July 1, 2021, marked the first anniversary of the California Office of the Attorney General (OAG) gaining the power to enforce the California Consumer Privacy Act (CCPA).
According to its recent report, the OAG began sending notices of noncompliance immediately on July 1, 2020. Businesses that receive notices of noncompliance have 30 days to cure the alleged violation before the OAG can initiate an enforcement action (i.e., sue the business for the alleged violation).
To demonstrate its “successful enforcement efforts,” the OAG issued a list of 27 examples in which it sent a notice of noncompliance and the steps taken by the companies in response. While the examples did not specify company names or provide substantive details about the alleged violations, there is enough information to identify initial enforcement trends and the red flags businesses should monitor.
OAG Not Targeting Specific Industry—All Businesses Should Prepare
While many predicted that the OAG’s early enforcement efforts would focus on businesses that collect health-care data or children’s personal information, the OAG’s enforcement case examples prove otherwise. The OAG did not appear to target any particular industry.
Marketing companies, data brokers, social media networks, event-sales businesses, online dating platforms, grocery retailers, automotive companies, clothing retailers, pet adoption agencies, mobile app providers, ad tech companies, and video game distribution companies are among the types of businesses that received notices of noncompliance. This should be a wake-up call for businesses: while no industry is being targeted, no industry appears to be immune.
Service Providers Should Prepare to Demonstrate Status
Despite not being regulated by the CCPA, entities acting as service providers also received notices of noncompliance. In one example, an email marketing company collected consumers’ personal information on behalf of its customers. Because it was a service provider, the company did not provide any CCPA notices or offer methods to submit consumer requests.
After being notified of the alleged noncompliance, the company provided evidence that it acted as a service provider when it processed personal information. It also confirmed that personal information obtained from one customer was not used to provide services to another.
If an entity is acting as a service provider in one context but a business in another, then it may want to make that clear in its public-facing statements as well. Doing so may signal to the OAG that the entity understands its obligations under the CCPA and has taken steps to comply when required.
‘Do Not Sell My Personal Information’ Link Is Low-Hanging Fruit
Despite there being no consensus on what qualifies as a “sale,” failing to provide a “Do Not Sell My Personal Information” (DNSMPI) link on a business’s internet homepage or, alternatively, failing to affirmatively state the company does not sell personal information, is low-hanging fruit for the OAG.
Indeed, more than a quarter of the companies that received notices of noncompliance did not have a DNSMPI link on their websites. Since the OAG created a tool to help consumers draft a notice of noncompliance to send to businesses that do not post an easy-to-find DNSMPI link on their website, this number is likely to increase over time.
Whatever position a company takes (i.e., whether it sells or does not sell personal information), it will be critical that its actions and statements communicate the same message. This requires businesses to not only consider those disclosures mandated by the CCPA, but also any documentation that describes the business’s privacy practices. It will also be critical to have in place controls to assure data usage practices align with the disclosures provided to consumers.
CCPA Is Not a ‘Check-the-Box’ Exercise
Companies that failed to include the required information in their privacy policies received notices of noncompliance. While the businesses responded by updating their privacy policies, treating the CCPA as a “check-the-box” exercise will not be sufficient.
Indeed, other companies received notices of noncompliance for failing to timely respond to consumer requests, and for providing methods to submit requests that were not operable. As such, companies must follow through on complying with their policies and other CCPA requirements.
Easily Accessible and Consumer-Friendly Disclosures Are Key
This example demonstrates businesses are not only being judged on what information they provide to consumers, but how such information is relayed. Notices should be written so they can be understood by the average consumer.
Businesses should also minimize the number of steps consumers must go through to submit requests. Indeed, any process that requires consumers to jump through hoops to exercise their rights (e.g., requiring consumers to create accounts to submit a request) will likely draw scrutiny from the OAG.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Ron Raether leads the Cybersecurity, Information Governance and Privacy practice group at Troutman Pepper, and is a partner in the firm’s Financial Services Litigation Practice. He has assisted companies in navigating federal and state privacy laws for over 20 years, defending hundreds of putative class actions making privacy-based claims.
Ashley Taylor is a partner at Troutman Pepper where he focuses on federal and state government regulatory and enforcement matters involving state attorneys general, the CFPB, and the FTC. He was previously a deputy attorney general, and he has an extensive consumer practice, advising companies on regulatory and compliance issues.
Sadia Mirza, an attorney at Troutman Pepper, focuses her practice on cybersecurity and privacy issues and compliance across the financial services industry. She is a knowledgeable transactional counsel with experience in-house, positioning her to interact effectively with business, compliance, legal and information security departments.