On August 24, 2022, California Attorney General Rob Bonta issued a press release announcing the first public settlement by the Office of the Attorney General (OAG) involving alleged violations of the CCPA. The settlement involves a judicial judgment, civil penalties and ongoing monitoring and reporting. The use of noncompliance letters to cajole companies into compliance over many months now appears to be a closed chapter in the CCPA saga. Season 2 promises more drama, more action and more money. Entertaining unless you are the next target!
The following are our key takeaways from this settlement. For a description of the allegations and procedural history, see “What Happened?” below.
- According to the OAG, when an operator (i.e., a business) allows online tracking technologies on its online service (e.g., websites and mobile apps) that collect personal information for a technology provider or other third party, the operator is making a “sale” of personal information, because it makes the opportunity to collect and use the data available to the third party, unless that third party has agreed to contractual restrictions on its use of personal information such that it qualifies as a “service provider” under the CCPA. If not, you must either enable “Do Not Sell” (DNS) so that an opt-out disables the tracking technology, or have the third party contractually agree to be a service provider. Keep in mind:
- Enabling DNS means both an affirmative opt-out mechanism and recognizing and acting on user-enabled “global privacy controls” (GPCs). See GPC.
- If you rely on signals or settings to restrict tracking technology to service provider processing, the operator of the online service is responsible for ensuring they work and are honored.
- Cookie banners and preference centers are only sufficient if configured consistent with the OAG’s position on DNS and GPC. Many, if not most, are not.
- What a service provider can do with personal data collected on behalf of a business is incredibly narrow and is getting narrower under the California Privacy Rights Act (CPRA).
- Review the use of online tracking technology to see if it meets the CPRA’s definition of “share” in preparation for the CPRA’s amendments to the CCPA, and remember the opt-out of “sharing” goes beyond “selling” and includes cross-contextual behavioral advertising services that might have qualified under the CCPA as a service provider activity (e.g., social media platform matched audience ads).
- The CCPA’s notice and cure provision will expire on January 1, 2023 (when the CPRA comes into full force and effect). If you receive a noncompliance letter from the OAG in the meantime, respond and swiftly comply or prepare to challenge and risk a potentially hefty penalty. The OAG is on record that it will no longer exercise discretion to allow extended cure opportunities.
- For purposes of calculating an enforcement penalty, the OAG may consider that each “sale” is a violation, and not necessarily calculate penalties on a per-consumer, per-visit, per-day, or other less colossal measure. Thus, the OAG may seek penalties for millions of violations per day. The potential of crippling penalties raises the stakes of challenging the government’s aggressive interpretations of the CCPA and CPRA. The $1.2 million penalty appears calculated to make a point to industry, but at the same time avoid litigation of the issues.
- Ensure privacy policies and notices are complete and accurate or risk deception and unfairness claims in addition to CCPA claims.
The OAG’s CCPA settlement resulted from enforcement efforts that started in July 2020. After settling multiple cookie DNS and GPC cases without monetary penalty or public settlements, the OAG has now required a payment of $1.2 million in a public settlement of such a case. In this game-changing cookie-related enforcement action, according to the OAG’s complaint, on June 25, 2021, the OAG notified a retailer/etailer of consumer products (Retailer) about CCPA violations based on the OAG’s review and testing of the Retailer’s website (we have resolved noncompliance letters on behalf of many clients caught up in such sweeps). The Retailer allegedly did not cure the putative violations to the OAG’s satisfaction within 30 days of the date of the notice and, on August 24, 2022, a complaint with proposed settlement and judgment was filed and announced, calling for remediation, civil penalties and ongoing compliance reporting. That is a quick turnaround, based on the time we have had to help clients resolve similar allegations. Thus, we enter a new era of CCPA enforcement where real repercussions apply.
The OAG alleges that the Retailer violated the CCPA because it failed to:
- Provide a “Do Not Sell My Personal Information” link on its website or in its mobile apps, and offer consumers at least two methods for exercising the right to opt out of the sale of their personal information, including in the case of non-service provider cookies.
- Configure its website to detect or honor opt-out-of-sale requests sent via a user-enabled GPC. According to the press release announcing the settlement, a user-enabled GPC allows a consumer “to opt out of all online sales in one fell swoop by broadcasting a ‘do not sell’ signal across every website they visit, without having to click on an opt-out link each time.” The OAG found that an activated browser GPC signal had no effect on the Retailer’s site’s third-party cookies and that consumer personal information continued to flow to third-party companies, including advertising partners and analytics providers.
To make clear that this first civil penalty is not a one-off, in the same press release announcing the settlement, Attorney General Bonta announced that the OAG sent notices on August 24, 2022, to “a number of businesses” alleging non-compliance for failure to process consumer opt-out requests made via user-enabled global privacy controls, and that it was conducting website sweeps, something it has been doing for months. Now, however, in the wake of these civil penalties, those letters will carry more weight.
Concurrently, the OAG published a new list of “illustrative examples” indicating “steps taken” by businesses after receiving one of the OAG’s notices of alleged noncompliance, supplementing the 27 provided in July 2021. Thirteen new examples cover an array of non-compliance, including not only the same failure to honor consumer requests to opt out of sales related to web tracking technologies as in the settlement, but also non-compliant notices (including notices of financial incentive, which we discuss more below, and notices at collection) and privacy policies; absence of required privacy rights request methods; non-compliant methods and erroneous treatment of requests; requiring consumers to waive or limit their CCPA rights; limiting requests to know; and non-compliant verification procedures. As to the loyalty program example, as we previously covered in Consumer Privacy World, earlier this year the OAG targeted multiple businesses operating loyalty programs, which are a “financial incentive” under the CCPA. Now, the OAG has published the resolutions of that sweep. In order to resolve the noncompliance letters, the businesses, depending on the alleged violation:
- “Posted the Notice of Financial Incentives (NoFI) at cash registers where consumers would reasonably encounter the terms before voluntarily joining the loyalty program.”
- Included a deep link to the NoFI in the online sign-up process.
- Captured express opt-in consent and “meaningfully provide consumers” with the ability to withdraw from the loyalty program at any time.
- Included the material terms in the NoFI.
While these other new resolutions apparently did not result in civil penalties, the threat of monetary settlements is now real.
The timing of the OAG’s announcement is interesting: it comes four months before the CCPA is expanded by the CPRA, which is effective from January 1, 2023, and while Congress is considering the American Data Privacy and Protection Act (ADPPA), the terms of which would preempt most of the CPRA and the other state privacy laws in Colorado, Connecticut, Utah and Virginia. For now, the OAG makes clear that it remains committed to enforcing the CCPA and holding violators accountable.
What Was the Result of the Settlement?
The proposed settlement includes a monetary payment to California totaling $1.2 million and also specific compliance requirements that the Retailer must address within 180 days of the final settlement and for two years thereafter.
The settlement requires the Retailer to:
- Process consumer opt-out requests received via the GPC.
- Implement and maintain a program to assess, test and monitor whether consumer opt-out requests are properly handled.
- Provide an annual report on the testing, assessment and monitoring together with analysis of errors and technical issues experienced with consumer opt-out requests and how they are remediated.
- Review its websites and mobile apps to determine the entities to which personal information is made available.
- Enter into CCPA-compliant service provider agreements with vendors that process personal information, or treat the “making available” of personal information to them as sales.
As previously discussed in Consumer Privacy World, the OAG’s GPC requirement is notable because the GPC is a “proposed specification” (like the Data Rights Protocol) and lacks technical details, or clear indication of consumer intent as a rule. The complaint states that the Retailer “wholly disregarded” sales opt-out requests made via the GPC. However, the OAG states in its CCPA FAQs that “Under law, [GPC] must be honored by covered businesses as a valid consumer request to stop the sale of personal information.” Further, this is despite the fact that the OAG’s rulemaking authority for requiring GPC is dubious at best, especially since the plain language of the CPRA makes GPC (now called OOPS) optional if the business has an online DNS mechanism. This is likely because the California Privacy Protection Agency (CPPA), the additional privacy regulatory agency created by the CPRA, has proposed CPRA regulations that give the CPRA an Orwellian twist in order to conclude that GPC/OOPS is not optional. For more on this, see our analysis and a similar conclusion by the Internet Advertising Bureau. A business that wanted to challenge the OAG and CPPA on these issues would have a solid basis to do so, but how many operators of online services and retailers are prepared to dedicate resources to litigating the issue and risk reputational harm and massive civil penalties if they are unsuccessful?
It is important to note that the Colorado Attorney General’s Office has engaged in pre-rulemaking listening sessions with the public about the upcoming rulemaking on the Colorado Privacy Act (CPA). One of the example topics discussed was a universal opt-out that would allow Colorado consumers “to opt out of the sale of their personal data or use of their data for targeted advertising using a single opt-out mechanism that will be honored by all covered businesses processing their personal data.” By July 1, 2023, the Colorado Attorney General is required to specifically adopt rules detailing the technical specifications of one or more universal opt-out mechanisms. (6-1-1313(2), C.R.S.). Under the CPA, honoring the user-enabled opt-out is optional until July 1, 2024, at which time it becomes mandatory. (6-1-1306(1)(a)(IV)(A)-(B), C.R.S.). We have heard that the CPPA and the Colorado Attorney General are in sync on user-enabled privacy controls and other issues, with the goal being compatibility.
What Should Retailers and Operators of Online Services Do?
The OAG views the right to opt out of sales as a “hallmark” of CCPA. As we have previously discussed, “sale” is broadly and somewhat confusingly defined under CCPA as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration” (Cal. Civ. Code 1798.140(t)). The OAG takes the “making available” language, together with the fact that no monetary exchange is required (“other valuable consideration” suffices), to mean that retailers and other operators of online services are responsible for “selling” the personal information collected by third parties associated with their sites or facilities. This is not a new OAG position. The CPPA does the same. See our breakdown of the proposed CPPA regulations, especially regarding third parties collecting personal information in connection with another business’s site or facility. Also, keep in mind that on January 1, the CPRA adds a new term, “share,” “shared,” or “sharing,” which is really only processing for cross-context behavioral advertising without the requirement of monetary or other valuable consideration. Thus, businesses should review their advertising practices to see if they meet the OAG’s and CPPA’s broad definition of “sell” under the CCPA or the new term, “share.” Also, operators of online services and retailers beware – the authorities will go after you directly for your adtech and other partners’ practices, because you have the direct relationship.
The settlement demonstrates the authorities’ broad view of “sale” under CCPA: in their minds, online tracking technologies – including cookies, pixels, web beacons and software development kits (SDKs) – that “automatically send data about consumers’ online behavior to third-party companies” in exchange for free or presumably discounted analytics and/or advertising services constitute a sale of personal information under CCPA. The OAG’s complaint relays the example of a data analytics and digital advertising provider that the Retailer allowed to:
- Collect personal information via the Retailer’s digital properties.
- Combine that personal information with data that the provider received from other sources to augment a consumer profile.
- Provide the Retailer with opportunities to re-target the same consumer through the provider’s ad network.
In doing so, the settlement clearly expresses the OAG’s belief that such commonplace advertising and analytics services are sales and not service provider activities. Further, the proposed CPRA regulations expressly state that a vendor that facilitates cross-context behavioral advertising services cannot qualify as a service provider – even if they use the client’s personal information only to provide services to the client (e.g., social media matched ads).
The Gloves Are Off and the Clock is Ticking
The days of genteel sparring with the OAG and having months to cure alleged violations are over. The OAG’s press release regarding the settlement states, “My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses.” And, lest you forget, there is a new sheriff in town. Soon the CPPA will also have enforcement authority. It is clear that both see collection and commercialization of consumer data as suspect, and will err on the side of consumer privacy where statutory ambiguities exist. Well-meaning businesses have struggled with CCPA, and CPRA is far more complicated; in addition, HR and B-to-B personal information comes into full scope in January. Recent civil penalties suggest that companies should not be lackadaisical about CCPA compliance and 2023 CPRA preparation.
Reach out to the authors for more information, or to your normal point of contact at the firm.