Reed Smith In-depth

Key takeaways

  • Confirm that privacy policies accurately reflect how the company processes personal information, and verify that consumer request / opt-out practices are clearly disclosed and have been tested to ensure functionality.
  • Ensure that the company’s process for honoring requests for access, deletion and correction of consumers’ personal information aligns with the applicable regulations, and implement and test systems to confirm that they work.
  • Test whether sites are responding to global privacy control / opt-out preference signals. 

It’s 2024 and the California Privacy Protection Agency (CPPA) and California Attorney General’s Office haven’t skipped a beat in investigating potential non-compliance with the California Consumer Privacy Act (CCPA). The California AG’s Office recently celebrated Data Privacy Day by announcing an investigative sweep focused on streaming services’ compliance with opt-out requirements under which consumers may “opt out” of any practice by such businesses to sell or share consumers’ personal information. Prior CCPA investigative sweeps have focused on loyalty programs, mobile applications, employee data, and recognition of global privacy control (GPC) signals, also now known as out-out preference signals (OOPS).

The AG’s announcement is just the start of what some anticipate will be a busy enforcement year for privacy compliance. Given the broad scope of the AG’s efforts, is there anything that companies can do proactively? The answer is yes. To help focus compliance efforts, it’s possible to glean insights about future enforcement priorities from prior enforcement actions, as well as from the CPPA’s and AG’s public comments.

Lessons learned from public statements and past enforcement actions

Both the CPPA and the AG can pursue enforcement under the CCPA. The AG’s Office also has available to it other causes of action, such as claims under the California Unfair Competition Law. Thus, it is important to review activity from both agencies in assessing future risk.

The following brief enforcement timeline may provide a useful starting point: