Last week, the California Privacy Protection Agency (CPPA) settled its first non-data broker enforcement action against American Honda Motor Co. for a $632,500 fine and the implementation of certain remedial actions.

The CPPA alleged that Honda violated the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively the CCPA) by:

  1. Requiring consumers to provide more information than necessary to exercise their rights under the CCPA. When submitting a request, a consumer is required by Honda’s webform to provide their first name, last name, address, city, state, zip code, email, and phone number. The CPPA alleged that this violated the CCPA by requiring a higher level of verification than is permitted for requests to opt out or to limit the use of certain information.
  2. Requiring consumers to directly confirm that they have permitted another individual to act as their authorized agent to submit a request to opt-out or limit use. While a company may request written documentation indicating that an individual is an authorized agent for a consumer, a company may not require a consumer to directly confirm that they have provided the permission; companies may only contact consumers directly for requests to know, access, and correct.
  3. Failing to implement a cookie management tool that provides symmetrical choice when a consumer submits requests to opt-out of sale and/or sharing and consents to the use of their personal information. The CPPA alleged that Honda’s website automatically allows cookies by default. To turn off advertising cookies, the user must toggle a button next to “Advertising Cookies” and then click “Confirm my Choices,” but to opt back into advertising cookies, the consumer only needs to press one button. The CPPA alleges that by providing one step to opt-in but two steps to opt-out, Honda did not provide equal or symmetrical choices as the CCPA requires.
  4. Failing to execute written contracts with third-party advertising companies with whom it sold, shared, and/or disclosed consumer personal information. The CPPA alleged that Honda failed to execute CCPA-compliant agreements with the third-party cookie providers it uses on its website and that it sells, shares, and/or discloses personal information for advertising and marketing across different websites.

To resolve the allegations, Honda agreed to:

  • Implement a new and simpler process for Californians to assert their privacy rights
  • Update its cookie preference tool to include a “Reject All” button in addition to the “Accept All” button
  • Separate the methods for submitting requests to opt-out and limit the use of certain information from other rights under the CCPA
  • Train its employees
  • Consult a user experience designer to evaluate its methods for submitting privacy requests

The settlement amount is supported by the CPPA by calling out the number of consumers whose rights were implicated by some of Honda’s practices, which emphasizes that the CPPA will determine a fine on a per-violation basis. If your company hasn’t done so already, be sure to update your CCPA compliance program and dot the “I’s” and cross the “t’s” when it comes to your website’s privacy policy regarding cookie preferences and third-party advertisers.

The California Privacy Protection Agency (CPPA), the agency responsible for implementing and enforcing the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) (collectively the CCPA), protecting consumer privacy, and ensuring compliance with data privacy regulations, has announced an investigative sweep into companies’ collection of sensitive location data. The CPPA has already sent out inquiries to “advertising networks, mobile app providers, and data brokers that appear to be in violation” of the CCPA.

California Attorney General Rob Bonta said, “Every day, we give off a steady stream of data that broadcasts not only who we are, but where we go. This location data is deeply personal, can let anyone know if you visit a health clinic or hospital, and can identify your everyday habits and movements.” The CPPA is concerned that this sensitive location data will be used to target vulnerable populations. The CPPA urges businesses to take responsibility as stewards of this sensitive data seriously and affirmatively protect location data.

The CPPA’s investigation will focus on how companies are informing consumers about their right to opt out of the sale and sharing of their data (as required under the CCPA), including geolocation data and other types of personal information collected by businesses. Additionally, the CPPA will investigate how companies actually apply this opt-out requirement when a consumer asserts that right.

If your company hasn’t assessed its opt-out processes and procedures lately, now is the time to confirm that consumers are clearly notified of this right and that they can readily opt out of such tracking and collection and of the subsequent sale and/or sharing of that data with third parties.

As we outlined in our previous blog article, California recently became the second state to enact a law safeguarding consumer brain data, following a similar law passed by Colorado in April. Both state laws prevent the sale or unauthorized sharing of data generated by consumer neurotechnology products. Under these new state privacy laws, companies must disclose the types of brain data they collect and their uses and disclosures of it.

The amendment adds brain data (i.e., neural data) to the definition of personal information and will take effect on January 1, 2025. Neural data is information derived from an individual’s brain, spinal cord, or nervous system, which is collected and interpreted by a device. Neurotechnology includes any device designed to understand brain activity or visualize brain processes. These products, which are becoming more accessible to consumers, can be beneficial as they can improve or repair brain functions. Additionally, these products have the ability to observe and record brain data, which could, in turn, be used to determine consumers’ emotions and preferences and infer thoughts, all of which raise privacy concerns.

These technologies are not novel; they have been used to diagnose and treat neurological disorders and alleviate symptoms of neurological diseases such as epilepsy. The novelty lies in the use of neurotechnology outside of the clinical setting by consumers on the free market.

Consumers can purchase headbands to help them meditate and earbuds to monitor stress levels and other brain activity. Without appropriate regulation of this data and its use, companies could misuse the data for behavioral advertising, profiling, and/or discrimination. Further, if not secured properly, this type of data could be sought after by cybercriminals due to its sensitive, valuable nature. Similar to biometric data, brain data is uniquely tied to an individual’s identity. If an individual’s brain data is compromised, it cannot be replaced or updated in the same way that a credit card account number can be canceled and reissued.

We’ll continue to monitor the regulatory landscape for additional state amendments that are likely to come.

Following the Sephora and DoorDash enforcement actions, on June 18, 2024, the California Attorney General announced its third California Consumer Privacy Act (CCPA) enforcement action against Tilting Point Media LLC. Tilting Point develops mobile video games, including children’s games. The California AG alleged that Tilting Point collected and shared children’s data without parental consent in violation of the CCPA and the Children’s Online Privacy Protection Act (COPPA). Tilting Point’s mobile app game, “SpongeBob: Krusty Cook-Off,” did not ask for the user’s age in a neutral manner, i.e., children were not encouraged to enter their age correctly. Further, the California AG alleged that Tilting Point misconfigured the third-party software development kits (SDKs) used in the mobile app game, which led to the sale of children’s data without parental consent.

Tilting Point agreed to pay $500,000 to settle these allegations and to take actions to prevent the collection or sale of children’s data without prior parental consent. For example, Tilting Point must:

  • Use only neutral age screens that encourage children to enter their age accurately;
  • Not sell or share the personal information of consumers less than 13 years old without parental consent, and not sell or share the personal information of consumers at least 13 and less than 16 years old without the consumer’s affirmative “opt-in” consent;
  • Minimize data collection and use of data from children;
  • Comply with laws and best practices related to advertising to minors; and
  • Implement and maintain an SDK governance framework to review the use and configuration of SDKs within its apps.

If your business collects children’s personal information or provides services to children, confirm that your practices are in compliance with federal and state privacy requirements.

Last week, the Vermont legislature passed H. 121, the Vermont Data Privacy Act. This law will make Vermont the 18th state to grant consumers privacy rights similar to those under the California Consumer Privacy Act (CCPA). It is scheduled to go into effect on July 1, 2025.

While the Vermont Data Privacy Act includes provisions similar to those granted under the CCPA (e.g., consumer rights to delete, access, correct, and opt-out), the Act also includes some provisions that are more protective than the CCPA:

  • The Act includes data minimization requirements that prohibit businesses from collecting personal information for ANY purpose outside of providing the product or service.
  • The Act grants consumers a private right of action against businesses not only when the entity causes a breach of personal information (as is the case under the CCPA) but also if the business misuses data about their race, religion, sexual orientation, health, or other categories of sensitive information. 

Note, however, that the law’s private right of action must be reauthorized after two years and only applies to large data brokers. The Vermont legislature pushed this law along amidst the push by the federal government to pass a comprehensive privacy law, which has yet to come to fruition over the last decade. We will continue to monitor new consumer privacy rights laws and how these laws may affect your business and its data collection and use practices.

DoorDash, Inc. recently settled with the California Attorney General for alleged violations of the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). This is only the second public settlement with the California AG’s office for claims related to CCPA violations (the first was with Sephora in 2022).

The AG’s complaint stated that DoorDash sold California consumers’ personal information (names, addresses, and transaction histories) as part of its participation in a couple of marketing co-ops that began in 2018. The sale of personal information is not prohibited by the CCPA, but if a business engages in such sales, it must notify consumers of that sale and provide them with the opportunity to opt-out of such sales. The AG’s complaint alleged that DoorDash did neither.

The marketing co-ops that DoorDash participated in would combine consumer data that had been independently collected in exchange for the opportunity to re-target the other co-op members’ customers. The complaint outlined the fact that under the CCPA, this act is considered a sale because a “sale” does not require the exchange of funds but could be an exchange for “other valuable consideration.”

Additionally, the data was also shared with parties external to the co-op; the data was sold to those external parties who then also sold the data.

To further support the AG’s claims that DoorDash violated consumer protection laws, the AG alerted DoorDash to these potential issues in September 2020. DoorDash responded to the notice from the AG stating that it had stopped selling the data and instructed the co-op participants to delete all California consumer data. However, the AG found that DoorDash did not cure the January 2020 sale of data “because it did not make affected consumers whole by restoring them to the same position they would have been in if their data had never been sold.”

In the complaint, the AG faulted DoorDash for losing track of the data and also for engaging in a marketing co-op agreement that did not allow DoorDash to audit the sale of the data to third parties or restrict the co-op owner from making sales of the data. Lastly, the AG alleged that DoorDash did not update its website privacy policy to disclose that it sold consumer data within the prior year.

To settle these alleged violations, DoorDash has agreed to pay a $375,000 penalty and implement a CCPA and CalOPPA compliance program. DoorDash will also have to provide annual certification of compliance for three years. 

With a settlement like this, businesses may want to assess their practices around disclosures of consumer data and take a look at their website privacy policies to confirm that those practices are clearly articulated and transparent.

Last week, California Attorney General Rob Bonta announced a new enforcement focus on streaming apps’ failure to comply with the California Consumer Privacy Act (CCPA). This investigation will examine whether streaming services are complying with the opt-out requirements for businesses that sell or share consumers’ personal information as required by the CCPA. Specifically, the agency will examine those services that do not offer an easy mechanism for consumers to exercise this opt-out right.

Attorney General Bonta said that he “urge[s] consumers to learn about and exercise their rights under the [CCPA], especially the right to tell these businesses to stop selling their personal information.” He also warned that the agency will be “taking a close look at how these streaming services are complying with requirements that have been in place since 2020.”

Under the CCPA’s right to opt-out, companies that sell or share personal information for targeted advertising purposes are required to provide consumers with the right to opt-out of such sales or sharing. Not only must the opt-out be available, but the ability to exercise the right must be easy and involve minimal steps. The agency provided an example: on your SmartTV, you should be able to enable a “Do Not Sell My Personal Information” setting in a streaming service’s app. Further, you should not have to opt-out on different devices if you are logged into your account once the opt-out request has been submitted. Lastly, a streaming service’s privacy policy should also be easily accessible to the consumer and include details on individual CCPA rights. Letters of non-compliance are forthcoming.

The California Privacy Protection Agency (CPPA) recently met to discuss automated decision-making technology, privacy risk assessments and cybersecurity audits under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). However, the CPPA also decided to step outside the anticipated agenda and discuss additional revisions to the existing regulations. Once again, changes are on the horizon. What kind of changes? Here are the key things that would change under the CCPA for your organization’s online privacy policy:

  • “Meaningful Understanding” of Sources and Sales/Sharing with Third Parties: the draft revisions would add a requirement for privacy policies to provide “meaningful understanding” of the sources that the business uses to collect personal information and the categories of third parties to which the business shares or sells personal information.
  • Clarifying Disclosures to Service Providers and Contractors: the draft revisions would remove an ambiguity related to the definition of a “third party” and require businesses to explicitly identify the categories of personal information disclosed to a service provider or contractor in the last 12 months.
  • Privacy Policy Links for Mobile Applications: the draft revisions would require mobile apps to include a link to their privacy policies in the settings menu of the app. This link would be in addition to the link on the website homepage and the app store download page.

After the CPPA finalizes the draft revisions, the proposed rule changes will be published for a 45-day public comment period. However, the CPPA did not provide an anticipated start date for that comment period yet.

On September 8, 2023, the California Privacy Protection Agency (CPPA) will discuss the two new sets of proposed California Consumer Privacy Act (CCPA) regulations. Here is a breakdown of the two new proposed regulations and issues up for discussion:

Auditing Requirements: If a business processes data that poses a “significant risk to consumers’ security,” then the business must complete an annual cybersecurity audit using an independent auditing professional and file a statement of compliance with the CPPA. The auditor(s) may be internal, but the findings must be reported to the board. Further, these audits must take into account multifactor authentication, encryption and zero-trust architecture. The CPPA will discuss the “significant risk” standard at its upcoming meeting.

AI and Automated Decision-Making Risk Assessments: If a business uses AI systems to make decisions, it must conduct regular and thorough risk assessments considering potential negative impacts to consumers as a result of using such technology. The negative impacts could range from economic harm to reputational and psychological harm. Businesses that do any of the following would be subject to the CCPA:

  • Selling or sharing personal information
  • Processing sensitive personal information
  • Using automated decision-making technology in furtherance of a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or contracting opportunities or compensation, healthcare services, or access to essential goods, services, or opportunities
  • Processing the personal information of consumers that the business has actual knowledge are less than 16 years of age
  • Processing the personal information of consumers who are employees, independent contractors, job applicants, or students using technology to monitor employees, independent contractors, job applicants, or students.
  • Processing the personal information of consumers in publicly accessible places using technology to monitor consumers’ behavior, location, movements, or actions.
  • Processing the personal information of consumers to train AI or automated decision-making technology

If your business is subject to the CCPA and it processes data as set forth in the proposed regulations, you should track these changes closely. If your business has not yet assessed its applicability, now is the time to do so. We will monitor these new regulations closely.

Earlier this month, the Commissioner of Data Protection of the Dubai International Financial Centre (DIFC), a financial free-zone in the United Arab Emirates (UAE), issued the first adequacy decision regarding the California Consumer Privacy Act (CCPA), which recognizes the CCPA as an equivalent to the DIFC Data Protection Law (DIFC Law No. 5 of 2020, as amended, the DIFC DPL).

This decision allows businesses to transfer data between the DIFC and companies located in California, in accordance with the DIFC DPL, without any additional contractual measures. In the DIFC Commissioner’s public statement about this decision, he said, “The importance of additional safeguards for imported personal data is evidenced by the factors set out in published adequacy protocols as well as the DIFC Ethical Data Management Risk Index (EDMRI) and due diligence tool. In evaluating California’s privacy law and regulations, together with implementation, enforcement, and other holistic factors, it became clear that in large part, California importers will treat personal data from DIFC ethically and fairly.” This decision will also likely serve as precedent for the DIFC to establish a similar relationship with other U.S. states. As of today, there are only 49 establishments and/or locations (countries, jurisdictions, and organizations) subject to an adequacy decision by the DIFC.

The decision comes as a result of an assessment by the DIFC Commissioner of the grounds for lawful and fair processing of data under the CCPA, the existence of data protection principles and data subjects’ rights, international and onward data transfer restrictions, measures regarding security of processing, and breach reporting and accountability.

However, since the CCPA does not have a provision related to the transfer of personal information outside of California or the U.S., DIFC exporters that send personal information to a California-based importer under the decision would still need to ensure that the onward transfer of such personal information is safeguarded. Additionally, this decision will be reviewed annually by the DIFC Commissioner to ensure that the CCPA’s protections still meet expectations.