[co-author: Yarazel Mejorado]
The California attorney general has created a tool for consumers to report situations where companies sell information but do not have an opt-out of sale link on their website. The release of the tool came at the same time as the AG’s update on its CCPA enforcement actions. In that update, the AG highlighted one of the most common problems it had found: not having appropriate disclosures around “sales.”
Under CCPA, companies (for whom the law applies) must indicate if they do or do not sell information, as that term is defined. If a company does sell information it needs to provide individuals with the ability to opt out of such sales. Failure to comply with this requirement of CCPA carries no private right of action. Instead, after being notified of noncompliance, a company has 30 days to cure. If the company fails to do so, the AG may bring action.
The advent of this tool creates an interesting wrinkle to the 30 day period. Using the tool, individuals can create a “notice of noncompliance to send” to businesses they believe are not complying with the do-not-sell provisions of CCPA. According to the AG, the notice a consumer sends “may satisfy [the 30 day notice] prerequisite.” If a business does not cure a violation then the consumer is directed to report the issue to the AG.
For now, the tool only allows consumers to notify of do-not-sell concerns. The AG has signaled that it may update the tool to allow for consumers to submit notices about other issues. If the AG report on enforcement actions gives any direction, those other issues might be lack of required disclosures in privacy policies, not giving people a way to exercise rights, or not telling people about whether information was (or was not) sold. All three of these, according to the report, were common areas of non-compliance.
Putting it Into Practice: Business subject to CCPA should be on the lookout for potential notices generated by this tool. The suggested subject line generated by the tool is “Notice of Noncompliance with the California Consumer Privacy Act (CCPA).” The consumer is not given instructions about what point of contact to use with the company. It may thus be useful to train those who monitor the most common entry points such as general “help” or “info” email addresses on how to handle these notices, as well as to work with the CEO or President (to whom the form notice is drafted) and those who monitor that email address (if others do monitor it).