CCPA Financial Penalties: Four Takeaways from the California AG’s $1.2 Million Enforcement Action that Should Inform Your Compliance Strategy
This action by the CAG gives some insight into the future of CCPA enforcement, even as the law is set for a statutory and regulatory update next year. The CAG’s press release summarizing the settlement is available here.
1. CAG Enforcement Set to Continue.
Although California’s new privacy agency, the California Privacy Protection Agency (“CPPA”), has CCPA enforcement authority, the CAG appears determined to continue enforcing the law, per its statutory authority to do so. Signaling only that enforcement may ramp up, the CAG reiterated that “[t]here are no more excuses” for a business’s failure to comply with the law (despite materially changing and unsettled regulations). Given the discussions of a potential federal law that would preempt most of the CCPA, the CAG was also likely sending a signal that a vigorously enforced California privacy law has value and should not be replaced.
Businesses should be alarmed by CAG’s treatment of the CCPA’s notice and cure period, pursuant to which businesses have 30 days to cure alleged CCPA violations. The notice and cure period becomes optional beginning in January 2023, and the CAG highlighted the cure period expiration in its press release on the Sephora settlement, likely signaling that the CAG will opt to not provide such a cure period starting next year.
2. Responding to the GPC is Mandatory.
The settlement underscores the CAG’s opinion that responding to the GPC as a request to opt out of “sales” is a mandatory aspect of complying with the CCPA. The CAG claimed that user-enabled privacy controls are a “game changer for consumers” and that businesses must process them as opt-out requests. That advice, significantly, seems to align with the CPPA’s understanding that responding to the GPC does not become optional when the California Consumer Privacy Rights Act (the “CPRA”) amends the CCPA next year. Businesses (and, as applicable, their privacy vendors) must immediately operationalize treating the GPC as a request to opt out of selling, at least at a browser level.
3. The CAG’s Priorities Remain Consistent.
The CAG’s enforcement priorities do not seem to have changed since last summer. Along with the settlement announcement, the CAG released information about a sweep of loyalty programs (available here) and new enforcement case examples (available here). Loyalty programs, which may constitute a “financial incentive” under the CCPA, and consumers’ right to opt-out of “sales” have long been a particular focus of the CAG since last summer.
The CAG may focus on financial incentives based on a belief that personal information collected through those programs is more valuable than the corresponding discounts offered to consumers. Businesses with loyalty programs should mitigate that risk by disclosing, with at least reasonable detail, that any discounts offered to consumers under a loyalty program are proportionate to any value obtained by businesses from collecting the consumers’ personal information.
In light of the CAG’s activity, businesses would be well-advised to review their websites and online trackers for CCPA compliance. The CAG and CPPA continue to promulgate regulations and bring enforcement actions regarding consumers’ right to opt out of sales in the context of online advertising/tracking. Such a focus is interesting for a few reasons. First, the CAG’s very broad interpretation of “selling” seems to make the forthcoming right for consumers to opt-out of “sharing” (sharing for cross-contextual advertising purposes) essentially obsolete. Second, the CCPA’s concept of “selling” is not confined to online tracking, but the CAG has a much easier time checking a website to see if “online” selling occurs rather than gathering information on a company’s backend information flows (i.e., “offline” selling). Third, many companies rely on service provider relationships to take (at least some) online tracking outside of the scope of “sales,” whereas the CAG complaint notes that Sephora did not have “valid” service provider agreements in place. As customers of online tracking technology are often forced to sign the provider’s paper, consider reviewing those agreements for CCPA service provider requirements following the Sephora settlement.
California continues to lead the way in U.S. privacy law, so it is critical to review your existing privacy program to make sure it’s prepared for additional regulatory scrutiny.
While we are pleased to have you contact us by telephone, surface mail, electronic mail, or by facsimile transmission, contacting Kilpatrick Townsend & Stockton LLP or any of its attorneys does not create an attorney-client relationship. The formation of an attorney-client relationship requires consideration of multiple factors, including possible conflicts of interest. An attorney-client relationship is formed only when both you and the Firm have agreed to proceed with a defined engagement.
DO NOT CONVEY TO US ANY INFORMATION YOU REGARD AS CONFIDENTIAL UNTIL A FORMAL CLIENT-ATTORNEY RELATIONSHIP HAS BEEN ESTABLISHED.
If you do convey information, you recognize that we may review and disclose the information, and you agree that even if you regard the information as highly confidential and even if it is transmitted in a good faith effort to retain us, such a review does not preclude us from representing another client directly adverse to you, even in a matter where that information could be used against you.