CCPA Enforcement Tracker


The California AG’s office is the key enforcement agency for the California Consumer Privacy Act (CCPA). While the AG’s office does not release specific details about ongoing investigations or enforcement actions, it does share useful information about enforcement actions without disclosing particulars.

California’s Department of Justice began enforcement of the CCPA on July 1, 2020. The CCPA grants businesses 30 days to cure or fix breaches and/or alleged violations. Failure to cure breaches can result in enforcement fines of $2,500-$7,500 per violation and can also carry exposure to fines from consumer actions.

To assist businesses and consumers in understanding enforcement efforts, below are a few detailed examples, showing extensive CCPA enforcement across multiple industries:

  1. A business that operates a social media network did not contractually prohibit its service providers from retaining, using, or disclosing personal information received for any purpose other than performing the services specified in the contracts. After being notified of alleged noncompliance, the business modified its service provider contracts by adding CCPA-specific addendums.
  2. An online dating app was forcing users to accept sharing of their personal information whenever they signed up for the online dating service. The platform also did not have the required “do not share” link. After receiving notice of violation and working collaboratively with the AG’s office, the company cured the violations and added the required link.
  3. A car manufacturer failed to notify its consumers of the use of their personal information that it collected whenever they signed up for test drives. After the AG’s notice of violation, the company implemented a notice at collection and further updated its privacy policy to include the requisite information.
  4. A grocery chain required consumers to provide their personal information in exchange for participation in its loyalty program. Yet it failed to provide a notice of a financial incentive to participating consumers. Upon receiving a notice of the violation, the company promptly took corrective action.
  5. A mass media and entertainment business did not provide consumers with any methods to opt-out of the business’s sale of their personal information. The business only directed consumers to a third-party trade association’s tool designed to manage online advertising. The business’s privacy policy and notice of right to opt-out also did not include required information about how consumers or their agents could exercise their opt-out rights. The business also did not have a notice at collection and lacked a “Do Not Sell My Personal Information” link on several of its digital properties. After being notified of alleged noncompliance, the business updated its opt-out process, privacy policy, and notices to address these issues, and added the “Do Not Sell My Personal Information” link to all of its digital properties.
  6. A business that operates a mobile app game installed software from a third-party mobile advertising platform that made available the personal information of its players, including minors aged 13 to 15 years old. The business did not provide an opt-out mechanism to adults or obtain an opt-in for minors. After being notified of alleged noncompliance, the business removed the ad software and instituted other privacy protections directed at younger users, including age-gating and parental verification features.
  7. A business that launched a social media platform and advertised itself as being pro-privacy failed to inform consumers about their CCPA rights. The business also exchanged personal information about users’ online activities with various third-party analytics providers but did not post the required notices or provide consumers with methods to opt-out of the sale of personal information. After being notified of alleged noncompliance, the company updated its privacy policy and removed all third-party trackers from its app and website.
  8. A business that sells electronics maintained third-party online trackers on its retail website that shared data with advertisers about consumers’ online shopping. The business neither imposed a service provider contractual relationship on these third parties, nor processed consumers’ requests to opt-out that were submitted via a user-enabled global privacy control, e.g., a browser extension that signaled the GPC. After being notified of alleged noncompliance, the company worked with its privacy vendor to effectuate consumer opt-out requests and avoid sharing personal information with third parties under conditions that amounted to a sale in violation of the CCPA.
  9. A data broker posted a “Do Not Sell My Personal Information” link that did not work. The business also required verification – in the form of copies of government identification and a bill showing the consumer’s address – before honoring requests to opt-out of the sale of personal information. The data broker also required consumers to create an account in order to make a verifiable consumer request. After being notified of alleged noncompliance, the business updated its “Do Not Sell My Personal Information” link, no longer requires that consumers be verified to opt-out of the sale of personal information, and no longer requires customers to create an account in order to make a CCPA request.

A more detailed list of enforcement examples published by the AG’s office may be found at the following link: https://oag.ca.gov/privacy/ccpa/enforcement. These examples do not include all the facts, but they do provide some important indications as to how the California AG’s office is approaching enforcement and what businesses should pay attention to.
