On August 24, 2022, California Attorney General Rob Bonta announced the first public enforcement action under the California Consumer Privacy Act (CCPA), which took effect in January 2020. The action highlights several lessons for online retailers and other companies with an online presence, and suggests some best practices on which to take action in the aftermath of the announcement.

The Violations and Settlement. The state accused a national beauty retailer of three violations under CCPA:

• Failing to disclose to customers that it sells their personal data;
• Failing to process users’ requests to opt out of having their personal information sold; and
• Failing to act to correct its violations within the prescribed 30-day cure period.

If approved by the court, the settlement requires the retailer to pay a $1.2 million fine and correct the violations. In addition, within 180 days of the effective date of the judgment and for the following two years, the company must provide annual reports to the attorney general about its sale of personal information and how it is processing opt-out requests, among other required information.

Key Points. Some legal analysts commented the Attorney General is using the company as an example, noting ambiguities in some definitions under the law. Nevertheless, the action surfaced three key points that should prompt companies to review their practices:

• Definition of “data sale” is defined: While the retailer, like many companies, engaged in ordinary data-sharing for online behavioral advertising and disclosed these practices in its privacy policy, the Attorney General claimed these activities constitute a “sale” under CCPA since there was an exchange of “valuable consideration,” even though there was no monetary exchange.
• GPC compliance is mandatory: Although a Global Privacy Control (GPC) has not been widely adopted as a mechanism to comply with the law’s “Do Not Sell My Personal Information” link requirement, the settlement makes it clear the Attorney General considers it mandatory to comply with the GPC if it is sent.
• Additional laws may be cited: In addition to alleged violations of CCPA, the Attorney General also brought claims the retailer violated California’s unfair and deceptive practices statute for allegedly unfairly depriving consumers of their right to opt out of the sale of personal information.

Best Practices. As a result of this enforcement action – which was one of more than 100 notices alleging CCPA violations that were part of the Attorney General’s investigative sweep – organizations doing business in California should consider evaluating their digital infrastructure and reviewing their privacy policies to ensure compliance not only with CCPA, but also with the California Privacy Rights Act (CPRA). This new regulation goes into effect January 1, 2023, and expands on existing consumer privacy rights. Actions taken today will mitigate potential financial and reputational risks in the future.

Even as privacy regulations and interpretations continue to change, businesses can enact certain common-sense safeguards to mitigate risks related to data privacy. First principles begin with the responsible treatment of data, including transparency, data minimization, accuracy and security.

To learn more about how the Relyance platform can contribute to a responsible data privacy and protection program, please click here to book a demo.

On August 24, 2022, California Attorney General Rob Bonta announced the first public enforcement action under the California Consumer Privacy Act (CCPA), which took effect in January 2020. The action highlights several lessons for online retailers and other companies with an online presence, and suggests some best practices on which to take action in the aftermath of the announcement.

The Violations and Settlement. The state accused a national beauty retailer of three violations under CCPA:

• Failing to disclose to customers that it sells their personal data;
• Failing to process users’ requests to opt out of having their personal information sold; and
• Failing to act to correct its violations within the prescribed 30-day cure period.

If approved by the court, the settlement requires the retailer to pay a $1.2 million fine and correct the violations. In addition, within 180 days of the effective date of the judgment and for the following two years, the company must provide annual reports to the attorney general about its sale of personal information and how it is processing opt-out requests, among other required information.

Key Points. Some legal analysts commented the Attorney General is using the company as an example, noting ambiguities in some definitions under the law. Nevertheless, the action surfaced three key points that should prompt companies to review their practices:

• Definition of “data sale” is defined: While the retailer, like many companies, engaged in ordinary data-sharing for online behavioral advertising and disclosed these practices in its privacy policy, the Attorney General claimed these activities constitute a “sale” under CCPA since there was an exchange of “valuable consideration,” even though there was no monetary exchange.
• GPC compliance is mandatory: Although a Global Privacy Control (GPC) has not been widely adopted as a mechanism to comply with the law’s “Do Not Sell My Personal Information” link requirement, the settlement makes it clear the Attorney General considers it mandatory to comply with the GPC if it is sent.
• Additional laws may be cited: In addition to alleged violations of CCPA, the Attorney General also brought claims the retailer violated California’s unfair and deceptive practices statute for allegedly unfairly depriving consumers of their right to opt out of the sale of personal information.

Best Practices. As a result of this enforcement action – which was one of more than 100 notices alleging CCPA violations that were part of the Attorney General’s investigative sweep – organizations doing business in California should consider evaluating their digital infrastructure and reviewing their privacy policies to ensure compliance not only with CCPA, but also with the California Privacy Rights Act (CPRA). This new regulation goes into effect January 1, 2023, and expands on existing consumer privacy rights. Actions taken today will mitigate potential financial and reputational risks in the future.

Even as privacy regulations and interpretations continue to change, businesses can enact certain common-sense safeguards to mitigate risks related to data privacy. First principles begin with the responsible treatment of data, including transparency, data minimization, accuracy and security.

To learn more about how the Relyance platform can contribute to a responsible data privacy and protection program, please click here to book a demo.