One year after enforcement of the California Consumer Privacy Act (CCPA) took effect, the California attorney general (AG) released an enforcement update and a tool for consumers to create and issue notices of noncompliance with certain parts of the CCPA.

As businesses await the January 1, 2023, effective date of the California Privacy Rights Act (CPRA), the California AG’s office has been actively enforcing the CCPA and providing updated guidance for consumers and businesses. Recently, California AG Rob Bonta held a press conference to discuss enforcement proceedings brought by his office over the last year and to announce a new tool designed to simplify consumer reporting of complaints related to personal information “sales” opt-outs. The AG’s office also recently released a summary of its CCPA enforcement activities as well as updated CCPA FAQs.

There are a number of important takeaways from the AG’s office’s recent announcements, which are discussed in greater detail below. In short:

  • The AG has cast a wide net, but privacy policies and personal information “sales” are the most common bases for CCPA enforcement. According to the AG’s summary of 27 recent enforcement proceedings, businesses receiving notices of alleged noncompliance have run the gamut from brick-and-mortar grocery chains to online dating apps and marketing service providers. As expected, the majority of the enforcement activities have related to businesses’ compliance with the CCPA regulations’ privacy policy and personal information “sales” opt-out requirements. However, the AG’s office has also targeted an array of other subjects, such as children’s data, service provider vendor agreements, and notices of financial incentives.
  • The AG’s office remains committed to requiring businesses to treat global browser privacy signals (“global privacy controls” or “GPCs”) as opt-out requests. Although there is currently no universally accepted global opt-out mechanism, the latest CCPA FAQs mandate that businesses treat GPC signals as valid CCPA opt-out requests – technical obstacles and consumer intent notwithstanding.

The AG’s CCPA “Consumer Privacy Interactive Tool” may increase pressure on businesses that have not yet prominently enabled “Do Not Sell” functionality. A new tool on the AG’s website will enable consumers who believe that a business is selling or has sold their personal information to generate a “notice of noncompliance” directed to the business. The AG’s website hints that such consumer-generated notices may satisfy the AG’s statutory obligation to provide notice before filing an enforcement action under the CCPA – regardless of whether the business believes it “sells” personal information or has previously received notice from the AG’s office.

CCPA enforcement update

During his press conference, AG Bonta marked the one-year anniversary of the CCPA’s enforcement by noting that in the past year, 75 percent of business that have received notices of noncompliance have fixed their practices within the 30-day cure period. The remaining 25 percent, according to the AG, are still within the cure period or are under active investigation. In addition to reporting that his office has published a summary of enforcement proceedings, AG Bonta highlighted a handful of cases in his public remarks, which included:

  • Slow responses to CCPA inquiries by a social media company. A social media company that was alleged to be slow in processing and responding to California consumer requests under the CCPA received a notice from the AG’s office, after which the business streamlined its response practices.
  • Lack of “Do Not Sell” functionality on an online dating app. An online dating app that lacked a “Do Not Sell My Personal Information” link received notice of alleged noncompliance. Upon receiving the notice from the AG’s office, the business added a “Do Not Sell” link on its platform.
  • Notice at or before the point of collection during vehicle test drives. A vehicle manufacturer and retailer collected personal information from users during test drives, but allegedly failed to notify the individuals of how it used the collected personal information. Upon receiving notice from the AG’s office, the business updated its notice practices and privacy policy.
  • Notice of financial incentives for grocery store loyalty program. A grocery store chain allegedly required personal information in exchange for participation in a loyalty program, but did not provide notice of financial incentive. After receiving notification from the AG’s office, the business updated its privacy policy to include a notice of financial incentive.

Updated CCPA FAQs suggest that the AG remains serious about requiring businesses to accept global privacy controls as “Do Not Sell” requests

In updated FAQs, the AG’s office provided guidance on browser-based global privacy controls and directions for consumers to submit requests to opt out of the sale of their personal information “using the GPCs.” Despite acknowledging that the GPCs remain ”a proposed technical standard,” and though the underlying technology remains in development, the updated FAQs from the AG’s office state that “under law, [GPCs] must be honored by covered businesses as a valid consumer request to stop the sale of personal information.” In fact, one of the enforcement examples announced by the AG’s office described a proceeding against a consumer electronics company that did not process “consumers’ requests to opt-out that were submitted via a user-enabled global privacy control, e.g., a browser extension that signaled the GPC.”

New CCPA self-help tool enables consumers to notify businesses that they lack “Do Not Sell” home page links

Additionally, AG Bonta announced a consumer-facing CCPA enforcement tool that generates a CCPA “notice of noncompliance” that can be emailed to the business. The tool is currently limited to alleged noncompliance with the requirement that businesses that “sell” personal information must post a “Do Not Sell My Personal Information” link. Using the self-help tool, a consumer who believes a business should post the “Do Not Sell” link but has failed to do so can enter information into a web form that will generate a notice that can then be copied into an email or printed and sent to the business.

The AG’s website notes that this consumer-issued notice “may” satisfy the requirement that businesses be provided a 30-day “cure” opportunity before the AG can “sue businesses that violate the CCPA.” Anticipating emerging trends

  • With the CCPA, the CPRA, related regulations (both active and pending), and the AG’s many advisory pronouncements, ”full compliance” remains a moving target even for well-intentioned businesses with devoted privacy resources. In this climate of uncertainty and risk, recent proceedings by the AG’s office and published AG guidance offer critical insight into how the AG is interpreting the law and what the AG’s likely enforcement priorities will be going forward. Some patterns are emerging:
  • Consumer complaints (and subsequent enforcement proceedings) related to the availability of businesses’ “Do Not Sell” functionality are likely to accelerate with the introduction of the new Consumer Privacy Interactive Tool and the AG’s renewed commitment to enforcing GPCs as a personal information “sales” opt-out.
  • Consumer-facing resources such as rights request tools, privacy policies, and related notices will remain frequent areas of AG inquiry.
  • Effective global privacy controls that accurately reflect consumer preferences are still under development, though the upcoming CPRA rulemaking process is expected to clarify many of the rules of the road. Nevertheless, it appears that the California AG’s office is already committed to taking an aggressive stance regarding the enforceability of such signals under the CCPA. While it may be too soon for businesses to know exactly what to do, businesses that “sell” under the meaning of the CCPA should pay close attention to emerging technical developments and guidance and should prepare to adapt as the landscape changes.