The California Office of Attorney General (OAG) is responsible for enforcing the California Consumer Privacy Act (CCPA) and began sending notifications of alleged non-compliance to companies on July 1, 2020. In June 2021, almost a year later, the OAG released 27 illustrative examples of alleged non-compliance and the actions taken by each company to respond to the non-compliance. Then in August 2022, the OAG released an update by adding an additional 13 illustrative examples of alleged non-compliance for a total of 40 examples.1

This is the first article in a three-part series which, collectively, will provide an update to the articles Ankura published in 2021 focused on the 27 illustrative examples to now include all 40 examples. This first article in this three-part series includes metrics on specific areas of CCPA non-compliance, our second article will focus on the industries that were targeted by the OAG, and our third article will focus on trends we observed between the 27 examples provided by the OAG in June 2021 compared to the 13 examples provided by the OAG in August 2022.

It is our understanding that the OAG sent hundreds of letters of non-compliance to companies since the CCPA was enacted and that the 40 examples are meant to be illustrative of situations in which they sent a notice of non-compliance. Under the CCPA, once a company is notified of alleged non-compliance, they have 30 days to address (or cure) that non-compliance.

In August 2022, the OAG announced a $1.2 million settlement with Sephora, Inc related to alleged violations of the CCPA whereby the OAG wrote, "After conducting an enforcement sweep of online retailers, the Attorney General alleged that Sephora failed to disclose to consumers that it was selling their personal information, that it failed to process user requests to opt-out of sale via user-enabled global privacy controls in violation of the CCPA, and that it did not cure these violations within the 30-day period currently allowed by the CCPA."

In January 2023, the 30-day right to cure will sunset when the California Privacy Rights Act (CPRA) takes effect.

Analysis of Non-Compliance Actions

In August 2021, Ankura published an article examining the Top CCPA Non-Compliance Actions as of June 2021. Ankura reviewed the initial 27 illustrative examples to identify enforcement trends and guide companies on where to focus their compliance efforts. Ankura identified 64 discrete non-compliant actions across the 27 examples and grouped results into 16 categories of alleged non-compliance. Our analysis showed that the top categories of alleged non-compliance related to organizations failing to disclose information related to consumers' rights and failing to properly address "Do Not Sell My Personal Information" requirements.

We recently updated the analysis to include new examples published by the OAG in 2022. Ankura identified a total of 97 discrete non-compliant actions across the 40 examples. The chart below shows the 97 discrete non-compliant actions grouped into 16 categories of alleged non-compliance.

ID

Description of Non-Compliance

2021

2022

Total

Total (%)

1

Missing Method to Submit Requests or Missing Proper Instructions Related to Consumer Rights

15

6

21

22%

2

Missing Reference to Sale Position (e.g., "No knowledge of sales in prior 12 months")

9

3

12

12%

3

Missing Do Not Sell My Personal Information Link or Opt-Out Process

9

5

14

14%

4

Missing Pre-Collection Notice at Point of Collection

8

2

10

10%

5

Missing Consumer Rights Instructions Regarding Discrimination

4

4

4%

6

Privacy Notice or Opt-Out Process was Hard to Understand and Needed Revisions

3

9

12

12%

7

Missing Identification in Notice as Being a Service Provider

3

3

3%

8

Missing Service Provider Clauses in Contract

2

2

2%

9

Missing Categorical Information related to Personal Information Disclosures

2

2

2%

10

Missing Notice Requirements for Minors and/or Obtaining Parental Consent

2

2

2%

11

Invalid Consent Mechanism for Sharing Personal Information

1

1

1%

12

Missing Notice Disclosure About What was Sold

1

1

1%

13

Not Responding to Requests in a Timely Manner

1

1

1%

14

Missing Notice of Financial Incentive

1

1

2

2%

15

Missing Instructions for Authorized Agents

2

1

3

3%

16

Global Privacy Control Was Not Functioning

1

6

7

7%

Total

64

33

97

100%


Key Takeaways

The OAG is focused on:

  • Notice of Financial Incentives – If a company is operating a loyalty program that offers financial incentives, they will need to provide a compliant Notice of Financial Incentives that:
    • Is provided at or prior to the point of collection of personal information
    • Includes material terms
    • Allows for express opt-in consent
    • Allows participants to easily withdraw from the program
  • Honoring of Global Privacy Controls (GPCs) – There is no ambiguity here that the CA OAG expects companies to honor these Global Privacy Controls through their cookie solution.
  • Opt-Out of Sale Rights – If a company is selling data, they must ensure that:
    • Their privacy notice makes it clear that they are selling data
    • Individuals can easily opt-out of that sale of data
    • The opt-out solution is clear and easy to understand
    • The opt-out solution is handled directly and does not require the individual to go to a third-party to execute their request
  • Privacy Rights –Extending privacy rights to individuals, including providing them with:
    • A notice of their rights
    • Alternate methods to request their rights
    • Instructions for agents to make requests
    • A fully functioning solution that is accessible, easy to understand, and not overly complex
    • A fully trained privacy rights team to adjudicate requests
  • Privacy Notices and DisclosuresProviding individuals with clear, easy to understand, and compliant privacy notices at or prior to the point of collection

Our next article in this series will focus on the industries that were targeted by the OAG and our final article will focus on trends we observed in OAG enforcement actions from 2021 compared to 2022.

Footnote

1. https://oag.ca.gov/privacy/ccpa/enforcement. Retrieved October 25, 2022.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.