California Attorney General Previews Enforcement Strategy

California Attorney General Rob Bonta waded into privacy enforcement issues for the first time on July 19, 2021, with a press release addressing two key issues: 1) summary details on notices sent by the Office of the Attorney General (OAG) demanding that businesses cure violations of the California Consumer Privacy Act (CCPA) and 2) the launch of a new consumer reporting tool for certain compliance complaints. The release – Bonta's first statement about the CCPA since taking office earlier this year – demonstrates a continued focus by the state on businesses compliance with CCPA's obligation to provide individuals an easy method to opt-out of certain disclosures of their personal information.

Details on Notices to Cure

The press release confirmed that the OAG has sent notices to cure to multiple entities since enforcement began just over one year ago. Recipients have included data brokers, marketing companies, businesses handling children's information, media outlets and online retailers. At least two companies appeared to do business primarily offline – a car manufacturer and grocery chain. Per the report, 75 percent of businesses acted to come into compliance within the 30-day statutory cure period. The remaining 25 percent of businesses that received a notice of alleged violation are either within the 30-day cure period or are under active investigation.

The OAG also added to the CCPA section of its website a list of "Enforcement Case Examples" that summarize "illustrative examples" where the OAG sent cure notices. Of the 27 examples offered, the most common potential violation related to disclosures; 18 examples concerned either a failure to provide notice at collection or a "Non-Compliant Privacy Policy." Non-compliance with opt-outs, either due to a failure to include a "Do Not Sell My Personal Information" link on a website or a deficient process, accounted for seven examples. Only two examples referenced a failure to implement proper contract terms in service provider contracts – not surprising given the typical lack of consumer visibility into such terms.

The examples underscore the importance of strict adherence to the CCPA's requirements on privacy disclosures and consumer request intake. Notably, not a single example involved the scope of what a business returned in response to a right-to-know request or challenged the claim of an exception to the right to delete. Cited violations included issues such as failure to include descriptions of consumers' rights in the privacy notice, failure to offer appropriate methods to submit requests and imposing additional requirements for requests not permitted by the law, such as verification of identity for opt-out requests.

Consumer Reporting Tool for Do Not Sell

Bonta also announced the launch of a Consumer Privacy Interactive Tool that allows consumers to directly notify the OAG and businesses that do not have a clear and easy-to-find "Do Not Sell My Personal Information" link on their homepage. The tool asks guided questions to walk users through the threshold elements of the CCPA before generating a notification that users can send to the business.

In its current form, the tool may well encourage consumers to over-report perceived, but not actual, non-compliance with the Do Not Sell requirements. The questions assume the user knows a business's revenue or reach, and understands CCPA's less-than-intuitive definitions of a "service provider" and "sale." A user then inputs the business's details into the tool, which auto-generates an email that the user can cut and paste into an email and send to the offending business. Importantly, the OAG is clear that it also collects a business's information provided through the tool and will use such information "to assist [it] in investigating and enforcing the law." According to the OAG, moreover, an email generated by the tool but sent by a consumer may also trigger the 30-day period for a business to cure its violation of the CCPA's Do Not Sell provisions. Notice and an opportunity to cure is a prerequisite to the attorney general bringing an enforcement action.

The OAG also confirmed that information submitted through the tool may be discoverable by members of the public through a California Public Records Act (CPRA) request. The California Department of Justice's Guidelines for Access to Public Records suggest that "investigative records" and "records prepared in connection with litigation" would remain confidential.

Embracing a Technical Solution to Global Opt-Outs

The OAG additionally updated its CCPA Frequently Asked Questions last week to endorse Global Privacy Control (GPC) – a little-used technical standard intended to communicate a consumer's Do Not Sell request from a global privacy control, as contemplated under CCPA Regulation § 999.315. GPC is available as part of several browsers, extensions and websites. Though the GPC standard is not mentioned in the CCPA or its implementing regulations, the updated frequently asked questions states that GPC "must be honored by covered businesses as a valid consumer request to stop the sale of personal information." The enforcement examples also include a consumer electronics company that did not "process consumers' request to opt-out" when submitted via a user-enabled global privacy control, "e.g. a browser extension that signaled the GPC." As of yet, however, GPC is merely a signal, and businesses must still build the processes necessary to effectuate consumer opt-outs internally and with third parties.