Reed Smith In-depth

On August 24, 2022, the California attorney general’s (AG) office published 13 new California Consumer Privacy Act (CCPA) enforcement case examples. The new enforcement examples supplement the 27 examples the AG published in July 2021, also covered in our previous blog. The new case examples provide a rare glimpse into the AG’s past year of CCPA enforcement activities, and may forecast potential enforcement under the California Privacy Rights Act (CPRA). With the CCPA’s 30-day right to cure ending on January 1, 2023, businesses subject to the CCPA (and soon the CPRA) should review these case examples as part of their ongoing compliance efforts.

The AG’s recent enforcement activity focuses on compliance with the CCPA’s requirements to: (1) provide notice of financial incentives; (2) maintain proper website privacy policies; (3) provide a conspicuous and clear right to opt out of sales of personal information; (4) provide consumers with simple mechanisms to exercise their CCPA rights; and (5) recognize Global Privacy Control (GPC) signals.1 Below is an overview of one specific enforcement decision involving the recognition of GPC signals, privacy policy disclosures, and the 30-day right to cure.

California attorney general’s office imposes first fine for violation of the CCPA

This August, the AG announced a $1.2 million settlement with a retailer for violations of the CCPA and the California Unfair Competition Law (UCL). This is the first public example of CCPA enforcement activity resulting in a monetary penalty, along with injunctive terms and reporting provisions. The AG learned of the retailer’s non-compliance during its June 2021 enforcement sweep that assessed whether large retailers continued to sell personal information (PI) after a consumer indicated an opt-out via a GPC signal. Through its investigation, the AG determined that the retailer did not appear to recognize consumer opt-outs through GPC, which meant that consumer personal information may have been passed to third-party companies as a “sale.” The investigation also uncovered that the retailer’s privacy policy stated that the retailer did not sell PI, while concurrently stating that the retailer shared consumers’ geolocation data and internet or other electronic network activity with third parties. The AG determined that the retailer also violated the UCL, claiming that it made false or misleading statements related to the sale of consumers’ PI while “unfairly depriving” consumers of the ability to opt out of any such sales.

The settlement is part of the AG’s ongoing, aggressive enforcement of the CCPA. In his announcement of the settlement, the AG stated that the enforcement action should send “a strong message to businesses that are still failing to comply with California’s consumer privacy law” and that his office will hold them accountable for violations. The AG also stated that there are “no more excuses” for non-compliance. As a result, businesses should expect increased enforcement in this area.