Last week, California Attorney General Rob Bonta announced an investigative sweep of providers of streaming services to determine whether these businesses are complying with California Consumer Privacy Act (“CCPA”) opt-out requirements for businesses that sell or share consumer personal information.

“From watching live sporting events to blockbuster movies, families increasingly use streaming platforms for entertainment, and we must make sure that their personal information is protected. Today, we are taking a close look at how these streaming services are complying with requirements that have been in place since 2020,” said Attorney General Bonta.

The CCPA requires businesses that sell personal data or share personal information for targeted advertising must permit consumers the right to opt-out from that selling or sharing. The intent of the CCPA is that exercising this right should be easy and involve minimal steps. The Attorney General stated in last week’s announcement that “[c]onsumers should also be able to have this choice honored across different devices if they are logged into their account when they send their opt-out request.”

This action follows prior CCPA investigative sweeps focused on such topics as employers and HR-related data (July 2023), mobile applications (January 2023), loyalty programs (January 2022) and recognition of the Global Privacy Control (August 2022). These prior sweeps led to numerous private settlements with the Attorney General that required changes to business practices (the Attorney General may not require the payment of monetary penalties without bringing a public enforcement action). In addition, in July 2023, the California Privacy Protection Agency initiated an inquiry into privacy practices of connected vehicles and related technologies.

The only public enforcement action that the Attorney General’s office has brought for a violation of the CCPA was in August 2022. In that case, the Attorney General announced a $1.9 million settlement with a well-known cosmetics retailer, resolving allegations that it failed to disclose to consumers that it was selling their personal information and failed to process opt-out requests via user-enabled global privacy controls in violation of the CCPA.

These actions make clear that the California regulators’ focus extends far beyond websites and mobile applications, and into connected TVs and vehicles and other technologies, and into the internal data and business practices of organizations. We can only expect this type of activity to pick up once the currently stayed CCPA regulations (discussed here) become effective and enforceable on March 29th of this year.

For more insights into this investigative sweep and CCPA enforcement generally, stay tuned; Privacy World will be there to keep you in the loop.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.