The Cookie Crumbles - Lessons from First California Consumer Privacy Act (CCPA) Monetary Settlement - Lexology

2022-09-25 14:18:49 By : Ms. judy zhu


On August 24, 2022, California Attorney General Rob Bonta issued a press release announcing the first public settlement by the Office of the Attorney General (OAG) involving alleged violations of the CCPA. The settlement involves a judicial judgment, civil penalties and ongoing monitoring and reporting. The use of noncompliance letters to cajole companies into compliance over many months now appears to be a closed chapter in the CCPA saga. Season 2 promises more drama, more action and more money. Entertaining unless you are the next target!

The following are our key takeaways from this settlement. For a description of the allegations and procedural history, see “What Happened?” below.

The OAG’s CCPA settlement resulted from enforcement efforts that started in July 2020. After settling multiple cookie DNS (“Do Not Sell”) and GPC (Global Privacy Control) cases without monetary penalty or public settlements, the OAG has now required a payment of $1.2 million in a public settlement of such a case. In this game-changing cookie-related enforcement action, according to the OAG’s complaint, on June 25, 2021, the OAG notified a retailer/etailer of consumer products (Retailer) about CCPA violations based on the OAG’s review and testing of the Retailer’s website (we have resolved noncompliance letters on behalf of many clients caught up in such sweeps). The Retailer allegedly did not cure the putative violations to the OAG’s satisfaction within 30 days of the date of the notice and, on August 24, 2022, a complaint with proposed settlement and judgment was filed and announced, calling for remediation, civil penalties and ongoing compliance reporting. That is a quick turnaround, based on the time we have had to help clients resolve similar allegations. Thus, we enter a new era of CCPA enforcement where real repercussions apply.

The OAG alleges that the Retailer violated the CCPA because it failed to:

Relatedly, the complaint also alleged violations of California’s Unfair Competition Law, a consumer protection law similar to, but broader than, Section 5 of the Federal Trade Commission (FTC) Act, which prohibits deceptive or unfair commercial practices. The Retailer’s privacy policy disclosed the use of online tracking technology but also stated that the Retailer did not sell personal information within the meaning of the CCPA. The OAG argued that this statement was misleading and deceptive. The complaint also alleged that the Retailer “unfairly deprived” consumers of their ability to opt out of the Retailer’s sale of personal information. This reflects a more aggressive use of traditional consumer protection laws applied to advertising data practices at the state and the federal level. Indeed, the OAG, in its recent announcements, has echoed recent statements by the FTC referring to long-common digital advertising practices, self-regulated by transparency and opt-out rules, as unfair commercial deception.

To make clear that this first civil penalty is not a one-off, in the same press release announcing the settlement, Attorney General Bonta announced that the OAG sent notices on August 24, 2022, to “a number of businesses” alleging non-compliance for failure to process consumer opt-out requests made via user-enabled global privacy controls, and that it was conducting website sweeps, something it has been doing for months. Now, however, in the wake of these civil penalties, those letters will carry more weight.

Concurrently, the OAG published a new list of “illustrative examples” indicating “steps taken” by businesses after receiving one of the OAG’s notices of alleged noncompliance, supplementing the 27 provided in July 2021. Thirteen new examples cover an array of non-compliance, including not only the same failure to honor consumer requests to opt out of sales related to web tracking technologies as in the settlement, but also non-compliant notices (including notices of financial incentive, which we discuss more below, and notices at collection) and privacy policies; absence of required privacy rights request methods; non-compliant methods and erroneous treatment of requests; requiring consumers to waive or limit their CCPA rights; limiting requests to know; and non-compliant verification procedures. As to the loyalty program example, as we previously covered in Consumer Privacy World, earlier this year the OAG targeted multiple businesses operating loyalty programs, which are defined as a “financial incentive” under the CCPA. Now, the OAG has published the resolutions of that sweep. In order to resolve the noncompliance letters, the businesses, depending on the alleged violation:

While these other new resolutions apparently did not result in civil penalties, the threat of monetary settlements is now real.

The timing of the OAG’s announcement is interesting: it comes four months before the CCPA is expanded by the CPRA, which is effective from January 1, 2023, and while Congress is considering the America Data Privacy and Protection Act (ADPPA), the terms of which would preempt most of the CPRA and the other state privacy laws in Colorado, Connecticut, Utah and Virginia. For now, the OAG makes clear that it remains committed to enforcing the CCPA and holding violators accountable.

What Was the Result of the Settlement?

The proposed settlement includes a monetary payment to California totaling $1.2 million and also specific compliance requirements that the Retailer must address within 180 days of the final settlement and for two years thereafter.

The settlement requires the Retailer to:

As previously discussed in Consumer Privacy World, the OAG’s GPC requirement is notable because the GPC is a “proposed specification” (like the Data Rights Protocol) that lacks technical details and, as a rule, any clear indication of consumer intent. The complaint states that the Retailer “wholly disregarded” sales opt-out requests made via the GPC. The OAG states in its CCPA FAQs that “Under law, [GPC] must be honored by covered businesses as a valid consumer request to stop the sale of personal information.” This is despite the fact that the OAG’s rulemaking authority for requiring GPC is dubious at best, especially since the plain language of the CPRA makes GPC (now called OOPS) optional if the business has an online DNS mechanism. The OAG’s position likely reflects the fact that the California Privacy Protection Agency (CPPA), the additional privacy regulatory agency created by the CPRA, has proposed CPRA regulations that put an Orwellian twist on the CPRA to conclude that GPC/OOPS is not optional. For more on this, see our analysis and a similar conclusion by the Internet Advertising Bureau. A business that wanted to challenge the OAG and CPPA on these issues would have a solid basis to do so, but how many operators of online services and retailers are prepared to dedicate resources to litigating the issue and risk reputational harm and massive civil penalties if they are unsuccessful?

It is important to note that the Colorado Attorney General’s Office has engaged in pre-rulemaking listening sessions with the public about the upcoming rulemaking on the Colorado Privacy Act (CPA). One of the example topics discussed was a universal opt-out that would allow Colorado consumers “to opt out of the sale of their personal data or use of their data for targeted advertising using a single opt-out mechanism that will be honored by all covered businesses processing their personal data.” By July 1, 2023, the Colorado Attorney General is required to adopt rules detailing the technical specifications of one or more universal opt-out mechanisms (6-1-1313(2), C.R.S.). Under the CPA, honoring the user-enabled opt-out is optional until July 1, 2024, at which time it becomes mandatory (6-1-1306(1)(a)(IV)(A)-(B), C.R.S.). We have heard that the CPPA and the Colorado Attorney General are in sync on user-enabled privacy controls and other issues, with the goal being compatibility.

What Should Retailers and Operators of Online Services Do?

The OAG views the right to opt out of sales as a “hallmark” of CCPA. As we have previously discussed, “sale” is broadly and somewhat confusingly defined under CCPA as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration” (Cal. Civ. Code 1798.140(t)). The OAG takes the “making available” language, together with the absence of any requirement for a monetary exchange, to mean that retailers and other operators of online services are responsible for “selling” the personal information collected by third parties associated with their sites or facilities. This is not a new OAG position. The CPPA does the same. See our breakdown of the proposed CPPA regulations, especially regarding third parties collecting personal information in connection with another business’s site or facility. Also, keep in mind that on January 1, the CPRA adds a new term, “share,” “shared,” or “sharing,” which is really only processing for cross-context behavioral advertising without the requirement of monetary or other valuable consideration. Thus, businesses should review their advertising practices to see if they meet the OAG’s and CPPA’s broad definition of “sell” under the CCPA or the new term, “share.” Also, operators of online services and retailers beware: the authorities will go after you directly for your adtech and other partners’ practices, because you have the direct relationship.

The settlement demonstrates the authorities’ broad view of “sale” under CCPA: in their minds, online tracking technologies (including cookies, pixels, web beacons and software development kits (SDKs)) that “automatically send data about consumers’ online behavior to third-party companies” in exchange for free or presumably discounted analytics and/or advertising services constitute a sale of personal information under CCPA. The OAG’s complaint relays the example of a data analytics and digital advertising provider that the Retailer allowed to:

In doing so, the settlement clearly expresses the OAG’s belief that such commonplace advertising and analytics services are sales and not service provider activities. Further, the proposed CPRA regulations expressly state that a vendor that facilitates cross-context behavioral advertising services cannot qualify as a service provider, even if it uses the client’s personal information only to provide services to the client (e.g., social media matched ads).

The Gloves Are Off and the Clock is Ticking

The days of genteel sparring with the OAG and having months to cure alleged violations are over. The OAG’s press release regarding the settlement states, “My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses.” And, lest you forget, there is a new sheriff in town. Soon the CPPA will also have enforcement authority. And it is clear that both see collection and commercialization of consumer data as suspect, and will err on the side of consumer privacy where statutory ambiguities exist. Well-meaning businesses have struggled with CCPA, and CPRA is far more complicated, plus HR and B-to-B personal information comes into full scope in January. Recent civil penalties suggest that companies should not be lackadaisical about CCPA compliance and 2023 CPRA preparation.


© Copyright 2006 - 2022 Law Business Research