Search california consumer privacy act

The California Consumer Privacy Act (CCPA) currently has limited carve-outs for personal information (PI) collected from a job applicant, employee, owner, director, officer, medical staff member, or independent contractor of a business acting in such capacity (including, without limitation, communications, emergency contact and benefits PI) (HR data). An even broader exception applies to B-to-B communications and related PI (e.g., vendor, supplier and business customer contacts and communications) (B-to-B data). As a result, businesses subject to the CCPA are not currently required to honor CCPA rights requests received from persons concerning HR data and B-to-B data. These carve-outs are set to sunset on January 1, 2023, when the California Privacy Rights Act (CPRA), which substantially amends the CCPA, goes into full effect, at which point HR data and B-to-B data will be fully subject to all of the requirements of the CCPA/CPRA. Many business administrators had hoped that either the California legislature would extend the HR data exceptions (or maybe even make them permanent), or a federal law that limited data subject rights to traditional consumers would pass and preempt CCPA/CPRA. It is now clear that the former is impossible and the latter is highly unlikely. Accordingly, many companies have a lot to do by year-end to prepare to stand up a CCPA/CPRA program for HR data and B-to-B data.

Continue Reading HR and B-to-B Data Compliance Deadline Looming – Legislative Efforts to Extend California Consumer Privacy Act Exemptions Fail

On August 24, 2022, California Attorney General Rob Bonta issued a press release announcing the first public settlement by the Office of the Attorney General (OAG) involving alleged violations of the CCPA. The settlement involves a judicial judgment, civil penalties and ongoing monitoring and reporting. The use of noncompliance letters to cajole companies into compliance over many months now appears to be a closed chapter in the CCPA saga. Season 2 promises more drama, more action and more money. Entertaining unless you are the next target!

Continue Reading The Cookie Crumbles – Lessons from First California Consumer Privacy Act (CCPA) Monetary Settlement

As the first year for litigation and enforcement, 2020 was a big year for the California Consumer Privacy Act (“CCPA”).  Read on for ConsumerPrivacyWorld’s highlights of the year’s most significant events, as well as our predictions for what 2021 may bring.

Recap – What is the CCPA?

Following the lead of the European Union’s General Data Privacy Regulation (“GDPR”), the CCPA is the nation’s first definitive set of data privacy laws and went into effect on January 1, 2020.  It regulates any “business” that “does business in California,” even those without a physical presence in the state, and determines the means and purposes of the processing of “personal information”.

So what entities qualify as a “business” subject to the CCPA? The statute defines a “business” as a for-profit, private entity that (1) collects “personal information”, (2) determines the means of processing that personal information, (3) does business in California, and (4) meets one of the following criteria:

  • Has annual gross revenues exceeding $25 million;
  • Annually sells/buys or receives/shares for commercial purposes the personal information of 50,000 or more California consumers; or
  • Derives 50% or more of its annual revenue from selling personal information.

Generally, the CCPA covers all information so long as it relates to a California resident or California household.  Aligning with the GDPR, the CCPA defines “personal information” to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  Cal. Civ. Code § 1798.140(o).

The CCPA requires compliance with its notification and transparency notices.  First, the CCPA expects businesses present up to four notices, to be determined by that business’s practices.  Second, businesses must also inform consumers of their rights under the CCPA including their: (1) right to know, (2) right to delete, (3) right to opt out, (4) right to not be discriminated against for exercising their CCPA rights.

Key Developments in CCPA Litigation and Enforcement

January 1, 2020 and July 1, 2020 were important dates for the CCPA.  The former date set the act into motion, and saw the commencement of private rights of action.  The latter marked the start of enforcement proceedings.

Litigation

It didn’t take long for litigants to begin alleging violations of the CCPA. The first such lawsuit, Fuentes v. Sunshine Behavioral Health Group, LLC, No. 8:20-cv-00487 (C.D. Cal.), appeared on March 10, 2020, only three months after the law went into effect.  Besides being the first lawsuit to expressly allege a specific violation of the CCPA, this putative class action lawsuit also presented a notable standing issue:  whether a Pennsylvania resident that stayed in a California treatment facility for one month could be a “consumer” under the CCPA.

In early motion practice, the defendant seized on this standing issue, asserting that plaintiff’s one-month stay in California did not render him a consumer as required by the statute.  The CCPA defines a “consumer” as “a natural person who is a California resident.”  The applicable regulations in turn define as resident as:  (1) individuals who are in California for other than a temporary or transitory purpose; or (2) individuals domiciled in California who are outside the state for a temporary or transitory purpose.

Unfortunately, the Court did not have an opportunity to weigh in on this dispute before the parties filed a notice of voluntary dismissal of suit.

At least one CCPA class action, G.R. v. TikTok, No. 2:20-cv-04537 (C.D. Cal.), has already been consolidated with a several other lawsuits in an MDL in the U.S. District Court for the Northern District of Illinois.  On May 20, 2020, “G.R.,” a minor, filed a putative class action suit against popular social media platform TikTok and its parent company, ByteDance.  Seeking to represent a class of “[a]ll minor persons who registered for or used the TikTok app from at least May 14, 2017 to the present,” the plaintiff alleged that TikTok violated the CCPA when it allegedly failed to provide notice of the app’s alleged use and collection of its users’ data.  The complaint alleged that this use and collection included scanning every video uploaded to the app with facial recognition technology, extracting geometric data regarding the unique points and contours of each face as they appear in each uploaded video, and then creating and storing a template of each face from that data.

In September, G.R. was consolidated with several other lawsuits against TikTok into an MDL.  The MDL currently features over 30 plaintiffs, many of which are alleged to be minors.  On December 18, 2020 an amended consolidated class action complaint was filed.  Check back here for updates on how this case develops.

On the litigation front, one district court held that the CCPA’s focus on privacy does not restrict the scope of discovery.  In Kaupelis v. Harbor Freight Tools USA, Inc., No. 8:19-cv-01203 (C.D. Cal.), the court granted a motion to compel, stating that, “[n]othing in the CCPA presents a bar to civil discovery.  Notably, no other case has so held.  And the statute itself explicitly says that it is not a restriction on a business’s ability to comply with federal law”.

Another case, Stasi v. Inmediata Health Grp. Corp., No. 3:19-cv-02353 (S.D. Cal.),  confirmed that the CCPA does not apply to medical information that is governed by the California Confidentiality of Medical Information Act (“CMIA”) but can apply to disclosed non-medical information.

2020 also recently saw a settlement in a putative class action that when filed, was among the first to cite a violation of the CCPA.  High-end children’s clothing retailer Hanna Andersson faced numerous claims in the putative class action that followed a widespread data breach.  The alleged breach affected the personal information of over 200,000 customers who made online purchases on the Hanna Andersson website between September 16 and November 11, 2019.  The personal information included names, shipping and billing addresses, payment card numbers, CVV codes, and expiration dates.  This information was then exfiltrated and used to make fraudulent purchases using the affected customers’ credit cards.  On January 15, 2020, Hanna Andersson notified its customers of the breach.

In a settlement reached last month, Hanna Andersson agreed to create a settlement fund of $400,000 and implement new security measures.  These measures include hiring a director of cyber security, conducting a risk assessment of the its data assets and environment consistent with the NIST Risk Management Framework, and completing PCI Attestation of Compliance (AOC) in conjunction with a PCI-certified Qualified Security Assessor (QSA).  For more information on the significance of this settlement, including how the financial component of the settlement compares to other settlements, be sure to read ConsumerPrivacyWorld’s previous, in-depth coverage.

Legislation and Enforcement

As reported on our sister blog, Security & Privacy Bytes, 2020 was an incredibly active year for CCPA-related legislation and enforcement activity.

State enforcement of the CCPA began on July 1, 2020, when the Attorney General of California started to issue violation notice letters to a swath of online businesses. Although the letters themselves remain confidential, California’s Supervising Deputy Attorney General, Stacey Schesser, has provided some insight into their substance.  The letters targeted multiple industries and business sectors, which dispelled the belief that certain industries would be prioritized over others.  Additionally, the letters focused on businesses that operated online and were missing either key privacy disclosures or a “Do Not Sell” link (where the Attorney General thought one was necessary).  Finally, the targets of the letters were identified, at least in part, based on consumer complaints, including complaints made using social media.

On August 14, 2020, several regulations concerning the CCPA went into effect or were dropped.  The issues addressed by the regulations included the ease with which consumers could submit requests to opt out, whether certain businesses were required to provide offline notices of the right to opt-out, and the wording that businesses must incorporate when the sale of personal information is involved.  For more information, our sister blog, Security & Privacy Bytes, previously provided in-depth coverage.

This year, California also enacted a law to resolve the disconnect between the CCPA and HIPAA.  On September 14, 2020, Governor Gavin Newsom signed AB 713 into law.  AB 713 expands the CCPA exceptions for HIPAA business associates and HIPAA de-identified data, which may be particularly helpful in research.  AB 713 solves a disconnect between the CCPA and HIPAA’s arguably less burdensome de-identification standards.  Without this “fix,” data could have been sufficiently deidentified to be exempt from HIPAA, yet not sufficiently deidentified to be exempt from CCPA, creating a much more complicated legal regime for health companies.  Check out Security & Privacy Bytes’ coverage here.

Additionally, although this year was the first year in which the CCPA was in effect, it was also the year when its successor was determined.  On November 6, 2020, a majority of Californians voted to approve Proposition 24, the “California Privacy Rights Act of 2020” (“CPRA”).  The CRPA will go into effect on January 1, 2023, but will apply to all personal information (PI) collected on or after January 1, 2022.  Security & Privacy Bytes provided more coverage.

Finally, on December 10, 2020, the California Department of Justice released a fourth set of proposed modifications to the regulations regarding the CCPA.  The comment period is set to expire on December 28, 2020.  Stayed tuned to ConsumerPrivacyWorld to know the final outcome.

What Does the Future Hold?

With the CCPA now in effect, all eyes are focused on the significant changes that will be ushered in by the CPRA.  One of the most significant changes will be the creation of a new state agency, the California Privacy Protection Agency (“CalPPA”).  By July 1, 2021, the CalPPA will take over rulemaking and beginning January 1, 2024, the CalPPA will implement and enforce the CPRA.

The CalPPA will be the first enforcement agency in the United States dedicated solely to privacy.  For those familiar with the Consumer Financial Protection Bureau and its significant impact on the industry, the CalPPA is speculated to strengthen the enforcement and compliance with CCPA.  With the creation of the CalPPA – which is set to operate as a key privacy regulator — we know that the CCPA is here to stay.

Additionally, with a new administration and Congress arriving in the new year, the stage may finally be set for enacting comprehensive federal data privacy laws.  ConsumerPrivacyWorld previously reported on the status of federal legislation and glimpsed at the preemption issues that federal legislation would almost surely create.

The CCPA continues to evolve and  remains poised to reshape the data privacy landscape, including in the context of consumer litigation.  How will the CalPPA function?  Will the new administration and Congress make federal regulations?  Will it preempt the CCPA?  We guarantee to keep you informed on everything you need to know.  Stay tuned and do not hesitate to reach out for any questions or advice!

We have scheduled a make-up session with CLE for June 4, 2019 at 3p EST.

Effective January 1, 2020, the California Consumer Privacy Act (CCPA) will impose burdensome GDPR-like transparency and individual rights requirements on almost every company that handles “personal information” regarding California residents, regardless of where the business is based. The Act will impact information regarding not only consumers, but also employees and business contacts. Continue Reading Did You Miss Our Recent CCPA webinar? Understanding and Preparing for the California Consumer Privacy Act

Effective January 1, 2020, the California Consumer Privacy Act (CCPA) will impose burdensome GDPR-like transparency and individual rights requirements on almost every company that handles “personal information” regarding California residents, regardless of where the business is based. The Act will impact information regarding not only consumers, but also employees and business contacts.

Join us for a webinar on May 7, 2019, when Phil Zender and Ivan Rothman will provide an overview of the CCPA and discuss the act’s:

  • Scope and applicability (e.g., what companies, data and processes will be impacted)
  • Key requirements (e.g., privacy statement, individual rights, etc.)
  • Contextual comparisons to existing US law and GDPR
  • Suggested steps to build a CCPA compliance program efficiently and effectively
  • Practical tips to manage risk and leverage existing compliance processes where possible

Attendees will have the opportunity to ask questions during the program, with a full Q&A session to follow.

California’s Consumer Privacy Act of 2018 (“CCPA”) which was signed into law in June 2018 will take effect on January 1, 2020.

California Attorney General Xavier Becerra has announced that the California Department of Justice has organized six public forums throughout the State that will provide those impacted by the new law an opportunity to comment on the rulemaking process. Continue Reading California to Hold Public Forums on California Consumer Privacy Act as Part of Rulemaking Process

Amendments to California’s expansive Consumer Privacy Act of 2018 (“the Act”) include new provisions that may significantly impact the timing of enforcement and provide exemptions for large amounts of personal data regulated by other laws.

The Act, signed into law in June, is a sweeping data privacy law that regulates the processing of personal data of California residents. Because the Act was hastily passed in order to prevent a similar ballot initiative proceeding to a vote in the November elections, it was expected that the Act would undergo significant amendments before it enters into effect on January 1, 2020.

Continue Reading Amendments to the California Consumer Privacy Act of 2018: Progress toward Clarity

California’s newly enacted Consumer Privacy Act of 2018 is the strictest of the US’s patchwork of privacy related regulations. The Act will impact any legal entity that (i) does business in California, (ii) is operated for the profit or financial benefit of its owners, (iii) collects consumers’ personal information and determines the purpose and means of processing such information, and (iv) satisfies at least one of the following three conditions:

  • Has an annual gross revenue of over $25 million
  • Alone or in combination, annually buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices, or
  • Derives 50% or more of its annual revenues from selling consumers’ personal information

Continue Reading California’s Consumer Privacy Act of 2018

The rulemaking process on California’s Proposed “Regulations on CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology, and Insurance Companies” (2025 CCPA Regulations) has been ongoing since November 2024.  With the one-year statutory period to complete the rulemaking or be forced to start anew on the horizon, the California Privacy Protection Agency (CPPA) voted unanimously to move a revised set of draft regulations forward to public comment on May 1, which began May 9 and closes at 5 pm Pacific June 2, 2025.  The revisions cut back on the regulation of Automated Decision-making Technology (ADMT), eliminate the regulation of AI, address potential Constitutional deficiencies with regard to risk assessment requirements and somewhat ease cybersecurity audit obligations.  This substantially revised draft is projected by the CPPA to save California businesses approximately 2.25 billion dollars in the first year of implementation, a 64% savings from the projected cost of the prior draft.

Continue Reading Revised Draft California Privacy Regulations Lessen Impact on Business

Companies in all industries take note: regulators are scrutinizing how companies offer and manage privacy rights requests and looking into the nature of vendor processing in connection with application of those requests. This includes applying the proper verification standards and how cookies are managed. Last month, the California Privacy Protection Agency (“CPPA” or “Agency”) provided yet another example of this regulatory focus in a March 2025 Stipulated Final Order (“Order”) against a global vehicle manufacturer (referred to throughout this blog as “the Company”). We discuss this case in further detail, and provide practical takeaways from the case, further below.

On the heels of the CPPA’s landmark case against the Company, various state AGs and the CPPA announced a formal agreement to promote collaboration and information sharing in the bipartisan effort to safeguard the privacy rights of consumers. The announcement Attorney General Bonta of California can be found here. The consortium includes the CPPA and State Attorneys General from California, Colorado, Connecticut, Delaware, Indiana, New Jersey and Oregon. According to an announcement by the CPPA, the participating regulators established the consortium to share expertise and resources and coordinate in investigating potential violations of their respective privacy laws. With the establishment of a formal enforcement consortium, we can expect cross-jurisdictional collaboration on privacy enforcement by the participating states’ regulators. On the plus side, perhaps we will see the promotion of consistent interpretation of these seven states’ various laws that make up almost a third of the current patchwork of U.S. privacy legislation.

CPPA Case – Detailed Summary

In the case against the Company, the CPPA alleged that it violated the California Consumer Privacy Act (“CCPA”) by:

  • requiring Californians to verify themselves where verification is not required or permitted (the right to opt-out of sale/sharing and the right to limit) and provide excessive personal information to exercise privacy rights subject to verification (know, delete, correct);
  • using an online cookie management tool (often known as a CMP) that failed to offer Californians their privacy choices in a symmetrical or equal way and was confusing;
  • requiring Californians to verify that they gave their agents authority to make opt-out of sale/sharing and right to limit requests on their behalf; and
  • sharing consumers’ personal information with vendors, including ad tech companies, without having in place contracts that contain the necessary terms to protect privacy in connection with their role as either a service provider, contractor or third party.

This Order illustrates the potential fines and financial risks associated with non-compliance with the state privacy laws. Of the $632,500 administrative fine lodged against the company, the Agency clearly spelled out that $382,500 of the fine accounts for 153 violations – $2,500 per violation – that are alleged to have occurred with respect to the Company’s consumer privacy rights processing between July 1 and September 23, 2023. It is worth emphasizing that the Agency lodged the maximum administrative fine – “up to two thousand five hundred ($2,500)” – that is available to it for non-intentional violations for each of the incidents where consumer opt-out/limit rights were wrongly applying verification standards. It Is unclear to what the remaining $250,000 in fines were attributed, but they are presumably for the other violations alleged in the order, such as disclosing PI to third parties without having contracts with the necessary terms, confusing cookie and other consumer privacy requests methods and requiring excessive personal data to make a request. It is unclear the number of incidents that involved those infractions but based on likely web traffic and vendor data processing, the fines reflect only a fraction of the personal information processed in a manner alleged to be non-compliant.

The Agency and Office of the Attorney General of California (which enforces the CCPA alongside the Agency) have yet to seek truly jaw-dropping fines in amounts that have become common under the UK/EU General Data Protection Regulation (“GDPR”). However, this Order demonstrates California regulators’ willingness to demand more than remediation. It is also significant that the Agency requires the maximum administrative penalty on a per-consumer basis for the clearest violations that resulted in denial of specific consumers’ rights. This was a relatively modest number of consumers:

  • “119 Consumers who were required to provide more information than necessary to submit their Requests to Opt-out of Sale/Sharing and Requests to Limit;
  • 20 Consumers who had their Requests to Opt-out of Sale/Sharing and Requests to Limit denied because the Company required the Consumer to Verify themselves before processing the request and;
  • 14 Consumers who were required to confirm with the Company directly that they had given their Authorized Agents permission to submit the Request to Opt-out of Sale/Sharing and Request to Limit on their behalf.”

The fines would have likely been greater if applied to all Consumers who accessed the cookie CMP, or that made requests to know, delete or correct. Further, it is worth noting that many companies receive thousands of consumer requests per year (or even per month), and the statute of limitations for the Agency is five years; applying the per-consumer maximum fine could therefore result in astronomical fines for some companies.

Let us also not forget that regulators also have injunctive relief at their disposal. Although, the injunctive relief in this Order was effectively limited to fixing alleged deficiencies, it included “fencing in” requirements such as use of a UX designer to evaluate consumer request “methods – including identifying target user groups and performing testing activities, such as A/B testing, to access user behavior” – and reporting of consumer request metrics for five years. More drastic relief, such as disgorgement or prohibiting certain data or business practices, are also available. For instance, in a recent data broker case brought by the Agency, the business was barred from engaging in business as a data broker in California for three years.

We dive into each of the allegations in the present case further below and provide practical takeaways for in-house legal and privacy teams to consider.

Requiring consumers to provide more info than necessary to exercise verifiable requests and requiring verification of CCPA sale/share opt-out and sensitive PI limitation requests

The Order alleges two main issues with the Company’s rights request webform:

  • The Company’s webform required too many data points from consumers (e.g., first name, last name, address, city, state, zip code, email, phone number). The Agency contends that requiring all of this information necessitates that consumers provide more information than necessarily needed to exercise their verifiable rights considering that the Agency alleged that the Company “generally needs only two data points from the Consumer to identify the Consumer within its database.” The CPPA and its regulations allow a business to seek additional personal information if necessary to verify to the requisite degree of certainty required under the law (which varies depending on the nature of the request and the sensitivity of the data and potential harm of disclosure, deletion or change), or to reject the request and provide alternative rights responses that require lesser verification (e.g., treat a request of a copy of personal information as a right to know categories of person information). However, the regulations prohibit requiring more personal data than is necessary under the particular circumstances of a specific request. Proposed amendments the Section 7060 of the CCPA regulations also demonstrate the Agency’s concern about requiring more information than is necessary to verify the consumer.
  • The Company required consumers to verify their Requests to Opt-Out of Sale/Sharing and Requests to Limit, which the CCPA prohibits.

In addition to these two main issues, the Agency also alluded to (but did not directly state) that the consumer rights processes amounted to dark patterns. The CPPA cited the policy reasons behind differential requirements as to Opt-Out of Sale/Sharing and Right to Limit; i.e., so that consumers can exercise Opt-Out of Sale/Sharing and Right to Limit requests without undue burden, in particular because there is minimal or nonexistent potential harm to consumers if such requests are not verified.

In the Order, the CPPA goes on to require the Company to ensure that its personnel handling CCPA requests are trained on the CCPA’s requirements for rights requests, which is an express obligation under the law, and confirming to the Agency that it has provided such training within 90 days of the Order’s effective date.

Practical Takeaways

  • Configure consumer rights processes, such as rights request webforms, to only require a consumer to provide the minimum information needed to initiate and verify (if permitted) the specific type of request. This may be difficult for companies that have developed their own webforms, but most privacy tech vendors that offer webforms and other consumer rights-specific products allow for customizability. If customizability is not possible, companies may have to implement processes to collect minimum information to initiate the request and follow up to seek additional personal information if necessary to meet CCPA verification standards as may be applicable to the specific consumer and the nature of the request.
  • Do not require verification of do not sell/share and sensitive PI limitation requests (note, there are narrow fraud prevention exceptions here, though, that companies can and should consider in respect of processing Opt-Out of Sale/Sharing and Right to Limit requests).
  • Train personnel handling CCPA requests (including those responsible for configuring rights request “channels”) to properly intake and respond to them.
  • Include instructions on how to make the various types of requests that are clear and understandable, and that track the what the law permits and requires.

Requiring consumers to directly confirm with the Company that they had given permission to their authorized agent to submit opt-out of sale/sharing sensitive PI limitation requests

The CPPA’s Order also outlines that the Company allegedly required consumers to directly confirm with the Company that they gave permission to an authorized agent to submit Opt-Out of Sale/Sharing and Right to Limit requests on their behalf. The Agency took issue with this because under the CCPA, such direct confirmation with the consumer regarding authority of an agent is only permitted as to requests to delete, correct and know.

Practical Takeaways

  • When processing authorized agent requests to Opt-Out of Sale/Sharing or Right to Limit, avoid directly confirming with the consumer or verifying the identity of the authorized agent (the latter is also permitted in respect of requests to delete, correct and know). Keep in mind that what agents may request, and agent authorization and verification standards, differ from state-to-state.

Failure to provide “symmetry in choice” in its cookie management tool

The Order alleges that, for a consumer to turn off advertising cookies on the Company’s website (cookies which track consumer activity across different websites for cross-context behavioral advertising and therefore require an Opt-out of Sale/Sharing), consumers must complete two steps: (1)  click the toggle button to the right of Advertising Cookies and (2) click the “Confirm My Choices” button.

The Order compares this opt-out process to that for opting back into advertising cookies following a prior opt-out. There, the Agency alleged that if consumers return to the cookie management tool (also known as a consent management platform or “CMP”) after turning “off” advertising cookies, an “Allow All” choice appears. This is likely a standard configuration of the CMP that can be modified to match the toggle and confirm approach used for opt-out. Thus, the CPPA alleged, consumers need only take one step to opt back into advertising cookies when two steps are needed to opt-out, in violation of and express requirement of the CCPA to have no more steps to opt-in than was required to opt-out.

The Agency took issue with this because the CCPA requires businesses to implement request methods that provide symmetry in choice, meaning the more privacy-protective option (e.g., opting-out) cannot be longer, more difficult or more time consuming than the less privacy protective option (e.g., opting-in).

The Agency also addressed the need for symmetrical choice in the context of “website banners,” also known as cookie banners, pointing to an example cited as insufficient symmetry in choice from the CCPA regulations – i.e., using “’Accept All’ and ‘More Information,’ or ‘Accept All’ and ‘Preferences’ – is not equal or symmetrical” because it suggests that the company is seeking and relying on consent (rather than opt-out) to cookies, and where consent is sought acceptance and acceptance must be equally as easy to choose. The CCPA further explained that “[a]n equal or symmetrical choice” in the context of a website banner seeking consent for cookies “could be between “Accept All” and “Decline All.”” Of course, under CCPA consent to even cookies that involve a Share/Sale is not required, but the Agency is making clear that where consent is sought there must be symmetry in acceptance and denial of consent.

The CPPA’s Order also details other methods by which the company should modify its CCPA requests procedures including:

  1. separating the methods for submitting sale/share opt-out requests and sensitive PI limitation requests from verifiable consumer requests (e.g., requests to know, delete, and correct);
  2. including the link to manage cookie preferences within the Company’s Privacy Policy, Privacy Center and website footer; and
  3. applying global privacy control (“GPC”) preference signals for opt-outs to known consumers consistent with CCPA requirements.

Practical Takeaways

  • It is unclear whether the company configured the cookie management tool in this manner deliberately or if the choice of the “Allow All” button in the preference center was simply a matter of using a default configuration of the CMP, a common issue with CMPs that are built off of a (UK/EU) GDPR consent model. Companies should pay close attention to the configuration of their cookie management tools, including in both the cookie banner (or first layer), if used, and the preference center, and avoid using default settings and configurations provided by providers that are inconsistent with state privacy laws. Doing so will help mitigate the risk of choice asymmetry presented in this case, and the risks discussed in the following three bullets.
  • State privacy laws like the CCPA are not the only reason to pay close attention and engage in meticulous legal review of cookie banner and preference center language, and proper functionality and configuration of cookie management tools.
  • Given the onslaught of demands and lawsuits from plaintiffs’ firms under the California Invasion of Privacy Act and similar laws – based on cookies, pixels and other tracking technologies – many companies turn to cookie banner and preference center language to establish an argument for a consent defense and therefore mitigate litigation risk. In doing so it is important to bear in mind the symmetry of choice requirements of state consumer privacy laws. One approach is to make it clear that acceptance is of the site terms and privacy practices, which include use of tracking by the operator and third parties, subject to the ability to opt-out of some types of cookies. This can help establish consent to use of cookies by using the site after notice of cookie practices, while not suggesting that cookies are opt-in, and having lack of symmetry in choice.
  • In addition, improper wording and configuration of cookie tools – such as providing an indication of an opt-in approach (“Accept Cookies”) when cookies in fact already fired upon the user’s site visit, or that “Reject All” opts the user out of all, including functional and necessary cookies that remain “on” after rejection – present risks under state unfair and deceptive acts and practices (UDAAP) and unfair competition laws, and make the cookie banner notice defense to CIPA claims potentially vulnerable since the cookies fire before the notice is given.
  • Address CCPA requirements for GPC, linking to the business’s cookie preference center, and separating methods for exercising verifiable vs. non-verifiable requests. Where the business can tie a GPC signal to other consumer data (e.g., the account of a logged in user), it must also apply the opt-out to all linkable personal information.
  • Strive for clear and understandable language that explains what options are available and the limitations of those options, including cross-linking between the CMP for cookie opt-outs and the main privacy rights request intake for non-cookie privacy rights, and explain and link to both in the privacy policy or notice.
  • Make sure that the “Your Privacy Choices” or “Do Not Sell or Share My Personal Information” link gets the consumer to both methods. Also make sure the opt-out process is designed so that the required number of steps to make those opt-outs is not more than to opt-back in. For example, linking first to the CMP, which then links the consumer rights form or portal, rather than the other way around, is more likely to avoid the issue with additional steps just discussed.

Failure to produce contracts with advertising technology companies

The Agency’s Order goes on to allege that the Company did not produce contracts with advertising technology companies despite collecting and selling/sharing PI via cookies on its website to/with these third parties. The CPPA took issue with this because the CCPA requires a written contract meeting certain requirements to be in place between a business and PI recipients that are a CCPA service provider, contractor or third party in relation to the business. We have seen regulators request copies of contracts with all data recipients in other enforcement inquiries.

Practical Takeaways

  • Vendor and contract management are a growing priority of privacy regulators, in California and beyond, and should be a priority for all companies. Be prepared to show that you have properly categorized all personal data recipients and have implemented and maintain processes to ensure proper contracting practices with vendors, partners and other data recipients, which should include a diligence and assessment process to ensure that the proper contractual language is in place with the data recipient based on the recipient’s data processing role. To state it another way, it may not be proper as to certain vendors to simply put in place a data processing agreement or addendum with service provider/processor language. For instance, vendors that process for cross-context behavioral advertising cannot qualify as a service provider/contractor. In order to correctly categorize cookie and other vendors as subject to opt-out or not, this determination is necessary.
  • Attention to contracting is important under the CCPA in particular because different language is required depending on whether the data recipient constitutes a “third party,” “service provider” or a “contractor,” the CCPA requires different contracting terms be included in the agreements with each of those three types of personal information recipients. Further, in California, the failure to have all of the required service provider/contractor contract terms will convert the recipient to a third party and the disclosure into a sale.

Conclusion

This case demonstrates the need for businesses to review their privacy policies and notices, and audit their privacy rights methods and procedures to ensure that they are in compliance with applicable state privacy laws, which have some material differences from state-to-state. We are aware of enforcement actions in progress not only in California, but other states including Oregon, Texas and Connecticut, and these states are looking for clarity as to what specific rights their residents have and how to exercise them. Further, it can be expected that regulators will start, potentially in multi-state actions that have become common in other consumer protection matters, looking beyond obvious notice and rights request program errors to data knowledge and management, risk assessment, minimization and purpose and retention limitation obligations. Compliance with those requirements requires going beyond “check the box” compliance as to public facing privacy program elements and to the need to have a mature, comprehensive and meaningful information governance program.

If you have any questions, or for more information, contact the authors or your SPB relationship attorney.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only and is not intended to constitute or be relied upon as legal advice.