in light of these summaries.

In addition, the OAG announced the launch of a new consumer complaint tool that allows consumers to answer certain gating questions to create a notice of noncompliance that can be sent to a business, which the OAG states “may” start the 30-day opportunity to cure mandated by Section 1798.155.

Companies need to update their California privacy notices annually, typically as of January 1. In the process of doing so, we recommend an assessment of current CCPA compliance in light of the final regulations, summaries of initial enforcement actions and other OAG guidance. In addition, this will be a good opportunity to conduct a gap analysis to determine what changes will be needed before 2023 to comply with new state privacy laws that go into effect then.

© Copyright 2021 Squire Patton Boggs (US) LLPNational Law Review, Volume XI, Number 202
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Glenn Brown Data Privacy & Cybersecurity Attorney Squire Patton Boggs Atlanta., GA
Of Counsel

A senior member of our Data Privacy & Cybersecurity Practice Group, Glenn Brown provides business-oriented advice to clients in numerous industries on data privacy and regulatory compliance matters, including regulatory investigations and examinations. He has experience driving privacy and compliance priorities within organizations and providing strategic counsel regarding privacy, compliance and risk to support the growth and success of the business.

Glenn also has deep experience advising clients regarding compliance with many of the US...

678-272-3235
Kyle Dull Data Privacy & Cybersecurity Lawyer Squire Patton Boggs Miami Florida
Associate

A former assistant attorney general, Kyle has extensive experience investigating and litigating privacy and advertising law violations. He now draws on that experience to advise clients on their own data privacy, cybersecurity and advertising risks, and is regularly retained by corporations to defend and resolve enforcement actions.

Kyle has a solid understanding of domestic and international privacy laws and counsels digital media companies looking to protect their digital property and avoid potential legal issues by negotiating and drafting licensing, joint venture and data...

+1 305 577 2840
Kyle R. Fath Cybersecurity Attorney Squire Patton Boggs New York Los Angeles
Of Counsel

Kyle Fath is counsel in the Data Privacy & Cybersecurity Practice. He offers clients a unique blend of deep experience in counselling companies through compliance with data privacy laws, drafting and negotiating technology agreements, and advising on the privacy, IT, and IP implications of mergers & acquisitions and other corporate transactions. His practice has a particular focus on the the ingestion and sharing of data by way of strategic data transactions, data brokers, and vendor relationships, the implications of digital advertising (as companies look toward...

212-872-9863
Alan L. Friel Data Privacy & Cybersecurity Attorney Squire Patton Boggs Los Angeles, CA
Partner

Alan Friel is the deputy chair of the firm’s Data Privacy & Cybersecurity Practice.

Alan is a thought leader in digital media, intellectual property, and privacy and consumer protection law, with three decades of relevant experience to address the intersection of law and technology.

Prior to joining the firm, Alan was a partner at a US law firm, where he led the US Consumer Privacy practice (in which he counseled clients on compliance with the California Consumer Privacy Act (CCPA) and other data privacy regimes), and the retail, restaurant and e-commerce industry...

213-689-6518
Advertisement
Advertisement