Worth the wait? Key takeaways from California Attorney General’s CCPA application case summaries | Wyrick Robbins Yates & Ponton LLP
Before the CCPA became enforceable on July 1, 2020, much ink was cast (or many keys were affected) on the ability of the California Attorney General’s Office (“OAG”) to obtain civil penalties for them. CCPA violations. After that date, privacy lawyers waited impatiently for the OAG’s enforcement action to begin. But then very little happened, at least publicly. Although lawyers at the OAG sometimes have discussed sending confidential notices of violation to suspected violators during public appearances, no other public performance activity took place.
It was tempting to think that the lack of public enforcement resulted from the excellent skill of privacy lawyers in interpreting the law and advising their clients, but the recent publication by the OAG of 27 examples of CCAA enforcement case summaries shows that the OAG was in fact active in investigating and seeking resolution of CCPA violations. These summaries provide key information on the OAG’s CCAA enforcement priorities. This article summarizes some of the most important.
- Potential corrective actions can remedy (or at least successfully investigate) past violations of the CCPA.
The CCPA predicts that a breach will only occur if a company fails to remedy the alleged breaches within 30 days of notification of non-compliance. But the statute is not clear on how past violations might be remedied. The introduction to the OAG’s case summaries is also not clear on this point – it only states that recovery “may require more than just starting to comply with the law.”
But the enforcement summaries suggest that, in at least some cases, remedies that apply only prospectively may âfixâ a previous violation of the CCPA. For example, a summary explains that a data broker who sold personal information without providing a “Do not sell my personal information” link resolved this issue by adding such a link to their home page after receiving the notice of non-compliance from the OAG. While this link does not necessarily relate to sales of personal information that took place prior to its publication, its publication after the company received the OAG notice nevertheless appears to have resolved the OAG’s concerns.
This is good news for businesses, as implementing potential compliance measures will generally be easier than cleaning up past breaches. Note, however, that this application approach may change as the ACPL will transfer enforcement authority to the new California Privacy Protection Agency (“CPPA” – yes, yet another unoriginal and confusing privacy law acronym to join CCPA, CPRA, CDPA, and CPA) on January 1, 2023. While the 30-day relief provision will remain in effect, CAPP’s approach to the applicable relief period is still unknown, although the OAG’s approach may create a business-friendly precedent.
- Targeted advertising disclosures presumed to be sales.
CCPA’s broad and vague definition of “sale” includes all exchanges of personal information for “monetary or other valuable consideration”. This definition has left some ambiguity as to whether the sharing of personal information as part of online behavioral advertising should be considered a âsaleâ.
The OAG Application Summaries strongly suggest that the OAG considers behavioral advertising disclosures as “sales” under the CCPA, at least in the absence of clear indications (such as a relationship with a service provider) that demonstrate the contrary. One summary, for example, explained that a pet industry website violated the CCPA by requiring consumers to “take additional steps to opt out by directing consumers to a third-party trade association tool. designed to handle online advertising â. The website corrected this violation by creating a “Do not sell my personal information” link and updating[ing] its web opt-out form which allowed consumers to opt out completely from the sale of personal information, including personal information that was exchanged for the purpose of targeted advertising. Likewise, another summary states that a “mass media and entertainment company” failed to provide a valid refusal-of-sale method because it “only referred consumers to a trade association’s tool. third party designed to manage online advertising “.
It is important to note that CPRA will definitively resolve this ambiguity by introducing a concept of âsharingâ which covers behavioral advertising disclosures. But the OAG’s characterizations in the case summaries indicate that companies that share personal information with third parties other than “service providers” as part of behavioral advertising activities should not wait for CPRA to develop a strategy. compliance to manage CCAC âsellâ requirements.
- Consumers and other third parties can send a notice of non-compliance.
Disturbingly for companies and their lawyers, an app summary suggests that a valid notice of non-compliance that begins the 30-day processing period may be provided by sources other than the OAG. The relevant summary provides that the publication by a consumer organization of a report finding that a data broker sold business contact directories without displaying a “Do not sell my personal information” link “provided notice of non-compliance with the CCPA at the company, in addition to a notice provided by the [OAG]. “
The OAG has doubled this interpretation by creating a tool on its website that allows individual consumers to create a notice of non-compliance to be emailed to businesses that do not offer a “Do not sell my personal information” link. The OAG summary also does not indicate whether the consumer organization sent a direct notice to the data broker, leaving open the question of whether the OAG interprets the CCPA as requiring even actual notice, or whether constructive advice might be sufficient.
In light of this ambiguity, businesses should carefully monitor communications from consumers and third-party sources involving business CCPA compliance. If the OAG becomes aware of the separate notice of non-compliance, this could provide the OAG with a basis to argue that the 30-day clock that measures the time required for the company to remedy the violation started when that notice. has been sent.
- Poor privacy policies and refusal to sell issues are the most common enforcement issues.
Companies should therefore ensure that their privacy policies meet all CCAC legal and regulatory requirements and assess their position regarding sales of personal information, including whether the company discloses data for behavioral advertising purposes.
Although the ACPL transfers enforcement authority to the CPPA on January 1, 2023, the OAG’s execution summaries still provide useful information to privacy lawyers about the OAG’s enforcement priorities and process. , and on its interpretation of existing CCPA requirements. And they can set precedents for the CPPA to follow once it goes into effect. Please contact any member of our team if you require assistance with CCPA or CPRA compliance efforts.