Following the Sephora and DoorDash enforcement actions, on June 18, 2024, the California Attorney General announced its third California Consumer Privacy Act (CCPA) enforcement action against Tilting Point Media LLC. Tilting Point is a developer of mobile video games, including children’s games. The California AG alleged that Tilting Point collected and shared children’s data without parental consent in violation of the CCPA and the Children’s Online Privacy Protection Act (COPPA). Tilting Point’s mobile app game, “SpongeBob: Krusty Cook-Off,” did not ask for the user’s age in a neutral manner, i.e., children were not encouraged to enter their age correctly. Further, the California AG alleged that Tilting Point misconfigured the third-party software development kits (SDKs) used in the mobile app game, which led to the sale of children’s data without parental consent.

Tilting Point agreed to pay $500,000 to settle these allegations and to take actions to prevent the collection or sale of children’s data without prior parental consent. For example, Tilting Point must:

  • Use only neutral age screens that encourage children to enter their age accurately;
  • Not sell or share the personal information of consumers less than 13 years old without parental consent, and not sell or share the personal information of consumers at least 13 and less than 16 years old without the consumer’s affirmative “opt-in” consent;
  • Minimize data collection and use of data from children;
  • Comply with laws and best practices related to advertising to minors; and
  • Implement and maintain an SDK governance framework to review the use and configuration of SDKs within its apps.

If your business collects children’s personal information or provides services to children, confirm that your practices are in compliance with federal and state privacy requirements.

Last week, the Vermont legislature passed H. 121, the Vermont Data Privacy Act. This law will make Vermont the 18th state to grant consumers privacy rights similar to those under the California Consumer Privacy Act (CCPA). It is scheduled to go into effect on July 1, 2025.

While the Vermont Data Privacy Act includes provisions similar to those granted under the CCPA (e.g., consumer rights to delete, access, correct, and opt-out), the Act also includes some provisions that are more protective than the CCPA:

  • The Act includes data minimization requirements that prohibit businesses from collecting personal information for ANY purpose outside of providing the product or service.
  • The Act grants consumers a private right of action against businesses not only when the entity causes a breach of personal information (as is the case under the CCPA) but also if the business misuses data about their race, religion, sexual orientation, health, or other categories of sensitive information. 

Note, however, that the law’s private right of action must be reauthorized after two years and only applies to large data brokers. The Vermont legislature pushed this law along amidst the push by the federal government to pass a comprehensive privacy law, which has yet to come to fruition over the last decade. We will continue to monitor new consumer privacy rights laws and how these laws may affect your business and its data collection and use practices.

DoorDash, Inc. recently settled with the California Attorney General for alleged violations of the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). This is only the second public settlement with the California AG’s office for claims related to CCPA violations (the first was with Sephora in 2022).

The AG’s complaint stated that DoorDash sold California consumers’ personal information (names, addresses, and transaction histories) as part of its participation in a couple of marketing co-ops that began in 2018. The sale of personal information is not prohibited by the CCPA, but if a business engages in such sales, it must notify consumers of that sale and provide them with the opportunity to opt-out of such sales. The AG’s complaint alleged that DoorDash did neither.

The marketing co-ops that DoorDash participated in would combine consumer data that had been independently collected in exchange for the opportunity to re-target to the other co-op members’ customers. The complaint outlined the fact that under the CCPA, this act is considered a sale because a “sale” does not require the exchange of funds but could be an exchange for “other valuable consideration.”

Additionally, the data was shared with parties external to the co-op; the data was sold to those external parties, who then sold the data on in turn.

To further support the AG’s claims that DoorDash violated consumer protection laws, the AG alerted DoorDash to these potential issues in September 2020. DoorDash responded to the notice from the AG stating that it had stopped selling the data and instructed the co-op participants to delete all California consumer data. However, the AG found that DoorDash did not cure the January 2020 sale of data “because it did not make affected consumers whole by restoring them to the same position they would have been in if their data had never been sold.”

In the complaint, the AG faulted DoorDash for losing track of the data and also for engaging in a marketing co-op agreement that did not allow DoorDash to audit the sale of the data to third parties or restrict the co-op owner from making sales of the data. Lastly, the AG alleged that DoorDash did not update its website privacy policy to disclose that it sold consumer data within the prior year.

To settle these alleged violations, DoorDash has agreed to pay a $375,000 penalty and implement a CCPA and CalOPPA compliance program. DoorDash will also have to provide annual certification of compliance for three years. 

With a settlement like this, businesses may want to assess their practices around disclosures of consumer data and take a look at their website privacy policies to confirm that those practices are clearly articulated and transparent.

Last week, California Attorney General Rob Bonta announced a new enforcement focus on streaming apps’ failure to comply with the California Consumer Privacy Act (CCPA). This investigation will examine whether streaming services are complying with the opt-out requirements for businesses that sell or share consumers’ personal information as required by the CCPA. Specifically, the agency will examine those services that do not offer an easy mechanism for consumers to exercise this opt-out right.

Attorney General Bonta said that he “urge[s] consumers to learn about and exercise their rights under the [CCPA], especially the right to tell these businesses to stop selling their personal information.” He also warned that the agency will be “taking a close look at how these streaming services are complying with requirements that have been in place since 2020.”

Under the CCPA’s right to opt-out, companies that sell or share personal information for targeted advertising purposes are required to provide consumers with the right to opt-out of such sales or sharing. Not only must the opt-out be available, but the ability to exercise the right must be easy and involve minimal steps. The agency provided an example: on your SmartTV, you should be able to enable a “Do Not Sell My Personal Information” setting in a streaming service’s app. Further, you should not have to opt-out on different devices if you are logged into your account once the opt-out request has been submitted. Lastly, a streaming service’s privacy policy should also be easily accessible to the consumer and include details on individual CCPA rights. Letters of non-compliance are forthcoming.

The California Privacy Protection Agency (CPPA) recently met to discuss automated decision-making technology, privacy risk assessments and cybersecurity audits under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). However, the CPPA also decided to step outside the anticipated agenda and discuss additional revisions to the existing regulations. Once again, changes are on the horizon. What kind of changes? Here are the key things that would change under the CCPA for your organization’s online privacy policy:

  • “Meaningful Understanding” of Sources and Sales/Sharing with Third Parties: the draft revisions would add a requirement for privacy policies to provide “meaningful understanding” of the sources that the business uses to collect personal information and the categories of third parties to which the business shares or sells personal information.
  • Clarifying Disclosures to Service Providers and Contractors: the draft revisions would remove an ambiguity related to the definition of a “third party” and require businesses to explicitly identify the categories of personal information disclosed to a service provider or contractor in the last 12 months.
  • Privacy Policy Links for Mobile Applications: the draft revisions would require mobile apps to include a link to their privacy policies in the settings menu of the app. This link would be in addition to the link on the website homepage and the app store download page.

After the CPPA finalizes the draft revisions, the proposed rule changes will be published for a 45-day public comment period. However, the CPPA did not provide an anticipated start date for that comment period yet.

On September 8, 2023, the California Privacy Protection Agency (CPPA) will discuss the two new sets of proposed California Consumer Privacy Act (CCPA) regulations. Here is a breakdown of the two new proposed regulations and issues up for discussion:

Auditing Requirements: If a business processes data that poses a “significant risk to consumers’ security,” then the business must complete an annual cybersecurity audit using an independent auditing professional and file a statement of compliance with the CPPA. The auditor(s) may be internal, but the findings must be reported to the board. Further, these audits must take into account multifactor authentication, encryption and zero-trust architecture. The CPPA will discuss the “significant risk” standard at its upcoming meeting.

AI and Automated Decision-Making Risk Assessments: If a business uses AI systems to make decisions, it must conduct regular and thorough risk assessments considering potential negative impacts to consumers as a result of using such technology. The negative impacts could range from economic harm to reputational and psychological harm. Businesses that do any of the following would be subject to the CCPA:

  • Selling or sharing personal information;
  • Processing sensitive personal information;
  • Using automated decision-making technology in furtherance of a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or contracting opportunities or compensation, healthcare services, or access to essential goods, services, or opportunities;
  • Processing the personal information of consumers that the business has actual knowledge are less than 16 years of age;
  • Processing the personal information of consumers who are employees, independent contractors, job applicants, or students using technology to monitor employees, independent contractors, job applicants, or students;
  • Processing the personal information of consumers in publicly accessible places using technology to monitor consumers’ behavior, location, movements, or actions; and
  • Processing the personal information of consumers to train AI or automated decision-making technology.

If your business is subject to the CCPA and it processes data as set forth in the proposed regulations, you should track these changes closely. If your business has not yet assessed its applicability, now is the time to do so. We will monitor these new regulations closely.

Earlier this month, the Commissioner of Data Protection of the Dubai International Financial Centre (DIFC), a financial free-zone in the United Arab Emirates (UAE), issued the first adequacy decision regarding the California Consumer Privacy Act (CCPA), which recognizes the CCPA as an equivalent to the DIFC Data Protection Law (DIFC Law No. 5 of 2020, as amended, the DIFC DPL).

This decision allows businesses to transfer data between the DIFC and companies located in California, in accordance with the DIFC DPL, without any additional contractual measures. In the DIFC Commissioner’s public statement about this decision, he said, “The importance of additional safeguards for imported personal data is evidenced by the factors set out in published adequacy protocols as well as the DIFC Ethical Data Management Risk Index (EDMRI) and due diligence tool. In evaluating California’s privacy law and regulations, together with implementation, enforcement, and other holistic factors, it became clear that in large part, California importers will treat personal data from DIFC ethically and fairly.” This decision will also likely serve as precedent for the DIFC to establish a similar relationship with other U.S. states. As of today, there are only 49 establishments and/or locations (countries, jurisdictions, and organizations) subject to an adequacy decision by the DIFC.

The decision comes as a result of an assessment by the DIFC Commissioner of the grounds for lawful and fair processing of data under the CCPA, the existence of data protection principles and data subjects’ rights, international and onward data transfer restrictions, measures regarding security of processing, and breach reporting and accountability.

However, since the CCPA does not have a provision related to the transfer of personal information outside of California or the U.S., DIFC exporters that send personal information to a California-based importer under the decision would still need to ensure that the onward transfer of such personal information is safeguarded. Additionally, this decision will be reviewed annually by the DIFC Commissioner to ensure that the CCPA’s protections still meet expectations.

The California Attorney General recently announced an initiative to investigate employers’ non-compliance with the California Consumer Privacy Act/California Privacy Rights Act (collectively the CCPA).

At the beginning of this year, the CCPA’s disclosure requirements and consumer rights provisions became applicable to job applicants, employees (and their beneficiaries), and independent contractors. Now, the California AG’s office has started to send out inquiry letters to California employers requesting information about their CCPA compliance. This is a big step forward for enforcement under the CCPA and this initiative focuses on employee data. The initial set of inquiry letters has gone out to large California employers, but this should be a reminder for ALL businesses to confirm they are in compliance with the CCPA if it applies to their business.

Businesses that have implemented CCPA compliance programs should evaluate whether they have met certain requirements, such as:

  • Issuing or updating privacy notices to job applicants and employees, and addressing applicant and HR data;
  • Updating any procedures or policies related to consumer requests to be sure that employees are included, and training HR professionals regarding the handling of those requests;
  • Reviewing and potentially revising data deletion and retention policies, given the broad access rights for employees and the associated compliance costs and risks; and
  • Conducting assessments pertaining to the business’ use of “sensitive personal information” (as defined by the CCPA) to support reliance on exceptions and offering opt-out rights to employees where required.

Note that the CCPA applies to for-profit entities that do business in California and have annual gross revenues over $25 million. If you have not yet assessed the applicability of the CCPA and issued an employee notice of collection, now is the time.

A plan for an enforcement program under the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) (collectively CCPA) is on its way from the California Privacy Protection Agency (CPPA). Despite a recent court ruling that the enforcement of some of the amendments under the CPRA cannot begin until March 2024, last week the CPPA revealed three key areas of its enforcement focus. While the CPPA is still in the process of building and hiring the enforcement team, the agency indicated that despite the court ruling it will still begin enforcing the underlying statute and previous regulations this year. The CPPA Deputy Director of Enforcement, Michael Macko, said, “There’s no vacation here from enforcement. When we find violations, we will take aggressive action to protect the public.”

The CPPA will focus its efforts on three areas of enforcement:

  1. privacy notices and policies;
  2. consumers’ right to delete personal information; and
  3. the handling and implementation of consumer requests.

Deputy Director Macko also said, “We expect vigorous enforcement over the coming year, and by March 2024, we would expect to see robust compliance with the entire set of regulations.” The CPPA will be reviewing companies’ privacy policies to see if what they say they are doing matches what they are actually doing. The agency views non-compliance with a company’s own privacy policy as likely to lead to other issues of non-compliance, such as not respecting consumers’ privacy rights. Since the consumer right to delete their data is “well-established” and “long-standing,” this will be a focus for enforcement. Another area under scrutiny is proper notification of consumers’ right to opt-out of the sale of their data. Deputy Director Macko added in his statement that companies that implement smooth experiences for consumers exercising their rights will more likely be found in compliance.

The CPPA will consider many factors in determining which violations to pursue such as the severity of the harm to consumers, good-faith efforts to comply, and the company’s size and resources. However, incidents that involve children, older adults, marginalized communities, and other vulnerable populations will receive special scrutiny and focus.

One of the ways in which the CPPA will find potential violations will be through its new consumer complaint system. So far, 13 complaints have been submitted via this system. While this statement from the CPPA is certainly helpful guidance for companies struggling with CCPA compliance issues, there are still some unanswered questions. Companies still do not know how fines per number of violations will be calculated or the process for the agency to coordinate with the state attorney general to request an injunction against a business. Next steps for your business: get ready and make sure you are in compliance.

The Office of the California Attorney General recently announced that it will initiate an investigative sweep and will start sending letters to businesses about their mobile apps for failure to comply with the California Consumer Privacy Act (CCPA). There is also a new online tool that allows consumers to directly notify a business of an alleged CCPA violation, so we may see an influx of direct-from-consumer complaints.

The Attorney General’s office will focus its investigation on popular apps in the retail, travel, and food services industries. The goal is to determine whether these apps are complying with consumer opt-out and “do not sell or share” requests under the CCPA. The investigation will also focus on the apps’ failures to process consumer requests submitted through an authorized agent under the CCPA. For example, Consumer Reports’ app, Permission Slip, acts as an authorized agent for consumers to submit requests under the CCPA, such as opt-outs and deletion requests.

Attorney General Rob Bonta said in the office’s recent press release, “[B]usinesses must honor Californians’ right to opt out and delete personal information, including when those requests are made through an authorized agent. [The] sweep also focuses on mobile app compliance with the CCPA, particularly given the wide array of sensitive information that these apps can access from our phones and other mobile devices. I urge the tech industry to innovate for good — including developing and adopting user-enabled global privacy controls for mobile operating systems that allow consumers to stop apps from selling their data.” Businesses that are subject to the CCPA – and the newly effective amendments under the California Privacy Rights Act (CPRA) – should continue to update and implement their policies, procedures, and processes to ensure compliance with the requirements of these regulations and to hopefully avoid being caught up in this investigative sweep.