Just in time for Data Privacy Day, the California attorney general (“California AG”) announced a new round of privacy investigations targeting the retail, travel, and food service industries. The investigative sweep will focus on “popular apps” that allegedly fail to honor consumer requests to opt out of the “sale” of their personal information. The sweep will also review responses to requests sent on behalf of consumers by authorized agents such as the “Permission Slip” application developed by Consumer Reports. Even with the considerable attention owed to the new requirements of the California Privacy Rights Act (“CPRA”)—which amends and expands on the California Consumer Privacy Act (“CCPA”)—along with the significant recent activity by the California Privacy Protection Agency, businesses should not overlook their ongoing obligations to comply with the CCPA prior to the CPRA’s enforcement beginning on July 1, 2023.
As with prior sweeps, the California AG has focused on the availability of opt-out rights under the CCPA. The CCPA requires that businesses that “sell” personal information provide consumers with the ability to opt out of such sales. The definition of “sell” includes any disclosure of personal information for both monetary and non-monetary (“other valuable”) consideration, which the California AG has interpreted to include many disclosures in the context of online behavioral advertising. Last year, the California AG released numerous examples of CCPA enforcement it had launched in which businesses in industries ranging from tech to healthcare to fitness were required to cure alleged CCPA violations. Many of those alleged violations involved purported failures to provide opt-out rights or providing those rights through mechanisms that were deemed to be confusing or misleading.
Additionally, in its August settlement with Sephora, following an earlier “enforcement sweep of online retailers,” the California AG argued that Sephora violated the CCPA by failing to honor opt-out requests sent through user-enabled privacy signals like Global Privacy Control. Specifically, the California AG alleged that Sephora installed tracking software on its website and app that provided third parties with information on consumers, which the California AG considered a sale under the CCPA. Although the settlement contained no admissions by Sephora, the retailer agreed to pay $1.2 million in penalties, implement a program to assess and monitor whether it effectively processes opt-out requests, and comply with other injunctive relief. With the California AG’s ongoing focus on these issues, along with the CPRA’s new right to opt out of the “sharing” of personal information for purposes of cross-contextual behavioral advertising, businesses that have not already done so should carefully assess whether and how to provide the ability to opt out of any such “sales” or “sharing.”
The sweep also draws attention to the continuing role of the California AG in CCPA enforcement even after the CPRA has gone into operation. Although the California Privacy Protection Agency may now also investigate potential CCPA/CPRA violations and issue fines of up to $2,500 per violation (or $7,500 for intentional violations or violations involving children’s data), the California AG retains the right to bring civil actions enforcing the laws. The penalties available through such actions are likewise up to $2,500 or $7,500 per violation, and the proceeds of any such penalties or settlements, as with the fines imposed by the California Privacy Protection Agency, will go to the California Consumer Privacy Fund, which is available to fund future enforcement, among other things.