In various public comments, including at the CPPA’s July 2023 board meeting, the agency has outlined several enforcement priorities, namely: (1) privacy policy and notice compliance, including ensuring accuracy in the description of privacy practices; (2) compliance with and implementation of the right to delete; and (3) honoring consumer requests, including how such requests are effectuated and whether consumers face barriers in exercising their rights.

CPPA enforcement is also likely to prioritize matters involving vulnerable communities, such as children, the elderly, or marginalized communities susceptible to privacy violations. Based on comments during the CPPA’s July 2023 meeting, in deciding whether to pursue a matter, the agency may consider “the overall circumstances of the case,” which, in our experience, suggests that the enforcement division will weigh the following factors, among others: (1) harm to consumers; (2) the nature and severity of the harm; (3) the business’ ability to comply with the law and good-faith efforts in compliance; and (4) the size and resources of the business.

These priorities are also reflected in the AG’s past enforcement of the CCPA, and companies can look at prior enforcement actions and case examples for how the AG’s Office interprets CCPA obligations, gleaning lessons for potential future enforcement. We previously summarized these in depth in October 2022 and August 2021.

What to expect

Based on the foregoing, enforcement has focused on six broad issues, which we expect will continue to dominate the enforcement landscape into 2024:

1. Failure to provide or honor opt-out of sale/sharing requests
   
   The majority of AG enforcement actions concern companies’ failure to comply with requirements concerning the sale of personal information. This has been and is expected to remain a priority. A company is required to disclose whether it sells or shares (for cross-contextual advertising) personal information, and to provide a clear “Do Not Sell or Share My Personal Information” link if it does. In addition, companies should be testing the request process to confirm that it is working and that exercising this right is easy with minimal steps. This includes ensuring that requests are honored immediately with respect to tracking technologies on websites and in mobile apps. The enforcement history highlights what the AG does not consider adequate: directing consumers to a third-party trade association’s opt-out tool for targeted advertising; this is no substitute for a fully operational “do not sell” process. Coordinating with technology personnel and reviewing the user experience will be important in ensuring that the request process works properly.
   
   
2. Failure to honor GPC/OOPS signals
   
   Hand in hand with the above, regulators are expected to assess whether companies are honoring GPC/OOPS signals. Businesses must treat opt-out requests made by GPC/OOPS signals the same as requests made by users who have submitted a do not sell/share request. What is clear from prior enforcement actions is that regulators are actively reviewing websites to determine if the sites are (1) detecting GPC/OOPS signals and (2) restricting the collection of information through tracking technologies once detected. We expect such proactive website reviews to continue.
   
   
3. Deficient privacy policies and notices
   
   Also high on the list of enforcement priorities, and easily assessable by regulators, are deficient privacy policies and notices. As highlighted by the CPPA, when conducting reviews of policies, regulators are not engaging in a check-the-box review. Instead, they are checking if the policy adequately and accurately describes the business’ privacy practices, e.g., disclosures in connection with the “sale” or “sharing” of personal information as well as descriptions of request processes. Broad and sweeping statements in privacy notices will likely not be acceptable, as regulators push companies to be clear, concise, and transparent about their data practices. Deficiencies in policies can become gateways to further investigation. Businesses should also keep in mind that regulators are not just reviewing online policies, but also checking for compliance with notice requirements at POS and other in-person and over-the-phone points of data collection.
   
   
4. Failure to honor consumer requests; burdensome request process
   
   Several prior enforcement actions examined whether request processes actually worked. These actions scrutinized whether certain steps and requirements hindered consumers’ ability to exercise their rights, including through the use of authorized agents. These cases teach a number of lessons. For example, avoid requiring consumers to (1) provide unnecessary personal information; (2) create a new account; or (3) accept additional terms or policies in order to exercise their CCPA rights. Businesses may verify consumer identities and establish verification methods for requests to delete, correct, or otherwise access personal information, proportionate to the nature of the personal information at issue. However, requests to opt out and limit processing of sensitive information should not require verification, and businesses should ensure such processes are not burdensome. Here too it would be prudent to confirm that the request workstreams are operational and review the user experience, including for risks of dark patterns.
   
   
5. Non-compliant offerings of financial incentives
   
   The AG’s prior sweep on loyalty programs and financial incentives, covered in more detail in our prior article, provides key takeaways for businesses that offer loyalty programs, discounts, or other offers to consumers in relation to the collection, retention, or sale of their personal information. Compliance with financial incentives requirements is rooted in proper disclosures, including ensuring notices are provided electronically and at POS where applicable. Financial incentive programs also require opt-in and a right to withdraw from the program, and those processes should be reviewed for ease and functionality, similar to other opt-out processes.
   
   
6. Employee and B2B data
   
   Companies should keep in mind that all of the above compliance triggers will also apply to employee and B2B data. Just as with consumer data, businesses now have certain legal obligations for employee and B2B data, such as providing notice of privacy practices and fulfilling consumer requests to exercise their right to access or delete their personal information or opt out of the selling/sharing of their personal information. As a result, HR and privacy teams should be coordinating efforts, and systems should be developed to maintain compliance. Considerations include the vendor management of data, especially considering the sensitivity of the data, as well as having a process for correction and deletion of data that is compliant with applicable employment laws and practices.

What now?

Regulators will continue to rely on broad sweeps and consumer complaints to evaluate compliance based on their enforcement priorities. Several public comments have made clear that the CPPA and AG’s Office believe that businesses have been on notice of the CCPA’s requirements, and they expect businesses to be in full compliance. Keep in mind that the California Privacy Rights Act (or CPRA) removed the 30-day cure period, so businesses should not expect an opportunity to fix deficiencies after a notice of violation. In fact, non-compliance in this environment could be deemed an aggravating factor. To address this concern, contemporaneously documented good-faith efforts to work toward compliance should be considered. Businesses should review their compliance practices, not just to check that the basics are in place, but also to test processes and the user experience and confirm that policies and procedures are implemented correctly. This is especially true for businesses that may be deemed to serve vulnerable communities.

In addition, businesses may wish to be mindful of the following:

• Prioritize external-facing compliance elements, such as do not sell/share requests, and limit processing links, privacy notices (online and offline), and GPC/OOPS signal recognition.
• Legal should be involved in reviewing the functionality of compliance tools and the user experience to make sure that (1) requests are operationalized properly (including down streaming requests as applicable) and (2) processes are not overly burdensome or subject to dark patterns.
• Utilize available tools to help evaluate privacy practices and processes. Regulators are aware of and use such tools, and will expect businesses to take advantage of the same.
• Develop internal systems to ensure consistent compliance and data governance, as well as strategies for rectifying any errors or failures when they are revealed.
• Have a plan to explain and address deficiencies. In this aggressive enforcement climate, it would be prudent to take a proactive, as opposed to reactive, compliance posture.

In-depth 2024-037