2022 Update – Overview of California AG’s Examples of CCPA Non-Compliance


The California Office of Attorney General (OAG) is responsible for enforcing the California Consumer Privacy Act (CCPA) and began sending notices of alleged non-compliance to businesses on July 1, 2020. In June 2021, nearly a year later, the OAG released 27 illustrative examples of alleged non-compliance and the actions each company has taken to respond to the non-compliance. Subsequently, in August 2022, the OAG issued an update adding another 13 illustrative examples of alleged non-compliance for a total of 40 examples.1

This is the first article in a three-part series that updates the articles Ankura published in 2021 on the first 27 illustrative examples so that they now cover all 40 examples. This first article presents statistics on the specific areas of CCPA non-compliance; the second will focus on the industries targeted by the OAG; and the third will focus on the trends we observed between the 27 examples the OAG provided in June 2021 and the 13 examples it provided in August 2022.

We understand that the OAG has sent hundreds of letters of non-compliance to companies since the CCPA went into effect and that the 40 examples are intended to illustrate situations where they have sent a notice of non-compliance. Under the CCPA, once a company is made aware of alleged non-compliance, it has 30 days to address (or remedy) that non-compliance.

In August 2022, the OAG announced a $1.2 million settlement with Sephora, Inc. related to alleged violations of the CCPA, with the OAG writing: “… selling their personal information, that it will not accept users’ requests to opt out of sales through user-enabled global privacy controls in violation of the CCPA, and that it has not remedied these violations within the 30-day period currently permitted by the CCPA.”

In January 2023, the 30-day cure right expires when the California Privacy Rights Act (CPRA) goes into effect.

Analysis of non-compliance actions

In August 2021, Ankura published an article examining key CCPA non-compliance actions as of June 2021. Ankura reviewed the first 27 illustrative examples to identify enforcement trends and guide companies in focusing their compliance efforts. Ankura identified 64 separate non-compliance actions in the 27 samples and grouped the results into 16 categories of alleged non-compliance. Our analysis found that the main categories of alleged non-compliance involved organizations that failed to disclose information related to consumer rights and failed to properly comply with “Do Not Sell My Personal Information” requirements.

We recently updated the analysis to include the new examples the OAG published in 2022. Ankura identified a total of 97 separate non-compliance actions in the 40 samples. The table below shows the 97 individual non-compliance actions grouped into 16 categories of alleged non-compliance.

| ID | Description of non-compliance | 2021 | 2022 | Total | Share (%) |
|---|---|---|---|---|---|
| 1 | Missing method to submit requests or missing proper instructions regarding consumer rights | 15 | 6 | 21 | 22% |
| 2 | Missing statement on sales (e.g., “no sales in the preceding 12 months”) | 9 | 3 | 12 | 12% |
| 3 | Missing “Do Not Sell My Personal Information” link or opt-out process | 9 | 5 | 14 | 14% |
| 4 | Missing notice at collection | 8 | 2 | 10 | 10% |
| 5 | Missing consumer rights instructions regarding non-discrimination | 4 | | 4 | 4% |
| 6 | Privacy statement or opt-out process was difficult to understand and needed to be revised | 3 | 9 | 12 | 12% |
| 7 | Missing identification as a service provider in the privacy notice | 3 | | 3 | 3% |
| 8 | Missing service provider clauses in contracts | 2 | | 2 | 2% |
| 9 | Missing categories of personal information disclosed | 2 | | 2 | 2% |
| 10 | Missing notice requirements for minors and/or obtaining parental consent | 2 | | 2 | 2% |
| 11 | Invalid consent mechanism for sharing personal information | 1 | | 1 | 1% |
| 12 | Missing disclosure of what personal information has been sold | 1 | | 1 | 1% |
| 13 | Failure to respond to requests in a timely manner | 1 | | 1 | 1% |
| 14 | Missing notice of financial incentive | 1 | 1 | 2 | 2% |
| 15 | Missing instructions for authorized agents | 2 | 1 | 3 | 3% |
| 16 | Global Privacy Control (GPC) signal not honored | 1 | 6 | 7 | 7% |
| | Total | 64 | 33 | 97 | 100% |

A blank 2022 cell means the category did not appear among the 13 examples added in 2022 (the column totals of 64 and 33 confirm this).

Key learning points

The OAG focuses on:

  • Notice of Financial Incentives – If a company operates a loyalty program that offers financial incentives, it must provide a compliant financial incentive notice that:

    • Is provided at or prior to the point of collection of personal information

    • Includes the material terms of the program

    • Obtains explicit opt-in consent

    • Allows participants to easily withdraw from the program

  • Compliance with Global Privacy Control (GPC) – There is no doubt that the CA OAG expects companies to respect these Global Privacy Control signals through their cookie solution.

  • Opt-out of sale rights – If a company sells data, it must ensure that:

    • Its privacy statement makes it clear that it sells data

    • Individuals can easily opt out of those sales of data

    • The opt-out solution is clear and easy to understand

    • The opt-out solution is handled directly and does not require the person to go to a third party to fulfill their request

  • Privacy rights – Expanding privacy rights for individuals, including providing:

    • A notice of their rights

    • Alternative methods to request their rights

    • Instructions for agents to make requests

    • A fully functional solution that is accessible, easy to understand and not too complicated

    • A fully trained privacy rights team to review requests

  • Privacy Statements and Disclosures – Provide individuals with clear, easy-to-understand and compliant privacy statements at or prior to the point of collection
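Because the GPC and opt-out-of-sale points above (and category 16 in the table) turn on whether a site actually acts on the signal, here is an added JavaScript example, not from the article or from Ankura, of a consent-resolution check that treats the `Sec-GPC: 1` request header or `navigator.globalPrivacyControl` as an opt-out of sale and suppresses sale-related tags. The helper names, the stored-choice values and the tag inventory are assumptions for the example; the header and navigator property are the mechanisms the GPC specification defines.

```javascript
// Added example (not from the article): resolving a visitor's opt-out-of-sale
// status from Global Privacy Control (GPC). GPC arrives two ways: the
// `Sec-GPC: 1` request header (server side) and `navigator.globalPrivacyControl`
// (client side). Helper names and the sample tag list are assumptions.

const GPC_HEADER = "sec-gpc";

// Header names are case-insensitive; only the literal value "1" is a signal.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === GPC_HEADER) {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Client-side check; pass `navigator` in a browser, or a stub in tests.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// A GPC signal is treated as an opt-out request, so it wins over a stored
// "allow" choice from an earlier banner; a stored opt-out is honoured too.
function resolveSaleConsent({ headers, nav, storedChoice } = {}) {
  if (gpcFromHeaders(headers) || gpcFromNavigator(nav)) {
    return { saleAllowed: false, source: "gpc" };
  }
  if (storedChoice === "opt-out") {
    return { saleAllowed: false, source: "stored" };
  }
  return { saleAllowed: true, source: "default" };
}

// Constructed tag inventory: only tags flagged `sells` pass data to third
// parties in a way the site classifies as a sale, so only they are suppressed.
const TAGS = [
  { id: "analytics", sells: false },
  { id: "ad-retargeting", sells: true },
  { id: "affiliate-pixel", sells: true },
];

function tagsToLoad(consent, tags = TAGS) {
  return tags.filter((t) => consent.saleAllowed || !t.sells).map((t) => t.id);
}

// Constructed request: GPC set although an earlier banner recorded "allow".
console.log(tagsToLoad(resolveSaleConsent({ headers: { "Sec-GPC": "1" }, storedChoice: "allow" }))); // [ 'analytics' ]
```

In a real deployment the server-side branch runs where the request headers are available and the client-side branch runs in the tag manager before any sale-related tag is fired.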

Our next article in this series will focus on the industries targeted by the OAG and our final article will focus on trends we observed in OAG enforcement from 2021 as compared to 2022.

Footnote

1. https://oag.ca.gov/privacy/ccpa/enforcement. Retrieved October 25, 2022.
