On August 24, 2022, the California Office of Attorney General (OAG) published a summary of 13 CCPA investigations, “illustrative” of situations in which notices of alleged noncompliance were sent and remedial measures were implemented.  Note that the CCPA’s mandatory notice-and-cure period will expire on January 1, 2023.  Following that, the California Privacy Protection Agency will have the discretion to grant cure periods.

Some key trends include:

  • Several of the cases involved allegedly noncompliant notices.
  • Some of the investigations followed up on complaints that consumers made to the OAG regarding CCPA compliance.
  • Multiple cases involved alleged violations related to the sale opt-out.

We summarize the 13 examples below.

  • Sale opt-outs.  Multiple online retailers used web tracking technologies to allegedly provide consumers’ personal information to third parties, but did not process consumer requests to opt out via a global privacy control (“GPC”) (which the AG claimed was required by CCPA regulations), or ensure that the third-party recipients of consumers’ personal information were CCPA-compliant service providers.
    • Cure:  The retailers updated their service-provider contracts, adopted technology to send “restricted use” signals to third-party recipients, and blocked certain transfers of personal information upon the detection of a GPC.
  • Notices of financial incentives.  Multiple retailers (including in the clothing, home goods, and hospitality sectors) operated loyalty programs that allegedly offered financial incentives for the collection of consumers’ personal information, but did not post a notice of financial incentives. 
    • Cure:  The businesses posted or revised financial incentive notices (e.g., at cash registers or via “deep links”) and revised their enrollment methods.
  • Consumer rights notice and mechanisms.  A technology company allegedly did not provide notice of required CCPA consumer rights or disclose the methods by which consumers could exercise these rights, and did not expressly state whether it had sold personal information or provide a “clear and conspicuous” do-not-sell link. 
    • Cure:  The business revised its privacy policy, implemented two request methods, and added a do-not-sell link.
  • Complaints on social media of healthcare company’s handling of consumer requests. In response to consumers criticizing how a healthcare company responded to certain requests, the AG alleged that the company treated certain access requests as deletion requests, and permanently deleted the personal information of these consumers. 
    • Cure: The business introduced staff training and revised its processes for responding to consumer access and deletion requests.
  • Medical device company and sale opt out. A medical device company allegedly required consumers to accept its privacy policy and terms of service in order to exercise their CCPA rights.  The AG also claimed that the business did not provide an opt-out mechanism regarding the sale of personal information and instead directed consumers to a third-party trade association’s tool designed to manage online advertising. 
    • Cure:  The business removed the restrictions on consumers’ exercise of their CCPA rights, added a do-not-sell link, and updated its webform.
  • Telehealth company’s privacy policy.  A telehealth business’s privacy policy allegedly did not contain certain required disclosures, such as the categories of personal information collected or disclosed within the previous year, and the business’s “notice at collection” hyperlinks allegedly directed consumers to the wrong section of its privacy policy. 
    • Cure: The business updated its privacy policy to include the required disclosures, and introduced “deep-links” directing consumers to the notice-at-collection section of its privacy policy.
  • Fitness business’s opt-outs.  A fitness business’s website contained a do-not-sell page that the AG alleged included unclear language and toggle options (e.g., the toggle for Do Not Sell was “on/off”).  The business’s privacy policy also directed consumers to a third party’s tool to manage online advertising and cookie preferences. 
    • Cure:  The business streamlined its opt-out options, including by adopting an “easy to understand toggle,” and revised its privacy policy to explain its use of third-party cookies and to enable consumers to fully opt out of the sale of personal information.
  • FinTech privacy policy and opt-outs.  A FinTech business that offers financial services to minors operated a mobile app that allegedly did not notify consumers at or before the point of collection about the categories of personal information collected and the purposes for which information would be used.  It also allegedly did not state whether it sold personal information in the privacy policy.
    • Cure.  The business updated its privacy policy to indicate that it did not sell personal information of consumers under 18 years old, added a do-not-sell opt-out link to its homepage for consumers over the age of 18, and added a link to the first screen of its mobile app that included the categories of personal information collected and purposes for which information would be used.
  • People search opt-outs.  A business operating a people search website allegedly provided only one method for the submission of requests, and required consumers to agree to its terms of service and privacy policy.  The AG described this process as “onerous.” A “Do Not Sell My Personal Information” link also allegedly only worked on certain browsers.
    • Cure.  In response, the business took steps to ensure that its sale opt-out link worked on all browsers, revised its California Privacy Page to simplify processes for submitting consumer requests, and provided consumers with alternative methods to submit such requests. The business also agreed to email all consumers who submitted CCPA requests within the prior two years but did not complete verification.
  • Clothing retailer’s opt-outs.  A clothing retailer’s “Do Not Sell My Personal Information” link discussed managing cookies and similar technologies but allegedly did not provide an opt-out mechanism. 
    • Cure.  In response, the business updated its opt-out mechanism by offering all consumers—including non-Californians—the option to opt out of the sale of personal information, separate from its cookie preferences option.
  • Technology platform’s opt-outs and requests to know.  A technology platform allegedly did not allow consumers to submit opt-out requests or requests to know via authorized agents, and did not train those handling consumer inquiries. 
    • Cure.  The business implemented a mechanism to allow consumers to submit requests via authorized agents, updated its privacy policy accordingly, and conducted a training for its employees that covered authorized agent requests. It also initiated a technical solution to block all third-party advertising cookies for anyone visiting its website using a CA IP address.
  • Wireless network provider’s response to requests.  A consumer notified a wireless network provider that their online CCPA portal allegedly was not functional.
    • Cure.  The business explained the measures it had taken to ensure that its online CCPA portal was functioning, and implemented a process for responding to other online CCPA requests (which included responding to the GPC).
  • Advertising service’s privacy disclosures and opt-outs.  An advertising service’s privacy policy allegedly did not contain all required CCPA disclosures, while other disclosures and opt-out methods were allegedly incomprehensible to the average consumer or contained nonfunctional hyperlinks. 
    • Cure.  The business revised its privacy policy and hired a user experience designer to improve its opt-out function.

Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on managing privacy, cyber security, and artificial intelligence risks, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with U.S. and global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state laws, including the California Consumer Privacy Act, the Colorado AI Act, and other state laws. As part of her practice, she also regularly represents clients in strategic transactions involving personal data, cybersecurity, and artificial intelligence risk and represents clients in enforcement and litigation postures.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations. 

Chambers USA 2024 ranks Libbie in Band 3 Nationwide for both Privacy & Data Security: Privacy and Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Christina Higgins

Christina Higgins is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Christina advises leading businesses on a wide array of cyber security and data privacy compliance issues across various industries, including technology services, big pharma, professional sports, and financial services. Her practice also includes providing strategic advice on internal investigations and cyber security incident response, ranging from advanced persistent threats to theft or misuse of internal information.

Christina’s practice also focuses on regulatory matters and government investigations, where she represents clients in FTC and State AG investigations involving allegations of unfair or deceptive privacy, data security, and marketing practices.

Rachel Bercovitz

Rachel Bercovitz is an associate in the firm’s Washington, DC office, where she is a member of the Litigation and Data Privacy and Cybersecurity groups. She maintains an active pro bono practice, with a particular focus on gun violence prevention.