On July 19, the Office of the Attorney General of California (OAG) issued a press release summarizing its first year of CCPA enforcement. Seventy-five percent of companies receiving a notice to cure are said to have come into compliance within the 30-day cure period, with 25% reportedly still within that period or under ongoing investigation. The OAG also published summaries of 27 resolved exemplary cases. The OAG was careful to note that the summaries do not constitute advice and do not include all of the facts, however they do offer some insights. Disappointingly, however, the summaries often lack enough detail to allow readers to surmise the enforcement posture that was taken by the OAG, the exact nature of the alleged violations, or the specific actions taken by the company that satisfied the OAG’s inquiry.

Most of the summaries deal with notice deficiencies and inadequate disclosures, including financial incentives (e.g., loyalty programs), and consumer rights request program inadequacies. However, three of them, which are reproduced verbatim below (emphasis added), shed some light on the application of “do not sell” and digital tracking technologies (e.g., cookies). One of those three directly addresses Global Privacy Control signals (a matter the OAG has been pushing as of late). These cases seem to indicate that collection by a third-party cookie provider, absent a service provider commitment by such provider, may be a “sale” to such provider – a position that the OAG has been advancing in enforcement actions of which we are aware – and that this must be tied directly to the “Do Note Sell” link and tool:

Pet Industry Website Updated its Opt-Out Webform for Consumers to Opt Out of All Sales of Personal Information Industry: Pet Industry Issue: Authorized Agent; Sales of Personal Information

A business that operates an online pet adoption platform required a consumer’s authorized agent to submit a notarized verification when invoking CCPA rights. The business’s disclosures regarding its sale of data were also confusing, and the business did not appear to provide a mechanism for consumers to opt-out of the sale of their personal information. The business also made consumers take additional steps to opt-out by directing consumers to a third-party trade association’s tool designed to manage online advertising. After being notified of alleged noncompliance, the business removed the notarization requirement for agents, added a “Do Not Sell My Personal Information Link”, and updated its opt-out webform that allowed consumers to fully opt-out of the sale of personal information, including personal information that was exchanged for targeted advertising.

Media Conglomerate Updated Opt-Out Process and Notices Industry: Mass Media and Entertainment Issue: Non-Compliant Opt-Out Process; Notices to Consumers

A mass media and entertainment business did not provide consumers with any methods to opt-out of the business’s sale of their personal information. The business only directed consumers to a third-party trade association’s tool designed to manage online advertising. The business’s privacy policy and notice of right to opt-out also did not include required information about how consumers or their agents could exercise their opt-out rights. The business also did not have a notice at collection and lacked a “Do Not Sell My Personal Information” link on several of its digital properties. After being notified of alleged noncompliance, the business updated its opt-out process, privacy policy, and notices to address these issues, and added the “Do Not Sell My Personal Information” link to all of its digital properties.

Manufacturer and Retailer Stopped Selling Personal Information Industry: Consumer Electronics Issue: Sales of Personal Information

A business that sells electronics maintained third-party online trackers on its retail website that shared data with advertisers about consumers’ online shopping. The business neither imposed a service provider contractual relationship on these third parties, nor processed consumers’ requests to opt-out that were submitted via a user-enabled global privacy control, e.g., a browser extension that signaled the GPC. After being notified of alleged noncompliance, the company worked with its privacy vendor to effectuate consumer opt-out requests and avoid sharing personal information with third parties under conditions that amounted to a sale in violation of the CCPA.

[Emphasis added.] Leading cookie consent management platforms (CMPs) have the ability to tie “do not sell” consumer rights requests to opting out of certain sets of publisher-designated cookies and well as code that does the same when the GPC signal is present. In addition, the Internet Advertising Bureau has a CCPA framework and signal program, supported by some CMPs that can convert participating cookies from sales to service provider processing only. Publishers that have been holding off implementing such potential solutions should revisit the issue in light of these summaries.

In addition, the OAG announced the launch of a new consumer complaint tool that allows consumers to answer certain gating questions to create a notice of noncompliance that can be sent to a business, which the OAG states “may” start the 30-day opportunity to cure mandated by Section 1798.155.

Companies need to update their California privacy notices annually, typically as of January 1. In the process of doing so, we recommend an assessment of current CCPA compliance in light of the final regulations, summaries of initial enforcement actions and other OAG guidance. In addition, this will be a good opportunity to conduct a gap analysis to determine what changes will be needed before 2023 to comply with new state privacy laws that go into effect then. For more information, contact the authors.