States are weighing in on whether grocery stores, hotel chains, and retailers should be using personal consumer information such as “browsing history” and “location data” to decide what price you see, when someone else might see something different. Pioneering this inquiry is California, approaching this individualized pricing as a potential privacy problem. At the end of last month, California Attorney General Rob Bonta announced an “investigative sweep” into businesses’ use of personal data to set individualized prices, warning that “surveillance pricing” may violate the California Consumer Privacy Act (CCPA). The inquiry is aimed at companies in the retail, grocery, and hotel sectors, focusing on how they use data like “shopping and internet browsing history, location, demographics, and other data” to price goods and services.

Attorney General Bonta is also asking about the surrounding governance: what businesses disclose, what “pricing experiments” they run, and how they ensure compliance with “algorithmic pricing, competition, and civil rights laws.” The core consumer-facing concern is “whether businesses are charging people different prices for the same good or service.”

Not everyone agrees that states should police this through disclosure requirements. The National Retail Federation sued New York Attorney General Letitia James over the state’s algorithmic pricing disclosure law, arguing it violates the First Amendment. The trade group’s concern is that even when consumers “know” pricing is personalized through loyalty programs, companies may still be compelled to display a disclosure that personal data was used to set the price “based on an algorithm.” California may see similar complaints and arguments.

States seem to be moving from theory to enforcement and mandates. Companies will need to respond by reassessing loyalty programs, discount targeting, and other data-driven pricing strategies for regulatory risk.

The California Consumer Privacy Act (CCPA), as amended and effective January 1, 2026, brings the most detailed and sweeping changes since the law’s introduction. If you do business in California or handle Californians’ personal information, here’s what your company must know, and do, to avoid compliance risks.

Expanded Privacy Policy and Disclosure Requirements

The updated regulations demand detailed transparency:

  • Expanded Privacy Policy: Companies must now include highly specific disclosures in their privacy policies, such as: categories of both personal and sensitive personal information collected, sources, purposes, retention periods and criteria, categories of third parties, business purposes, Automated Decision-Making Technology (ADMT) uses, and all consumer rights (including the new ADMT rights and the right to limit sensitive personal information use).
  • Notice at Collection: Must be given at or before the point of personal information collection, describing categories of personal information or sensitive personal information, purposes, whether info is sold and/or shared, retention schedule or criteria, and a link to your privacy policy. This applies online and offline.
  • Special Notices: Additional notices are required if you sell and/or share personal information (“Do Not Sell or Share” hyperlink), use and/or disclose sensitive personal information for non-exempt reasons (“Limit the Use” hyperlink), or offer financial incentives.

The New “Alternative Opt-Out Link”

  • Instead of posting both a “Do Not Sell or Share My Personal Information” link and a “Limit the Use of My Sensitive Personal Information” link, you may use one consolidated link, “Your Privacy Choices” or “Your California Privacy Choices,” with an approved opt-out icon in your website or mobile app’s header or footer.
  • Clicking this consolidated link must bring consumers to a page explaining both the right to opt-out of sale and/or sharing and the right to limit sensitive personal information use, with simple, interactive tools to exercise both rights.
  • This option improves usability but does not exempt you from processing Global Privacy Control (GPC) or opt-out preference signals.
  • All online mechanisms must be easy, accessible, and avoid “dark patterns” (i.e., cannot use manipulative or confusing user interfaces).
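One way to wire the opt-out preference signal requirement into a site's own opt-out handling, as an added example that is not code from the original post or from any company named on the page. It assumes lowercased request headers (as Node's http module provides) and a Map standing in for the preference store, and it also folds in the under-16 affirmative-consent rule that the enforcement actions later on the page describe.

```javascript
// Added example, not code from the original post or any named company.
// Assumed inputs: a plain object of lowercased request headers, a Map used as a
// stand-in preference store, and an optional under-16 flag on the user record.

const GPC_HEADER = 'sec-gpc'; // header name defined by the Global Privacy Control spec

// The GPC spec defines a single valid value, "1"; anything else is not a signal.
function gpcSignalPresent(headers) {
  const value = (headers || {})[GPC_HEADER];
  return typeof value === 'string' && value.trim() === '1';
}

// Persist a GPC signal as an opt-out of sale/sharing for a recognised (logged-in)
// user so the choice follows the account across channels (web, mobile, TV app)
// rather than living only in one browser's cookie jar. No confirmation step is
// required: the signal is itself the request.
function recordOptOutFromSignal(store, userId, headers) {
  if (!userId || !gpcSignalPresent(headers)) return false;
  const existing = store.get(userId) || {};
  store.set(userId, { ...existing, optOutSaleShare: true, source: 'gpc' });
  return true;
}

// Decide whether this request's data may be sold or shared with third parties.
// Returns { allowed, reason } so the reason can be logged for audit purposes.
// Order matters: the under-16 rule needs opt-in consent and is checked first;
// then the live browser signal; then the opt-out already on file for the account.
function resolveSharingDecision({ headers, store, userId, under16, affirmativeConsent }) {
  if (under16 && !affirmativeConsent) {
    return { allowed: false, reason: 'under-16 without affirmative opt-in consent' };
  }
  if (gpcSignalPresent(headers)) {
    return { allowed: false, reason: 'Global Privacy Control signal' };
  }
  const pref = userId && store ? store.get(userId) : undefined;
  if (pref && pref.optOutSaleShare) {
    return { allowed: false, reason: `stored opt-out (${pref.source})` };
  }
  return { allowed: true, reason: 'no opt-out on record' };
}

// Walk-through on constructed inputs: a GPC-enabled browser opts the account
// out once, and a later request from a client that sends no signal (e.g. a TV
// app) is still treated as opted out because the choice was stored.
function demo() {
  const store = new Map();
  const gpcHeaders = { 'user-agent': 'constructed-browser', 'sec-gpc': '1' };
  recordOptOutFromSignal(store, 'user-42', gpcHeaders);
  return resolveSharingDecision({ headers: {}, store, userId: 'user-42' });
}
```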

ADMT: New Rights, Notices, and Risk Assessments

If your company uses ADMT, including profiling for significant decisions (e.g., employment, lending, housing, education, or healthcare), be aware of the following:

  • Pre-use Notice: You must give affected consumers a special “Pre-Use Notice” at or before the point of collection for any personal information used in ADMT, explaining the logic, output, opt-out/right to access, non-retaliation, and alternatives if the consumer opts out.
  • Opt-out and Access Rights: Consumers can request to opt out of ADMT (unless you use an approved human review process) or request detailed information about how ADMT impacted their case; this includes details about the logic, parameters, outputs, and any human involvement in the decision.
  • Risk Assessment: You must conduct and submit to the California Privacy Protection Agency (CPPA) thorough risk assessments before using ADMT for significant decisions or processing sensitive personal information for profiling, with stakeholder involvement, documentation, and periodic review.
  • Deadlines: Existing uses of ADMT must be compliant by January 1, 2027.

Cybersecurity Audits and Written Security Programs

  • Mandatory Security Programs: All businesses collecting personal information must maintain “reasonable security procedures and practices.” The 2026 regulations require written technical and organizational security controls, including multi-factor authentication, access controls, inventorying, vendor management, and regular testing.
  • Annual Independent Cybersecurity Audits: Businesses meeting specific thresholds (by size or risk) must undergo independent cybersecurity audits (internal or external) covering all technical, administrative, and organizational security measures, with a formal report and executive certifications submitted to the CPPA.
  • Retention and Executive Certification: Audit reports must be kept for five years. Annual, signed executive certification of audit completion is due to the CPPA by April 1.

Data Minimization, Purpose Limitation, and Record-Keeping

  • Data Minimization: You may only collect, use, retain or share the minimum personal information or sensitive personal information that is reasonably necessary and proportionate to the specific, disclosed purposes. You must justify and document all purposes and retention periods.
  • Comprehensive Record-Keeping: Retain records of consumer rights requests and your responses for at least 24 months. Very large businesses (i.e., those that collect the personal information of 10 million or more consumers per year) must publish annual request metrics.

New Consumer Request Channels and Requirements

  • Multiple Request Methods Required: Most businesses must provide at least two methods for submitting requests to know, delete, correct, opt-out, and (if applicable) opt-out of ADMT or to limit sensitive personal information use, including a toll-free number and online mechanism.
  • Strict Deadlines: Confirm all rights requests within 10 business days, and fulfill fully within 45 calendar days (up to 90 additional days, if necessary, with notice).
  • Verification and Transparency: All verification processes must be documented, proportionate, and not impose undue burden; special rules apply for ADMT access requests.

Service Provider and Third-Party Contracts

  • Required Contract Provisions: Contracts with service providers, contractors, and third parties must meet detailed new standards: specific purposes (not generic), privacy obligations, no use for other purposes, full cooperation with your cybersecurity audits and risk assessments, and must ensure pass-down of these obligations to any subcontractors.

Training and Large-Scale Metrics

  • Annual Training: Everyone who handles consumer requests or privacy compliance must receive up-to-date training on the regulations and the requirements.
  • Annual Metrics (for companies that collect 10 million or more consumers’ personal information): Large companies must publish the prior year’s statistics on requests to know, delete, correct, access ADMT, opt-out, limit sensitive personal information, and how fast they responded.

What Should Organizations Do Now?

The updates are coming and it’s time to act. Here’s what you can do:

  • Audit All Notices and Privacy Policy: Review and update all consumer-facing notices and your website Privacy Policy to confirm compliance with all new content, accessibility, language, and user-experience requirements.
  • Review Data Practices: Re-assess why you collect, use, share, or retain any category of personal information or sensitive personal information and update documentation.
  • Implement “Your Privacy Choices” Landing Page (if using consolidated link).
  • Assess Use of Automated Decision-Making: Update processes and prepare to provide new notices, risk assessments, opt-out, and access rights if ADMT is used for significant decisions.
  • Formalize Your Security and Compliance Program: Write and maintain new audit, training, and record policies; ensure vendor contracts will meet all regulatory requirements.

2026 is the year comprehensive, user-focused, and risk-aware privacy compliance becomes mandatory in California. Review your policies, tech, staff, and contracts; change is here, and the enforcement authority now has greater resources and reach than ever before.

The California Attorney General (CA AG) has again made waves in the privacy world, this time with a settlement requiring Sling TV to pay a $530,000 fine and make significant operational changes due to alleged violations of the California Consumer Privacy Act (CCPA) and Unfair Competition Law (UCL). This case signals an increase in CCPA enforcement and a clear mandate for companies: If you haven’t revisited your CCPA program lately, now is the time.

The Sling TV resolution is just the latest example of the CA AG pushing for aggressive interpretations and implementations of the CCPA. Essential takeaways include:

  • Demand for “One-Click” Opt-Outs: The CA AG expects companies to provide consumers with direct, frictionless controls to opt out of sales and sharing of their personal information across all channels, including websites, mobile, and TV apps;
  • Crackdown on Market Practices: Many compliance methods that have become standard practice, like cookie-only preference centers or requiring consumers to confirm opt-out requests, are now actively discouraged or seen as insufficient; and
  • Heightened Children’s Privacy Enforcement: With lots of scrutiny on how companies treat the data of consumers under 16, the CA AG continues to make children’s privacy an enforcement priority.

The CA AG alleged multiple CCPA and UCL violations by Sling TV, with a focus on “Do Not Sell or Share” compliance and children’s privacy:

  • Fragmented Opt-Out Mechanisms: Sling TV required consumers to use two different methods to opt out of sales and sharing, a cookie preference center for cookies, and a separate webform for other data. The CA AG found this “bifurcated” approach inconsistent with the CCPA’s requirements;
  • Barriers for Logged-In Users: Customers who were already logged in had to re-enter their information in a webform to make opt-out requests, instead of Sling TV using existing account details to facilitate the process;
  • No In-App Opt-Outs: Consumers using the TV app (the primary way most people access Sling TV) were not offered an in-app opt-out. Instead, they were sent to a website, which did not cover in-app sales or sharing; and
  • Children’s Data Sold Without Opt-In Consent: Sling TV allegedly collected and shared (or sold) personal information of children under 16 without obtaining the required parental or age-appropriate consent.

As a result of the settlement, Sling TV agreed to:

  • Provide Easy, Universal Opt-Outs: Implement a clear, prominent, and user-friendly opt-out mechanism on all digital properties (i.e., website, mobile app, and TV app);
  • Click-to-Opt-Out for Logged-In Users: Allow logged-in customers to opt out with a single click or link, using data already on file;
  • In-App Opt-Outs: Incorporate a seamless opt-out process directly within the TV app;
  • Better Children’s Data Controls: Allow parents to designate user profiles as a kid’s profile, defaulting to the highest privacy protections (no sale/sharing, no targeted advertising); and
  • Delete Existing Children’s Data: Remove personal data of children known to be under 16 collected without proper consent.

The CA AG’s stance is clear: companies must move beyond the bare minimum. Here’s how your organization can stay ahead:

  • Minimize Barriers to Opting Out: Use a single, simple method for consumers to opt out of all sales and sharing of information, covering all data types and channels (not just cookies);
  • Streamline For Logged-In Users: Don’t make logged-in users re-identify themselves; leverage information you already have to honor requests easily;
  • Opt-Outs Where Consumers Interact: Provide opt-out mechanisms on every platform selling or sharing consumer data (i.e., apps, websites, and any other channels);
  • Prioritize Children’s Privacy: Audit your children’s privacy practices now. Age verification, opt-in requirements, and data deletion protocols must be robust and ready for new regulations; and
  • Plan for Development Time: Many of these changes require technical adjustments that can take months. Start planning and implementing now to avoid future enforcement actions.

The Sling TV case is a wake-up call: CCPA compliance isn’t static, and the CA AG is enforcing the letter and spirit of the law more aggressively than ever. Companies should conduct a comprehensive privacy compliance review and look for ways to make consumer rights not just technically available, but truly easy to exercise.

Jam City, Inc., a prominent mobile gaming company behind popular franchises such as Harry Potter and Frozen, has agreed to pay $1.4 million in civil penalties to resolve allegations that it violated the California Consumer Privacy Act (CCPA) by failing to provide adequate privacy opt-out mechanisms for its users. This resolution, announced by California Attorney General Rob Bonta, marks the second-largest CCPA enforcement penalty in the state’s history.

According to the complaint, here are the key allegations against Jam City:

  1. Failure to Offer In-App Opt-Outs for Data Sale/Sharing
    • The complaint alleges that Jam City develops free-to-play mobile games that earn revenue by sharing user data for advertising, but did not include required opt-out links or settings in any of its 21 mobile apps. Only one app had a nominal “Data Privacy” control, which was described as unclear and noncompliant with CCPA requirements.
  2. Sale and Sharing of Minors’ Data Without Affirmative Consent
    • Jam City’s games use “age gates” to identify users under 16, in line with CCPA protections for minors. However, the complaint alleges that for six of its games, Jam City only provided enhanced child privacy protections for users under 13, and failed to implement opt-in consent requirements for teens between 13 and 16, resulting in inappropriate sharing or sale of their data.

The suit sought injunctions and penalties under the CCPA (Civil Code §§ 1798.100 et seq.) for both general privacy failings and specific violations relating to minors (§ 1798.120 and associated regulations). Jam City was additionally accused of engaging in unfair competition under California’s Business and Professions Code § 17200. The state requested statutory damages of up to $2,663 per CCPA violation (or $7,988 for intentional or minor-related violations) and $2,500 per violation under the unfair competition statute.

The key settlement terms included the following:

  • Monetary Penalty: Jam City will pay $1.4 million in civil penalties, one of the largest CCPA settlements to date.
  • Privacy Practice Changes: The company must implement clear and accessible opt-out mechanisms for data sale and sharing across all of its apps and platforms.
  • Special Protections for Children’s Data: Jam City must not sell or share data from users under 16 without affirmative consent. The complaint highlights the significance of compliance for users between ages 13 and 16, not just those under 13.
  • Compliance Obligations: The settlement mandates robust compliance training and periodic public reporting of CCPA measures for oversight.

The Jam City case is a stark reminder that:

  • CCPA opt-out rights must be readily accessible and actionable within mobile apps, not just via privacy policies or external links.
  • Businesses must vigilantly comply with enhanced CCPA protections for minors, especially for teens aged 13 to 16.
  • California regulators are willing to pursue substantial penalties and broad injunctive relief for noncompliance.

As privacy litigation intensifies in California, companies operating websites and engaging in online marketing must be aware of the major legal risks and compliance strategies shaping digital business today. Below, I examine:

  • The surge in California Invasion of Privacy Act (CIPA) lawsuits targeting website tracking technologies;
  • Telephone Consumer Protection Act (TCPA) risks in digital marketing;
  • Key California Consumer Privacy Act (CCPA) compliance and litigation trends; and
  • The vital role of arbitration clauses and class action waivers in website Terms of Use.

CIPA and Website Tracker Claims

CIPA (Cal. Penal Code §§ 630-638) prohibits certain forms of wiretapping and eavesdropping on “confidential communications” without the consent of all parties. Recently, plaintiffs’ law firms have targeted website operators for:

  • Use of session replay tools that record user interactions for analytics;
  • Chatbots and third-party customer service widgets embedding code on websites; and
  • Allegedly “intercepting” or “eavesdropping” on website visitors’ communications.

CIPA permits statutory damages of $5,000 per violation, making claims lucrative for class actions. Multiple federal courts have declined to dismiss claims stemming from websites using third-party tracking scripts that record or transmit user communications. Companies should:

  • Assess all scripts and tracking tools on their sites, especially those relaying data to third parties;
  • Update privacy disclosures and obtain explicit user consent where required; and
  • Consider disabling or modifying session replay technologies for California visitors.

TCPA Risks in Digital Marketing

The TCPA, 47 U.S.C. § 227, restricts telemarketing and the use of automated technologies (including text messages and pre-recorded voice messages) to contact consumers.

Website operators face TCPA risks when:

  • Collecting contact information for promotional texting, calling, or robodialing; and
  • Using pre-checked boxes or ambiguous consent language in lead forms.

The TCPA imposes statutory damages of $500 to $1,500 per violation, encouraging class-action litigation. To reduce risk:

  • Collect prior express written consent using clear, conspicuous language;
  • Maintain robust records of consent; and
  • Regularly review marketing workflows for TCPA compliance.

CCPA: Compliance and Litigation

The CCPA and its amendment (the California Privacy Rights Act) have created sweeping privacy rights for California residents, including:

  • The right to know, delete, and opt-out of the sale/sharing of personal information; and
  • Strict notice and transparency requirements for data practices.

Recent CCPA class actions have focused on alleged “sales” or “sharing” of personal data via analytics/ad tech scripts, and on disclosures deemed incomplete.

Best practices for CCPA compliance:

  • Implement and maintain Do Not Sell/Share links or toggles on websites;
  • Provide accurate, up-to-date privacy notices;
  • Carefully vet all service provider and third-party data-sharing relationships; and
  • Promptly respond to access and deletion requests.

Including Arbitration and Class Action Waiver in Website Terms

Given the surge of privacy-related class actions, it is crucial to implement arbitration agreements and class action waivers in your website’s Terms of Use:

  • Arbitration clauses require disputes to be resolved in private arbitration, which is typically quicker and less costly than court; and
  • Class action waivers prevent users from aggregating claims into costly class actions.

California’s evolving privacy landscape poses major compliance and litigation risks for digital businesses. Proactive steps such as auditing website tracking, securing proper marketing consents, ensuring airtight CCPA compliance, and embedding robust dispute resolution clauses, are critical defenses against costly class actions.

Mergers and acquisitions (M&A) can be transformative, but hidden compliance risks, especially regarding privacy and data protection, often lurk beneath the surface. In California, strict laws like the California Consumer Privacy Act (CCPA) and the California Invasion of Privacy Act (CIPA) are being aggressively enforced through litigation. Plaintiffs’ firms are increasingly targeting companies whose websites use certain technologies (e.g., chatbots, session replay, cookies) that may run afoul of CIPA and CCPA, potentially resulting in significant liability for acquirers post-close.

Whether you are buying or selling a company, it’s crucial to address these privacy issues early in your M&A process.

For Buyers: Ask the Right Questions—Don’t Buy Liability

Due diligence is the buyer’s opportunity to identify and mitigate risks before finalizing a deal. To avoid inheriting a ticking privacy time bomb, buyers should:

  • Incorporate Specific Privacy Diligence Questions
    • Is the target’s website CIPA and CCPA compliant?
    • Are visitors notified about the collection and sharing of personal information (including IP addresses, chat transcripts, session replays, cookies, etc.)?
    • Has the target ever received any demand letters, lawsuits, or regulatory notices relating to CCPA or CIPA compliance?
    • What third-party technologies (e.g., session replay, analytics, advertising plugins) are used on the website? Are vendor agreements in place, and do they address privacy?
  • Review Web and App Technology
    • Inventory all tracking, chat, and recording technologies on the website.
    • Ensure required consents/disclosures are in place (pop-ups, banners, disclosures in privacy policy).
  • Assess the Cost of Remediation
    • If gaps are found, estimate the financial, operational, and reputational impact of bringing the website into compliance.
    • Negotiate indemnity, escrow, or purchase price adjustments as appropriate.

For Sellers: Shore Up Compliance Before Negotiations

Unless you address privacy gaps first, buyers will discover them, which can delay the deal, reduce the sale price, or create hard questions post-close. Sellers should:

  • Audit the Website Now
    • Identify all data collection, tracking, chat, or recording technologies.
    • Engage privacy counsel or consultants to flag CCPA/CIPA compliance issues.
  • Update Documentation and Policies
    • Ensure your privacy policy, cookie disclosures, and consent mechanisms are current and legally sufficient for California and other relevant jurisdictions.
  • Remediate High-Risk Practices
    • Disable or properly disclose any session replay or “trap-and-trace” technologies.
    • Review agreements with vendors that process web visitor data.
  • Document Your Compliance Efforts
    • Maintain records of your investigation and remediation steps.
    • Be transparent with buyers; proactive efforts can build trust and defend your valuation.

Website privacy litigation isn’t going away, and regulatory scrutiny will only increase. For buyers, robust due diligence can prevent expensive surprises shortly after closing. For sellers, fixing compliance weaknesses before sale preserves deal value and speeds up negotiations. In every M&A involving a consumer-facing website or app, CIPA and CCPA compliance must be an explicit part of diligence. Ask the right questions, address vulnerabilities, and avoid inheriting (or passing along) privacy liabilities that could haunt both parties for years to come.

On July 24, 2025, during a public meeting following public comment, the California Privacy Protection Agency (CPPA) Board unanimously approved amendments to the California Consumer Privacy Act (CCPA). These substantial changes include new obligations for businesses subject to the CCPA. Significantly, the updates emphasize the CPPA’s new regulatory focus on AI decision-making and cybersecurity in addition to privacy. In addition, the CPPA opted to open the Delete Request and Opt-Out Platform (DROP) regulations for further public comment on its proposed changes. Below is a summary of the key updates:

Automated Decisionmaking Technology

  • ADMT Defined – The updates provide a new regulatory focus on automated decisionmaking technology (ADMT), which is defined as “any technology that processes personal information and uses computation to replace human decisionmaking or substantially replace human decisionmaking.” This definition does not cover when such automated technology is used to assist in, but not to entirely substitute, human decisionmaking.
  • Consumer Rights – Under the new ADMT provisions, businesses must inform consumers of their opt-out and access rights with respect to the business’s use of ADMT to make any significant decisions about the consumer. “Significant decisions” are defined as decisions related to financial or lending services, housing, education opportunities, employment opportunities, or healthcare services.
  • Pre-Use Notice – Businesses must also provide pre-use notices regarding the use of ADMT. These notices should explain what the ADMT does, consumer rights related to opt-out and access, and a detailed description of how the ADMT works to make a significant decision about the consumer.

Annual Cybersecurity Audits

The CCPA final text introduces an annual cybersecurity audit requirement for businesses that meet a certain threshold. Businesses will be required to conduct annual, independent cybersecurity audits to assess how their cybersecurity program protects consumer personal information from unauthorized access and disclosure. Businesses are required to submit a certificate of completion to the CPPA annually.

  • Audit Components – Components of a cybersecurity program that fall into the audit’s scope include the business’s cybersecurity measures such as authentication, access controls, inventory management, secure hardware and software configurations, network monitoring, and cybersecurity education. The report must outline, in detail, gaps or weaknesses in the organization’s policies or cybersecurity program components that the auditor deemed to increase the risk of unauthorized access or activity.
  • Impartiality Requirement – Audits must be performed by an independent and qualified professional. If the auditor is internal to the business, the CCPA requires specific measures to be put in place to ensure the auditor’s impartiality and objectivity.
  • Repurposing Audits – A cybersecurity audit used for another purpose, such as an audit that uses the NIST Cybersecurity Framework 2.0, may be used for this audit purpose, provided that it meets all of the requirements outlined in the CCPA.
  • Compliance Timeline – The timeline for completion of the initial cybersecurity audit depends on the business’s revenue for the previous years. All businesses must complete this audit by April 1, 2030, but some will be required to do so by April 1, 2028, depending on annual income.

Pre-Processing Risk Assessments

Under the new regulations, any business that poses a significant risk to consumers’ privacy in processing personal information must conduct a risk assessment before initiating that processing. The goal of a risk assessment is to restrict or prohibit the processing of personal information if the resulting privacy risks to the consumer outweigh the benefits to the business and other stakeholders. Risk assessments must be reviewed and updated once every three years. If there is a material change in processing activity, a business must update its risk assessment as soon as possible, but no later than 45 calendar days from the change.

  • Broad Definition of Significant Risk – The CCPA outlines several activities that are deemed to present significant risk, including selling or sharing personal information and processing sensitive personal information. This is an expansive definition, because most businesses share personal information with third parties.
  • Risk Assessment Components – Risk assessments must document a business’s purpose for processing consumer personal information and the benefits to the organization of that processing. Risk assessments must also document the categories of information to be processed. In addition, the risk assessment must also consider the negative impacts of processing to consumers’ privacy. The business must further identify safeguards it plans to implement for the processing, such as encryption and privacy-enhancing technologies.
  • Compliance Timeline – For risk assessments conducted in 2026 and 2027, businesses must submit an attestation to the CPPA by April 1, 2028. The individual submitting the risk assessment attestation must be a member of the business’s executive management team who is directly responsible for, and has sufficient knowledge of, the business’s risk assessment compliance. Risk assessments must be maintained for as long as the processing continues or five years after completion, whichever is later, and available for inspection by CPPA or the Attorney General.

Insurance

The final CCPA changes also include clarification of the law’s application to insurance companies. Insurers are required to comply with the CCPA for personal information collected outside of an insurance transaction. The final text provides an example whereby if an insurance company collects personal information of website visitors who have not applied for any insurance product or service to tailor personalized advertisements to those users, the insurer must comply with the CCPA with respect to that information. Since most websites use tracking technologies, insurance companies should assess their compliance with the CCPA promptly.

Recommended Next Steps

The California Office of Administrative Law (OAL) still needs to review and approve these changes. OAL has 30 business days after receiving the final text from the CPPA to do so. However, many industry experts expect that the OAL will make only minor, if any, changes. Businesses should expect the OAL to approve most of this final text. The regulations take effect in 2027, so preparation for these new compliance obligations should be a top priority. The CPPA’s next meeting is September 26, 2025, where it is expected to present its annual enforcement report and priorities.

The California Consumer Privacy Protection Agency (CPPA) Board issued a stipulated final order against Todd Snyder, Inc., a clothing retailer based in New York, requiring the company to pay a $345,178 fine and update its privacy program to settle allegations that it violated the California Consumer Privacy Act (CCPA). Specifically, Todd Snyder must update its methods for submitting and fulfilling privacy requests and provide training to its staff about CCPA requirements. Todd Snyder is also required to maintain a contract management and tracking process so that required CCPA contractual terms are included in contracts with third parties with access to or receipt of personal information.

The CPPA alleged that Todd Snyder violated the CCPA as follows:

  • Its consumer privacy rights request process collected much more information than necessary to fulfill privacy requests. Specifically, the privacy portal on Todd Snyder’s website used by consumers to submit privacy rights requests required consumers to provide their first and last name, email, country of residence, and a photograph of the consumer holding the consumer’s “identity document” (such as a driver’s license or passport, which is considered “sensitive information” under the CCPA), regardless of the type of privacy request. That sensitive information is unnecessary to exercise a request to opt out of the sale and/or sharing of personal information.
  • It failed to oversee and properly configure its third-party consumer privacy request portal for 40 days. The Todd Snyder website uses third-party tracking technologies, including cookies, pixels, and other trackers that automatically send data about consumers’ online behavior to third-party companies for analytics and behavioral advertising. The CPPA alleges that the opt-out mechanism on the website was not properly configured for a 40-day period. During that period, if the consumer clicked on the cookie preferences link on the website, a pop-up appeared but then immediately disappeared, making it impossible for the consumer to opt out of the sale or sharing of their personal information.

The lesson here is that a company cannot pass on its privacy compliance obligations to a third-party privacy management platform; the company itself is responsible for the functionality of such platforms. Michael Macko, head of the CPPA’s Enforcement Division, stated in a press release, “Using a consent management platform doesn’t get you off the hook for compliance [. . .] the buck stops with the businesses.” Your company cannot rely on its third-party privacy management platform for compliance and expect no accountability in the event of non-compliance; you must conduct due diligence and validate that the operation is functioning and compliant with CCPA requirements.

This is likely only the start of the CPPA’s enforcement sweep. The time is now—assess your CCPA compliance program and processes, and ensure they are up to par.
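The Todd Snyder allegations above turn on trackers that kept sending data while the opt-out mechanism was broken. As an added example (not the CPPA’s, Todd Snyder’s or any vendor’s code), the Node script below audits a DevTools-style capture of a test session for requests to tracker hosts made after the consumer’s opt-out; the tracker host list, timestamps and request entries are all constructed for the example.

```javascript
// Added example, not code from the original post: audit a captured browser
// session for third-party tracker requests that keep firing after the
// consumer submitted an opt-out of sale/sharing. Entries mirror the HAR
// "entries" shape exported by browser DevTools; hosts and data are constructed.

// Hypothetical classification of third-party hosts seen on the site (assumption).
const TRACKER_HOSTS = new Set([
  "pixel.ads-example.net",
  "collect.analytics-example.com",
]);

// Constructed capture: the consumer clicks "Reject All" at OPT_OUT_AT.
const OPT_OUT_AT = "2025-09-01T10:00:01.000Z";
const SAMPLE_ENTRIES = [
  { startedDateTime: "2025-09-01T10:00:00.500Z", request: { url: "https://www.shop-example.com/" } },
  { startedDateTime: "2025-09-01T10:00:00.900Z", request: { url: "https://pixel.ads-example.net/p?e=pv" } },
  { startedDateTime: "2025-09-01T10:00:02.000Z", request: { url: "https://collect.analytics-example.com/g?uid=abc" } },
  { startedDateTime: "2025-09-01T10:00:03.000Z", request: { url: "https://www.shop-example.com/api/cart" } },
];

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return ""; }
}

// Returns every request to a tracker host made at or after the opt-out timestamp.
function findLeaks(entries, optOutAt, trackers = TRACKER_HOSTS) {
  const cutoff = Date.parse(optOutAt);
  return entries
    .filter((e) => Date.parse(e.startedDateTime) >= cutoff)
    .map((e) => ({ at: e.startedDateTime, host: hostOf(e.request.url), url: e.request.url }))
    .filter((r) => trackers.has(r.host));
}

// Aggregates leaks per host so the report can be checked against the vendor contract list.
function leakReport(entries, optOutAt, trackers = TRACKER_HOSTS) {
  const byHost = {};
  for (const leak of findLeaks(entries, optOutAt, trackers)) {
    byHost[leak.host] = (byHost[leak.host] || 0) + 1;
  }
  return { compliant: Object.keys(byHost).length === 0, byHost };
}

const report = leakReport(SAMPLE_ENTRIES, OPT_OUT_AT);
console.log(JSON.stringify(report)); // one host still firing after the opt-out
```

Run the same check against captures taken after each consent-platform update; a non-empty `byHost` is the signal that the opt-out is not actually being honored.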

Last week, the California Privacy Protection Agency (CPPA) settled its first non-data broker enforcement action against American Honda Motor Co. for a $632,500 fine and the implementation of certain remedial actions.

The CPPA alleged that Honda violated the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively the CCPA) by:

  1. Requiring consumers to provide more information than necessary to exercise their rights under the CCPA. When submitting a request, a consumer is required by Honda’s webform to provide their first name, last name, address, city, state, zip code, email, and phone number. The CPPA alleged that this violated the CCPA by requiring a higher level of verification than required for an opt-out or to limit the use of certain information requests.
  2. Requiring consumers to directly confirm that they have permitted another individual to act as their authorized agent to submit a request to opt-out or limit use. While a company may request written documentation indicating that an individual is an authorized agent for a consumer, a company may not require a consumer to directly confirm that they have provided the permission; companies may only contact consumers directly for requests to know, access, and correct.
  3. Failing to implement a cookie management tool that provides symmetrical choice when a consumer submits requests to opt-out of sale and/or sharing and consents to the use of their personal information. The CPPA alleged that Honda’s website automatically allows cookies by default. To turn off advertising cookies, the user must toggle a button next to “Advertising Cookies” and then click “Confirm my Choices,” but to opt back into advertising cookies, the consumer only needs to press one button. The CPPA alleges that by providing one step to opt-in but two steps to opt-out, Honda did not provide equal or symmetrical choices as the CCPA requires.
  4. Failing to execute written contracts with third-party advertising companies with whom it sold, shared, and/or disclosed consumer personal information. The CPPA alleged that Honda failed to execute CCPA-compliant agreements with the third-party cookie providers it uses on its website and that it sells, shares, and/or discloses personal information for advertising and marketing across different websites.

To resolve the allegations, Honda agreed to:

  • Implement a new and simpler process for Californians to assert their privacy rights
  • Update its cookie preference tool to include a “Reject All” button in addition to the “Accept All” button
  • Separate the methods for submitting requests to opt-out and limit the use of certain information from other rights under the CCPA
  • Train its employees
  • Consult a user experience designer to evaluate its methods for submitting privacy requests

The CPPA supported the settlement amount by calling out the number of consumers whose rights were implicated by some of Honda’s practices, which emphasizes that the CPPA will determine a fine on a per-violation basis. If your company hasn’t done so already, be sure to update your CCPA compliance program and dot the i’s and cross the t’s when it comes to your website’s privacy policy regarding cookie preferences and third-party advertisers.

The California Privacy Protection Agency (CPPA), the agency responsible for implementing and enforcing the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) (collectively the CCPA), protecting consumer privacy, and ensuring compliance with data privacy regulations, has announced an investigative sweep into companies’ collection of sensitive location data. The CPPA has already sent out inquiries to “advertising networks, mobile app providers, and data brokers that appear to be in violation” of the CCPA.

California Attorney General Rob Bonta said, “Every day, we give off a steady stream of data that broadcasts not only who we are, but where we go. This location data is deeply personal, can let anyone know if you visit a health clinic or hospital, and can identify your everyday habits and movements.” The CPPA is concerned that this sensitive location data will be used to target vulnerable populations. The CPPA urges businesses to take responsibility as stewards of this sensitive data seriously and affirmatively protect location data.

The CPPA’s investigation will focus on how companies are informing consumers about their right to opt out of the sale and sharing of their data (as required under the CCPA), including geolocation data and other types of personal information collected by businesses. Additionally, the CPPA will investigate how companies actually apply this opt-out requirement when a consumer asserts that right.

If your company hasn’t assessed its opt-out processes and procedures lately, now is the time to confirm that consumers are clearly notified of this right and that they can readily opt out of such tracking and collection and of the subsequent sale and/or sharing of that data with third parties.