The California Attorney General’s Office began enforcing the California Consumer Privacy Act (“CCPA”) over a year ago and recently released a set of sample enforcement cases it has pursued against individual companies. The examples are anonymous and do not constitute a complete list of all enforcement cases, but the descriptions can provide useful guidance to businesses subject to the law. Even companies that typically deal with exempt personal information may find it useful to review the examples, as they demonstrate the AG’s enforcement strategy and enforcement priorities, and give an indication of how the AG interprets the provisions of the law.
The AG’s press release notes that companies currently have 30 days to remedy the suspected non-compliance after receiving a notice of suspected non-compliance. However, businesses should be aware that this 30-day period will end in 2023, when the CCPA changes as a result of the California Privacy Rights Act that was approved by California voters last year. Taking note of these examples now can help companies get a head start on their own CCPA compliance. Here is a brief summary of some important examples:
Relationship to entity receiving data for online advertising and analytics – is this a “sale” to a third party or a share with a service provider?
A striking number of examples focus on the use of data for targeted advertising and analytics. In several instances, the AG referred to companies engaging in targeted advertising involving the exchange of personal information, which the AG characterized as “selling” personal information, requiring opt-out rights and disclosures. In one example in particular, the AG referred to a retailer using third-party tracking technology on its website that was sharing data with advertisers about consumer shopping activity. The AG criticized the company for not having established a service provider relationship with the recipient advertiser.
Takeaway: Businesses need to thoroughly analyze who receives their data and how the relationship is characterized, including for online marketing and analytics purposes. Businesses using service providers should be reminded to enter into service provider agreements that contractually prohibit the service provider from retaining, using or disclosing personal information outside of what is permitted by law.
Third party trackers – what data is analyzed and how can consumers opt out of its use?
One example referred to the use of third-party trackers employed for site analytics purposes. However, the AG does not provide details on the nature of the data that is of concern for this example. In particular, how this data meets the definition of “personal information” under the CCPA is unknown at this point. Another example indicates that implementing a “global privacy control” browser extension that allows site visitors to refuse to allow third-party online trackers, such as cookies, to collect data may be necessary.
Takeaway: Businesses that have third-party trackers, such as cookies, present on their websites should consider whether granting opt-out rights or establishing relationships with service providers are appropriate responses.
Opt-out – what is an effective means?
In other instances, the AG has suggested that a business is failing to comply with opt-out requirements for online advertising simply by referring consumers to third-party trade association opt-out tools, perhaps a reference to tools made available by the Network Advertising Initiative and the Digital Advertising Alliance.
Takeaway: Businesses subject to CCPA opt-out rights should ensure that they do not use verification procedures, such as requiring government identification and a consumer invoice, before granting an opt-out request.
The company is a financial institution under the GLBA – does the company still have to think about CCPA compliance?
Yes. For example, car dealerships should consider personal information they collect that is not regulated by the Gramm-Leach-Bliley Act and is subject to the CCPA, because one enforcement example refers to a dealership that collected personal information from consumers taking a test drive without providing notice at collection.
Takeaway: Financial institutions should conduct data inventories to assess whether they collect or disclose data sets that are subject to the CCPA.
Privacy program – what do the policies say?
Looking at the examples, it is clear that the Attorney General is making an effort to ensure that privacy policies accurately and fully describe a company’s practices in handling personal information, including what information is collected, how it is used and how it is shared.
Takeaway: Businesses need to ensure that their privacy programs are integrated across the enterprise and capture all data practices, as well as changes to those practices. The examples also indicate that the AG pays attention to complaints submitted to it by consumers, so it is important that companies have a good complaints handling program and are responsive to consumer complaints.
The privacy program has been implemented – the case is over, isn’t it?
No. Businesses should be reminded that they may not be able to set up a CCPA compliance program and then leave it alone. The CCPA will change in 2023 as a result of the California Privacy Rights Act, adding new requirements for businesses subject to the law and transferring enforcement power to a new agency, the California Privacy Protection Agency. The agency is also starting a rule-making exercise to roll out regulations to reflect changes to the CCPA. And over time, as is the case with these enforcement examples, we will continue to learn more about regulators’ interpretation of the CCPA and enforcement priorities.
Takeaway: As with all good compliance programs, companies should implement a regular review of their CCPA compliance program to ensure that legal updates are recorded and adjustments are made for both changes in business practices and changes in the law, taking appropriate account of consumer complaints and demands.
Trained advisors can help businesses take smart compliance approaches to answer each of these questions as it applies directly to your business and its processes.
Companies can find the sample enforcement cases here: https://oag.ca.gov/privacy/ccpa/enforcement