CCPA Enforcement in the News

Results of a recent California Consumer Protection Act (CCPA) investigation reveal the impact that privacy regulations can have on brands that violate new laws. Here’s what you need to know to stay compliant, build trust with customers, and protect your business from expensive consequences. A recent investigation by the California Attorney General (AG) against a large retailer found that the retailer violated both the California Consumer Protection Act (CCPA) and the Unfair Competition Law. Here’s what happened and what you can do to protect your brand from a similar fate.

California AG cites retailer over CCPA violations

Beginning in 2021, the AG conducted an enforcement sweep of large retailers to determine their compliance with the CCPA when presented with a Global Privacy Control. This new control is a browser-level signal that signifies that the user wants to decline all tracking efforts. The CCPA has specific provisions for how a site must behave when exposed to such a signal.The retailer in question was found to be ignoring the signal when presented, and a preliminary investigation by the AG cited them for:

• Failing to properly disclose sales of data to third parties to consumers. 
• Failing to provide “Do Not Sell My Personal Information” links on the website and mobile application.
• Failing to allow users to opt-out of sales of their personal information, including via a Global Privacy Control.

The Attorney General provided a Cure Notice to correct the violations within 30 days. The retailer did not act, and so the AG filed for trial.

We want to call out that while this retailer had a 30-Day Notice to Cure Violations, this 30-day window will be removed for all brands come January 1st, 2023. After that date, brands should not expect similar warnings to correct violations before being subject to enforcement.

What’s next in this case?

Rather than go to trial, the retailer settled with the AG and, pending approval by the Court, is subject to the following:

• $1.2 Million dollar fine
• The retailer must properly disclose any sale of data.
• The retailer must properly respect the Global Privacy Control.
• The retailer must build out a compliance plan and operate it for two years, and provide reports to the State over compliance with the opt-out of sale activities. 
• The retailer must conduct annual reporting to the State for the next two years regarding any companies to which they sell data, identifying said companies and identifying if the retailer considers them a Service Provider.
• The retailer must enter a contract with any Service Providers to ensure compliance with the CCPA.
• The retailer is responsible for ensuring compliance with the CPRA amendments to the CCPA entering enforcement on January 1st, 2023.

What should you do?

1. We recommend a privacy regulation compliance audit, which Further can conduct, to support conversations with legal counsel.While this case deals with a specific retailer, the AG provided clarification around what constitutes a ‘sale of data’. In the investigation, the AG stated that any exchange of personal information for benefit (not just monetary gain) is considered a ‘sale’ under the CCPA. It’s worth a review to determine whether your site meets compliance requirements in light of this new information. The pending CPRA amendments (entering enforcement on Jan 1st, 2023) make it clear this applies to third parties and not Service Providers (however, please note that the definitions of Service Providers and Third Parties change with the new regulation).
2. We recommend ensuring compliance by updating your tag management system to respect the Global Privacy Control opt-out signal.Given the investigation and news that the CCPA is using the Global Privacy Control to determine compliance, we recommend reviewing any existing Consent Management behavior to ensure it properly accounts for the presence of the Global Privacy Control.  We can assist in discussions about the control and assist with implementation efforts, such as modification of an existing consent management integration with your tag management system to handle this new use case.
3. We recommend reviewing your site to ensure that you have “Do Not Sell My Personal Information” links as required by the CCPA.The investigation cited the retailer for not having the links and actively misleading consumers over their sale of personal information. It’s critical that the proper disclosures be present to avoid potential violations.
4. We recommend reviewing your Privacy Policy.Many of the California Attorney General’s recent enforcement efforts centered around non-compliant Privacy Policies. Further can assist in a review of your existing privacy policy to help ensure it has everything the California Attorney General may be looking for.

Lastly, please note that currently only the browsers Firefox, Brave, and DuckDuckGo support the Global Privacy Control. It is, however, expected that browser support will increase over time, given the governmental backing of the specification.We realize that this news may be very concerning. Please know that we at Further are monitoring these developments closely, and we’re available for discussions on this matter should you have any questions or concerns.Read more recent privacy news:

• Privacy Framework Revoked! TCF v2.0 Upended in DPA Ruling

  Contact us  right away to ensure your site is CCPA compliant.