Bloomberg Law

Top Takeaways From a Year of CCPA Enforcement

Aug. 6, 2021, 8:00 AM

July 1, 2021, marked the first anniversary of the date on which the California Office of the Attorney General (OAG) gained the power to enforce the California Consumer Privacy Act (CCPA).

According to its recent report, the OAG began sending notices of noncompliance immediately on July 1, 2020. Businesses that receive notices of noncompliance have 30 days to cure the alleged violation before the OAG can initiate an enforcement action (i.e., sue the business for the alleged violation).

To demonstrate its “successful enforcement efforts,” the OAG issued a list of 27 examples in which it sent a notice of noncompliance and the steps taken by the companies in response. While the examples did not specify company names or provide substantive details about the alleged violations, there is enough information to identify initial enforcement trends and the red flags businesses should monitor.

OAG Not Targeting Specific Industry—All Businesses Should Prepare

While many predicted that the OAG’s early enforcement efforts would focus on businesses that collect health-care data or children’s personal information, the OAG’s enforcement case examples show otherwise. The OAG did not appear to target any particular industry.

Marketing companies, data brokers, social media networks, event-sales businesses, online dating platforms, grocery retailers, automotive companies, clothing retailers, pet adoption agencies, mobile app providers, ad tech companies, and video game distribution companies are among the types of businesses that received notices of noncompliance. This should be a wake-up call for businesses: while no industry is being targeted, no industry appears to be immune.

Service Providers Should Prepare to Demonstrate Status

Despite not being subject to the CCPA’s notice and consumer-request obligations, entities acting as service providers also received notices of noncompliance. In one example, an email marketing company collected consumers’ personal information on behalf of its customers. Because it was a service provider, the company did not provide any CCPA notices or offer methods to submit consumer requests.

After being notified of the alleged noncompliance, the company provided evidence that it acted as a service provider when it processed personal information. It also confirmed that personal information obtained from one customer was not used to provide services to another.

Entities acting as service providers should take note. Because service providers are not required to provide any CCPA notices or process consumer requests, it may be difficult for consumers—and even the OAG—to discern when companies are handling data as “businesses” and managing other data as “service providers.” To minimize confusion, service providers should consider confirming their status in their outward-facing disclosures (e.g., a website “Terms of Use”).

If an entity is acting as a service provider in one context but a business in another, then it may want to make that clear in its public facing statements as well. Doing so may signal to the OAG that the entity understands its obligations under the CCPA and has taken steps to comply when required.

‘Do Not Sell My Personal Information’ Link Is Low-Hanging Fruit

Despite there being no consensus on what qualifies as a “sale,” failing to provide a “Do Not Sell My Personal Information” (DNSMPI) link on a business’s website homepage or, alternatively, failing to affirmatively state that the company does not sell personal information, is low-hanging fruit for the OAG.

Indeed, more than a quarter of the companies that received notices of noncompliance did not have a DNSMPI link on their websites. Since the OAG created a tool to help consumers draft a notice of noncompliance to send to businesses that do not post an easy-to-find DNSMPI link on their website, this number is likely to increase over time.

Whatever position a company takes (i.e., whether it sells or does not sell personal information), it will be critical that its actions and statements communicate the same message. This requires businesses to consider not only the disclosures mandated by the CCPA, but also any other documentation that describes the business’s privacy practices. It will also be critical to have controls in place to ensure that actual data usage practices align with the disclosures provided to consumers.

CCPA Is Not a ‘Check-the-Box’ Exercise

Companies that failed to include the required information in their privacy policies received notices of noncompliance. While the businesses responded by updating their privacy policies, treating the CCPA as a “check-the-box” exercise will not be sufficient.

Indeed, other companies received notices of noncompliance for failing to timely respond to consumer requests, and for providing methods to submit requests that were not operable. As such, companies must follow through on complying with their policies and other CCPA requirements.

Easily Accessible and Consumer Friendly Disclosures Are Key

In one example, a business received a notice for a noncompliant privacy policy. Even after updating the privacy policy to include the required verbiage, the OAG found the privacy policy to be difficult to read as it contained “unnecessary legal jargon.” The business then received a second notice of noncompliance.

This example demonstrates that businesses are being judged not only on what information they provide to consumers, but also on how that information is relayed. Notices should be written so they can be understood by the average consumer.

Businesses should also minimize the number of steps consumers must go through to submit requests. Indeed, any process that requires consumers to jump through hoops to exercise their rights (e.g., requiring consumers to create an account before submitting a request) will likely draw scrutiny from the OAG.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.


Author Information

Ron Raether leads the Cybersecurity, Information Governance and Privacy practice group at Troutman Pepper, and is a partner in the firm’s Financial Services Litigation Practice. He has assisted companies in navigating federal and state privacy laws for over 20 years, defending hundreds of putative class actions making privacy-based claims.

Ashley Taylor is a partner at Troutman Pepper where he focuses on federal and state government regulatory and enforcement matters involving state attorneys general, the CFPB, and the FTC. He was previously a deputy attorney general, and he has an extensive consumer practice, advising companies on regulatory and compliance issues.

Sadia Mirza, an attorney at Troutman Pepper, focuses her practice on cybersecurity and privacy issues and compliance across the financial services industry. She is a knowledgeable transactional counsel with experience in-house, positioning her to interact effectively with business, compliance, legal and information security departments.