The California AG’s office is the key enforcement agency for the California Consumer Privacy Act (CCPA). While the AG’s office does not release specific details about ongoing investigations or enforcement actions, it does share useful information about enforcement actions without disclosing particulars.
California’s Department of Justice began enforcement of the CCPA on July 1, 2020. The CCPA grants businesses 30 days to cure or fix breaches and/or alleged violations. Failure to cure breaches can result in enforcement fines of $2,500-$7,500 per violation, and can also carry exposure to fines from consumer actions.
To assist businesses and consumers in understanding enforcement efforts, below are a few detailed examples, showing extensive CCPA enforcement across multiple industries:
- A business that operates a social media network did not contractually prohibit its service providers from retaining, using, or disclosing personal information received for any purpose other than performing the services specified in the contracts. After being notified of alleged noncompliance, the business modified its service provider contracts by adding CCPA-specific addendums.
- An online dating app was forcing users to accept sharing of their personal information whenever they signed up for the online dating service. The platform also did not have the required “do not share” link. After receiving notice of violation and working collaboratively with the AG’s office, the company cured the violations and added the required link.
- A grocery chain required consumers to provide their personal information in exchange for participation in its loyalty program. Yet it failed to provide a notice of a financial incentive to participating consumers. Upon receiving a notice of the violation, the company promptly took corrective action.
- A business that operates a mobile app game installed software from a third-party mobile advertising platform that made available the personal information of its players, including minors aged 13 to 15 years old. The business did not provide an opt-out mechanism to adults or obtain an opt-in for minors. After being notified of alleged noncompliance, the business removed the ad software and instituted other privacy protections directed at younger users, including age-gating and parental verification features.
- A business that sells electronics maintained third-party online trackers on its retail website that shared data with advertisers about consumers’ online shopping. The business neither imposed a service provider contractual relationship on these third parties, nor processed consumers’ requests to opt-out that were submitted via a user-enabled global privacy control, e.g., a browser extension that signaled the GPC. After being notified of alleged noncompliance, the company worked with its privacy vendor to effectuate consumer opt-out requests and avoid sharing personal information with third parties under conditions that amounted to a sale in violation of the CCPA.
- A data broker posted a “Do Not Sell My Personal Information” link that did not work. The business also required verification – in the form of copies of government identification and a bill showing the consumer’s address – before honoring requests to opt-out of the sale of personal information. The data broker also required consumers to create an account in order to make a verifiable consumer request. After being notified of alleged noncompliance, the business updated its “Do Not Sell My Personal Information” link, no longer requires that consumers be verified to opt-out of the sale of personal information, and no longer requires customers to create an account in order to make a CCPA request.
A more detailed list of enforcement examples published by the AG’s office may be found at the following link: https://oag.ca.gov/privacy/ccpa/enforcement. These examples do not include all the facts, but they do provide some important indications as to how the California AG’s office is approaching enforcement and what businesses should pay attention to.