The California Attorney General recently announced an initiative to investigate employers’ non-compliance with the California Consumer Privacy Act/California Privacy Rights Act (collectively the CCPA).

At the beginning of this year, the CCPA’s disclosure requirements and consumer rights provisions became applicable to job applicants, employees (and their beneficiaries), and independent contractors. Now, the California AG’s office has started to send out inquiry letters to California employers requesting information about their CCPA compliance. This is a big step forward for enforcement under the CCPA, and this initiative focuses on employee data. The initial set of inquiry letters has gone out to large California employers, but this should be a reminder for ALL businesses to confirm they are in compliance with the CCPA if it applies to their business.

Businesses that have implemented CCPA compliance programs should evaluate whether they have met certain requirements, such as:

  • Issuing or updating privacy notices to job applicants and employees, and addressing applicant and HR data;
  • Updating any procedures or policies related to consumer requests to be sure that employees are included, and training HR professionals regarding the handling of those requests;
  • Reviewing and potentially revising data deletion and retention policies, given the broad access rights afforded to employees and the associated compliance costs and risks; and
  • Conducting assessments pertaining to the business’ use of “sensitive personal information” (as defined by the CCPA) to support reliance on exceptions and offering opt-out rights to employees where required.

Note that the CCPA applies to for-profit entities that do business in California and have annual gross revenues over $25 million. If you have not yet assessed the applicability of the CCPA and issued an employee notice of collection, now is the time.

A plan for an enforcement program under the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) (collectively CCPA) is on its way from the California Privacy Protection Agency (CPPA). Despite a recent court ruling that the enforcement of some of the amendments under the CPRA cannot begin until March 2024, last week the CPPA revealed three key areas of its enforcement focus. While the CPPA is still in the process of building and hiring the enforcement team, the agency indicated that despite the court ruling it will still begin enforcing the underlying statute and previous regulations this year. The CPPA Deputy Director of Enforcement, Michael Macko, said, “There’s no vacation here from enforcement. When we find violations, we will take aggressive action to protect the public.”

The CPPA will focus its efforts on three areas of enforcement:

  1. privacy notices and policies;
  2. consumers’ right to delete personal information; and
  3. the handling and implementation of consumer requests.

Deputy Director Macko also said, “We expect vigorous enforcement over the coming year, and by March 2024, we would expect to see robust compliance with the entire set of regulations.” The CPPA will be reviewing companies’ privacy policies to see if what they say they are doing matches what they are actually doing. The agency sees non-compliance with a company’s own privacy policy as likely to lead to other issues of non-compliance, such as not respecting consumers’ privacy rights. Since the consumer right to delete their data is “well-established” and “long-standing,” this will be a focus for enforcement. Another area under scrutiny is proper notification of consumers’ right to opt out of the sale of their data. Deputy Director Macko added in his statement that companies that implement smooth experiences for consumers exercising their rights will more likely be found in compliance.

The CPPA will consider many factors in determining which violations to pursue such as the severity of the harm to consumers, good-faith efforts to comply, and the company’s size and resources. However, incidents that involve children, older adults, marginalized communities, and other vulnerable populations will receive special scrutiny and focus.

One of the ways in which the CPPA will find potential violations will be through its new consumer complaint system. So far, 13 complaints have been submitted via this system. While this statement from the CPPA is certainly helpful guidance for companies struggling with CCPA compliance issues, there are still some unanswered questions. Companies still do not know how fines per number of violations will be calculated or the process for the agency to coordinate with the state attorney general to request an injunction against a business. Next steps for your business: get ready and make sure you are in compliance.

The Office of the California Attorney General recently announced that it will initiate an investigative sweep and will start sending letters to businesses about their mobile apps for failure to comply with the California Consumer Privacy Act (CCPA). There is also a new online tool that allows consumers to directly notify a business of an alleged CCPA violation, so we may see an influx of direct-from-consumer complaints.

The Attorney General’s office will focus its investigation on popular apps in the retail, travel, and food services industries. The goal is to determine whether these apps are complying with consumer opt-out and “do not sell or share” requests under the CCPA. The investigation will also focus on apps’ failures to process consumer requests submitted through an authorized agent under the CCPA. For example, Consumer Reports’ app, Permission Slip, acts as an authorized agent for consumers to submit requests under the CCPA such as opt-outs and deletion requests.

Attorney General Rob Bonta said in the office’s recent press release, “[B]usinesses must honor Californians’ right to opt out and delete personal information, including when those requests are made through an authorized agent. [The] sweep also focuses on mobile app compliance with the CCPA, particularly given the wide array of sensitive information that these apps can access from our phones and other mobile devices. I urge the tech industry to innovate for good — including developing and adopting user-enabled global privacy controls for mobile operating systems that allow consumers to stop apps from selling their data.” Businesses that are subject to the CCPA – and the newly effective amendments under the California Privacy Rights Act (CPRA) – should continue to update and implement their policies, procedures, and processes to ensure compliance with the requirements of these regulations and to hopefully avoid being caught up in this investigative sweep.

A class action lawsuit, Seirafi et al v. Samsung Electronics America, Inc., Case 4:22-cv-05176-KAW, filed recently in the Northern District of California, alleges that Samsung’s unnecessary personal information collection, and failure to secure that information, violate the California Consumer Privacy Act (CCPA). This lawsuit was inspired by two recent data breaches that allegedly included personal data of American users. The plaintiffs go beyond the facts of the breaches, though, to allege that Samsung should never have collected that information in the first place.

The California Consumer Privacy Act provides: “A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.” According to the plaintiffs, Samsung acted unreasonably by requiring them to register accounts to use smart televisions and other devices. If this theory succeeds, tech companies could find that locking devices behind online registration is more risk than it’s worth.

In the first of its kind under the California Consumer Privacy Act (CCPA), Sephora settled an enforcement action with the California Attorney General for violation of the CCPA. Sephora must pay $1.2 million in penalties and implement a CCPA compliance program. The enforcement action alleged that Sephora permitted third parties to create customer profiles, including details such as the brand of a customer’s laptop or the concealer and eyeliner they use, for targeted advertising without consumer knowledge or consent.

Sephora must inform customers in California that it sells their personal data, including their location and items in their online shopping cart, and let them opt out of a sale of that information if they choose to do so.

Attorney General Rob Bonta said in the office’s public statement, “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. . . My office is watching, and we will hold you accountable.” This should be a reminder for companies to determine if the CCPA applies to them and get their processes in place before the AG’s office comes knocking on their door, too.

California Attorney General Rob Bonta is serious about compliance with the California Consumer Privacy Act (CCPA). So serious, that on January 28, 2022, also known as Data Privacy Day, he announced that his office was commencing an investigative “sweep” of “businesses operating loyalty programs in California” and sent notices of noncompliance to businesses requiring them to cure within thirty days.

According to the AG’s press release, “Under the CCPA, businesses that offer financial incentives, such as discounts, free items, or other rewards, in exchange for personal information must provide consumers with a notice of financial incentive. This notice must clearly describe the material terms of the financial incentive program to the consumer before they opt into the program.” Although the AG did not reveal how many letters were issued, he did say that letters were sent “to major corporations in the retail, home improvement, travel, and food services industries.”

The timing of the issuance of the letters appears to be no coincidence. The AG stated, “On Data Privacy Day, we’re issuing notices to business that operate loyalty programs and use personal information in violation of California’s data privacy law. I urge all businesses in California to take note and be transparent about how you’re using your customer’s data. My office continues to fight to protect consumer privacy, and we will enforce the law.”

Warnings from a regulator are words to follow closely. If you offer a loyalty program, these words from the enforcer of the CCPA are clear and strong. If you haven’t implemented a CCPA compliance program, there is no better time than now.

This is the time of year for thought pieces reflecting on the past year or so to speculate on the hot topics for next year. I began to wonder about California Consumer Privacy Act (CCPA) enforcement actions over the past year as this was something that we speculated about not that long ago. The California Attorney General’s office has been busy and has even posted a list on its website of 27 examples of recent California Consumer Privacy Act enforcement actions.

The most common violation on the list is that a company’s privacy policy was non-compliant with CCPA requirements. Of the 27 cases cited, at least 16 had some form of privacy policy violation. Some of the privacy policies failed to provide consumers with the required CCPA rights, failed to state whether the company sold personal information, or failed to provide a method for consumers to submit requests about their data. Other violations included failure to provide notice to consumers of opt-out processes and the failure to include a “Do Not Sell My Personal Information” link. One company even tried to charge consumers for making CCPA requests.

All the cases cited appear to have begun with consumer complaints that resulted in a notice of alleged non-compliance. That notice provided the companies the opportunity to correct their deficiencies. In one privacy policy violation, the company updated its privacy policy in response to a complaint that it failed to provide notice of the required CCPA consumer rights and also failed to state whether it had sold personal information within the past 12 months. The company updated its privacy policy; however, the revised policy was “not easy to read or understandable to the average consumer, e.g. contained unnecessary legal jargon.” The company received a second notice of non-compliance and then revised its privacy policy accordingly.

Enforcement actions will no doubt continue in 2022, but the lesson learned from 2021 is that for companies that must comply with CCPA, having a CCPA-compliant privacy policy will be a great way to start the new year.

Blackbaud, which suffered a data breach of its customers’ data in a ransomware attack in 2020, in which it admitted paying the ransom in a double extortion attack, is facing multiple class action cases following the attack. The cases have been consolidated in multi-district litigation and now comprise 29 cases.

The federal judge overseeing the cases has refused to dismiss all of the claims that the plaintiffs alleged against Blackbaud, and ruled that Blackbaud must face claims of violation of the California Consumer Privacy Act (CCPA), deceptive and unfair trade practice allegations made by Florida and New York plaintiffs, and a separate claim by a California plaintiff alleging the compromise of medical information.

The judge declared that the plaintiffs had sufficiently alleged that Blackbaud was a “business” as that term is defined in CCPA partly because Blackbaud was a registered data broker in the state of California.

The judge did dismiss several state statutory claims that had been made by the plaintiffs. We will continue to watch this case and Blackbaud’s defenses to the CCPA claims.

The California Attorney General recently approved modified regulations under the California Consumer Privacy Act (CCPA). One part of the modified regulations bans “dark patterns” on a website. What are dark patterns? Public comments to the proposed regulations describe dark patterns as deliberate attempts to subvert or impair a consumer’s choice to opt-out on a website. Dark patterns could be used on a website to confuse or distract a consumer into granting knowing consent instead of choosing the opt-out option.

The modified regulations therefore ban the use of dark patterns that:

  • Use an opt-out request process that requires more steps than the process for a consumer to opt back into the sale of personal information after previously opting out;
  • Use confusing language (e.g., double-negatives, “Don’t Not Sell My Personal Information”);
  • Require consumers to click through or listen to unnecessary reasons why they should not submit a request to opt-out before confirming their request;
  • Require a consumer to provide personal information that is unnecessary to implement an opt-out request; or
  • Require a consumer to search or scroll through the text of a website or privacy policy to submit the opt-out request after clicking the “Do Not Sell My Personal Information” link (but before actually choosing the option).

If your website uses any such dark patterns you may wish to revise those mechanisms and implement clearer, more transparent methods for your website’s users to opt-out.

Gardiner v. Walmart provided some guidance as to the specificity required to state a claim under the California Consumer Privacy Act (CCPA) and the types of damages that may be recoverable for breaches of California consumer data. On July 10, 2020, Lavarious Gardiner filed a proposed class action against Walmart, alleging that unauthorized individuals accessed his personal information through Walmart’s website. Although Walmart never disclosed the alleged breach or provided any formal notification to consumers (and maintains that no breach occurred), Gardiner claimed that he discovered his personal information on the dark web and was told by hackers that the information came from his Walmart online account. He also claims that by using cybersecurity scan software he discovered many vulnerabilities on Walmart’s website.

Gardiner claimed Walmart violated the CCPA and California’s Unfair Competition Law. In response, Walmart filed a motion to dismiss, which was granted on March 5, 2021 (of note – with leave to amend). While Gardiner has now amended his complaint, the court’s ruling on Walmart’s motion to dismiss addresses some important points related to data breach class actions, including:

  • The complaint MUST state when the alleged breach occurred. Gardiner had only alleged that his information was on the dark web, not when the breach actually occurred. The court also stated that for purposes of a CCPA claim, the relevant conduct is the actual data breach resulting from a “failure to implement and maintain reasonable security procedures and practices.” This means that the breach must have occurred on or after January 1, 2020, the effective date of the CCPA.
  • The complaint must sufficiently allege disclosure of personal information. Gardiner had only alleged that his credit card number was disclosed, but had not alleged that his 3-digit access code was affected.
  • Plaintiff’s damages arising from a data breach MUST not be speculative; this is common across courts that dismiss class action data breach suits. Here, Gardiner had not alleged that he incurred any fraudulent charges or suffered any identity theft or other harm.

The court also dismissed Gardiner’s unfair competition claims that were based on a benefit of the bargain theory.

The court also addressed the disclaimers in Walmart’s privacy policy. Walmart argued that Gardiner’s contract-based claims were barred by its website Terms of Use, which included a warranty disclaimer and limitation of liability for data breaches. The court said that the limitation of liability was clear and emphasized with capitalization, which put Gardiner on notice of its contents. This is an important part of the decision for ANY company with an online presence: a company’s website Privacy Policy and Terms of Use could be the final line of defense.

Gardiner has since amended his complaint. Whether the amendments will avoid another motion to dismiss is unknown. Still, this decision provides valuable insight for claims made under the CCPA and important lessons about website Privacy Policies and Terms of Use.