California Consumer Privacy Act Brings Changes to the Litigation Landscape
The California Consumer Privacy Act (CCPA) provides consumers with groundbreaking rights over their personal information. Attorney General Rob Bonta reported that upon receiving a notice of alleged violation, 75% of businesses acted to come into compliance within the 30-day statutory cure period. The remaining 25% of businesses that received a notice of alleged violation are either within the 30-day cure period or are under active investigation. In addition, the California Department of Justice is seeing a wide range of numbers of consumer requests reported by businesses as required under the law. Among similarly sized and scoped companies, some have reported requests in the millions while others in the hundreds. Attorney General Bonta also launched a new online tool that allows consumers to directly notify businesses of potential violations.
“Enforcement of the CCPA marks an enormous step for privacy protection in California, particularly at this time after the COVID-19 pandemic moved so much of our lives online. We’re happy to announce that we are seeing great progress with our CCPA enforcement, but there’s more work to be done,” said Attorney General Bonta. “Plain and simple: Exercise your rights under the CCPA. Any Californian is empowered to opt out of the sale of their personal information online. Consumers can also join our enforcement efforts with our new Data Privacy Protection Tool that allows anyone to notice a business that appears to be out of compliance with CCPA.”
On July 1, 2020, the California Department of Justice began enforcing the CCPA by notifying businesses found not to be in compliance with the law. Under the CCPA, businesses that received notices had 30 days to cure or fix the alleged violation before an enforcement action can be initiated. Notices to cure have been issued to entities, including data brokers, marketing companies, businesses handling children’s information, media outlets, and online retailers.
Examples of notices to cure include:
• A business that manufactures and sells cars failed to notify consumers of the use of personal information when collecting personal information from consumers seeking to test-drive vehicles at a dealership location, in addition to other omissions in its privacy policy. After being notified of alleged noncompliance, the business implemented a notice at collection for personal information received in connection with test drives and updated its privacy policy to include required information.
• A grocery chain required consumers to provide personal information in exchange for participation in its company loyalty programs. The company did not provide a Notice of Financial Incentive to participating consumers. After being notified of alleged noncompliance, the company amended its privacy policy to include a Notice of Financial Incentive.
• A social media app was not timely responding to CCPA requests, and users publicly complained that they were not receiving notice that their CCPA requests had been received or effectuated. The business explained its response processes and submitted detailed plans showing that it updated its CCPA consumer response procedures to include timely receipt confirmations and responses to future requests.
• An online dating platform that collected and sold personal information did not have a “Do Not Sell My Personal Information” link on its homepage and disclosed that a user clicking an “accept sharing” button when creating a new account was sufficient to establish blanket consent to sell personal information. After being notified of alleged noncompliance, the business added a clear and conspicuous “Do Not Sell My Personal Information” link and updated its privacy policy with compliant sales disclosures.
Attorney General Bonta this summer also launched a new online Consumer Privacy Tool that allows consumers to directly notify businesses that do not have a clear and easy-to-find “Do Not Sell My Personal Information” link on their homepage.
As part of the CCPA, businesses are required to have a link to their privacy policy on their website at the bottom of the homepage. Businesses that sell personal information about consumers must also include a “Do Not Sell My Personal Information” link on their websites or mobile apps. The tool, available at oag.ca.gov, asks guided questions to walk consumers through the basic elements of the CCPA before generating a notification that the user can then email to the business. This email may trigger the 30-day period for the business to cure their violation of the law, which is a prerequisite to the Attorney General bringing an enforcement action. The tool does not constitute legal advice.
Finally, Attorney General Bonta encouraged all Californians to utilize their privacy rights. Under the CCPA, California consumers have the following rights:
• Right to Know: Consumers may request that a business tell them what specific personal information they have collected, shared or sold about them, and why it was collected, shared, or sold.
• Right to Delete: Consumers may request that a business delete personal information that the business collected from the consumer, subject to some exceptions.
• Right to Opt-Out: If a business sells their personal information, consumers may request that it stop doing so.
• Rights for Minors: A business cannot sell the personal information of minors under the age of 16 without their permission and, for children under 13, without parental consent.
• Right to Non-Discrimination: A business may not discriminate against consumers who exercise their rights under the CCPA.
For more information about the CCPA, visit oag.ca.gov/ccpa.