On August 24, 2022, the California Attorney General announced updates to its California Consumer Privacy Act (“CCPA”) enforcement case examples. A large number of the examples focused on compliance with the CCPA’s requirements for “sales” of personal information, including the obligation that businesses honor consumers’ use of Global Privacy Control (“GPC”) opt-out signals. In a similar vein, the California Attorney General also announced its first formal settlement for CCPA violations, which arises out of an “enforcement sweep of online retailers” looking specifically at whether such businesses honored consumers’ GPC signal. Together with the California Attorney General’s prior enforcement examples, these enforcement examples shed light on how the California Attorney General views the definition of a “sale” under the CCPA, and suggest compliance steps that businesses might consider undertaking to mitigate enforcement risks.

Trends

  1. Online advertising and third-party trackers are a focus: Of the thirteen new examples published by the California Attorney General, at least six touch on cookies or third-party trackers, ad tech, or targeted advertising. Similarly, the California Attorney General’s settlement press release describes the California Attorney General’s focus on supporting “the critical rights that consumers have under the CCPA to fight commercial surveillance” and provides that the use of such technologies constitutes a sale of personal information under the CCPA. The California Attorney General’s focus echoes a similar concern with cookies under GDPR, which we’ve written about here and here.
  2. The CCPA broadly defines a “sale,” which the California Attorney General believes encompasses third-party trackers used for analytics and serving ads: Collectively, the enforcement actions confirm that the California Attorney General views the use of third-party trackers used for analytics or serving ads to be sales of personal information under the CCPA, subject to additional disclosures and opt-out rights. It is clear that the California Attorney General views such exchange of personal information as a “sale” that requires businesses to offer an opt-out mechanism unless an exception applies or they ensure that the third party is a CCPA-compliant service provider with CCPA-specific contractual addenda in place. Examples cited as sales of personal information under the CCPA include: (a) “web tracking technologies that make consumers’ personal information available to third parties in exchange for services like advertising or analytics”; (b) “personal information that was exchanged for targeted advertising”; (c) “third-party cookies…in connection with targeted advertising”; and (d) a “widely-used analytics and advertising software package … [involving] the trade of personal information for analytics and the trade of personal information for an advertising option.”
  3. The California Attorney General expects strict adherence when providing consumers the right to opt out of the sale of personal information: Where the California Attorney General believes that businesses are selling personal information, it expects them to strictly adhere to the CCPA’s opt-out requirements, including by recognizing a user-enabled GPC. Businesses that have relied on their privacy policies directing consumers to a third-party trade association’s tool designed to manage online advertising and cookie preferences were prompted by the California Attorney General to update their privacy policies to more clearly explain how they used third-party cookies and allow consumers to fully opt out of the sale of personal information, including in connection with targeted advertising.
  4. Other operational hints: The enforcement examples also shed light on what remedial measures the California Attorney General believes sufficiently cure alleged defects. In addition to those described above, the California Attorney General cited approvingly a business that cured its alleged CCPA noncompliance with respect to opt-out rights by initiating a technical solution to block all third-party advertising cookies for anyone visiting their website using a California internet protocol (IP) address, which may be a less burdensome solution for businesses whose sale of personal information only stems from the use of third-party advertising cookies. The enforcement examples also include instances where the California Attorney General believed that businesses failed to meet the notice at collection or financial incentive notice requirements. Businesses were prompted to change user interfaces to make such notices readily available to consumers—such as by “deep linking” to the relevant language or section of their privacy policy or by adding a link in the first screen of their mobile app to their notice at collection.

Takeaways

  1. Make an inventory of third-party cookies, trackers, and analytics tools and assess whether their use constitutes a sale of personal information under the CCPA: Understanding what cookies, trackers, and analytics tools a website or app uses is an initial step businesses should consider to understand their potential enforcement risk and take steps to mitigate it. Now may be a good time to inventory such cookies, trackers, and analytics tools and then “clean up” those that are unused or underused on digital properties. Where such tools are necessary, businesses should consider operationalizing a clear and conspicuous “Do Not Sell My Personal Information” link and updating any relevant disclosures in their privacy policies regarding the sale of personal information. Businesses should also consider negotiating CCPA-compliant service-provider data protection addenda so that these disclosures are not considered sales of personal information, but they must be mindful that the Consumer Privacy Rights Act’s amendments, effective January 1, 2023, prohibit cross-context behavioral advertising from being a valid business purpose for service provider agreements.
  2. Honor GPC signals: Given the California Attorney General’s “enforcement sweep” that appears to be looking at multiple online retailers’ responses to GPC signals, businesses should consider how to operationalize the CCPA’s requirement to recognize a user-enabled global privacy control.
  3. Implement easy-to-understand mechanisms to opt out of the sale of personal information: Aside from the GPC, businesses should ensure that, where they are selling personal information, they are providing an easy-to-use mechanism for consumers to fully opt out of those sales.
  4. Be sure to hit the basics: Finally, businesses should make sure that their public-facing privacy disclosures are hitting all of the CCPA’s requirements. The enforcement examples demonstrate that the California Attorney General need not look much further than businesses’ websites to send notices of alleged noncompliance. CCPA-compliance failures drawing the attention of the California Attorney General included (a) not explicitly stating whether or not the business sells personal information; (b) failing to describe the information required in order to make a verifiable consumer request, list the categories of personal information collected or disclosed in the past twelve months, and list the categories of third parties for each category of personal information disclosed for a business purpose; and (c) failing to maintain a functional CCPA portal for accepting consumer-rights requests.

Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Johanna Skrzypczyk (pronounced “Scrip-zik”) is a counsel in the Data Strategy and Security practice of Debevoise & Plimpton LLP. Her practice focuses on advising on AI matters and privacy-oriented work, particularly related to the California Consumer Privacy Act. She can be reached at jnskrzypczyk@debevoise.com.

Author

Michael R. Roberts is a senior associate in Debevoise & Plimpton’s global Data Strategy and Security Group and a member of the firm’s Litigation Department. His practice focuses on privacy, cybersecurity, data protection and emerging technology matters. He can be reached at mrroberts@debevoise.com.