California AG Offers CCPA Enforcement Summaries, Launches Complaint Handling Tool
On July 19, the California Attorney General’s Office (OAG) issued a press release summarizing its first year of CCPA enforcement. Seventy-five percent of businesses receiving an adjustment notice reportedly came into compliance within the 30-day timeframe, and 25% are still within that timeframe or are under investigation. The OAG also released summaries of 27 exemplary resolved cases. The OAG has been careful to note that the summaries are not advice and do not include all the facts, but they do offer some leads nonetheless. Unfortunately, the summaries often lack sufficient detail to allow readers to infer the enforcement position taken by the OAG, the exact nature of the alleged violations, or the specific actions taken by the company that satisfied the OAG's investigation.
Most of the summaries deal with gaps in notices and inadequate disclosures, including those on financial incentives (e.g., loyalty programs), and with inadequacies of consumer rights request programs. However, three of them, which are reproduced verbatim below (emphasis added), inform the application of “do not sell” to digital tracking technologies (e.g., cookies). One of those three is directly related to global privacy control signals (a topic the OAG has recently emphasized). These cases seem to indicate that collection by a third-party cookie provider, absent a service provider commitment by that provider, may be a “sale” to that provider (a position that the OAG has advanced in enforcement actions that we are aware of) and that this should be tied directly to the “Do Not Sell” link and tool:
The Pet Industry website updated its opt-out web form allowing consumers to opt out of all sales of personal information
Industry: Pet industry
Problem: authorized agent; Sales of personal information
A company that operates an online pet adoption platform has required that an authorized consumer agent submit a notarized verification when invoking CCPA rights. The company’s disclosures regarding its data sale were also confusing, and the company did not appear to provide a mechanism for consumers to opt out of the sale of their personal information. The company also urged consumers to take additional steps to unsubscribe, directing consumers to a third-party trade association tool designed to manage online advertising. After being informed of the alleged non-compliance, the company removed the notarization requirement for agents, added a link “Do not sell my personal information”, and updated its opt-out web form which allowed consumers to opt out completely from the sale of personal information, including personal information that was exchanged for targeted advertising.
Updated opt-out process and media conglomerate notice
Industry: mass media and entertainment
Problem: Non-compliant withdrawal process; Notice to Consumers
Manufacturer and retailer stop selling personal information
Industry: Consumer electronics
Problem: Sales of personal information
A company that sells electronics maintained third-party online trackers on its retail website that shared data with advertisers about consumers’ online purchases. The company has neither imposed a contractual relationship of service provider on these third parties, nor processed consumer withdrawal requests that have been submitted through a user-activated global privacy check, for example, a browser extension that reported GPC. After being informed of the suspected non-compliance, the company worked with its privacy provider to complete consumer opt-out requests and avoid sharing personal information with third parties under conditions that amounted to a sale in violation of the CCPA.
[Emphasis added.] The main cookie consent management platforms (CMPs) have the ability to link “do not sell” consumer rights requests to the deactivation of certain sets of cookies designated by the publisher, and to code that does the same when the GPC signal is present. In addition, the Internet Advertising Bureau has a CCPA signal framework and program, supported by some CMPs, that may convert participating cookies from sales to service provider-only processing. Publishers who have delayed implementing such potential solutions should reconsider the matter in light of these summaries.
In addition, the OAG announced the launch of a new consumer complaint tool that allows consumers to answer certain blocking questions to create a notice of non-compliance that can be sent to a business, which the OAG claims “may” begin the 30-day cure period prescribed by Section 1798.155.
Businesses must update their California privacy notices annually, usually starting January 1. We recommend doing so through an assessment of current CCPA compliance in light of the final regulations, the summaries of initial enforcement actions, and other OAG guidance. This will also be a good opportunity to conduct a gap analysis to determine what changes will be needed before 2023 to comply with the state’s new privacy laws that will then come into effect.
© Copyright 2021 Squire Patton Boggs (US) LLP. National Law Review, Volume XI, Number 202