First CCPA Settlement Announced

King & Spalding

On August 24, the California Attorney General (“AG”) announced its first enforcement settlement under the California Consumer Privacy Act (“CCPA”). The $1.2M fine with an international retailer settled claims that the retailer did not disclose the sale of personal information to consumers and did not honor consumers’ requests to opt out of the sale of personal information that were transmitted to the retailer via a Global Privacy Control (“GPC”) signal.

The enforcement confirms the AG’s position that targeted advertising—sometimes referred to as cross-contextual advertising or behavioral advertising—constitutes a “sale” of personal information under the CCPA. As explained in the AG press release, retailers “benefit in kind” from targeted advertising arrangements because retailers can “more effectively target potential customers.” The AG alleged that by making personal information available to third parties and receiving the benefit of targeted ads, the retailer was “selling” personal information and should have disclosed this sale of personal information in its privacy policy (and the corresponding right to opt out of such sales).

Advertising cookies were not the only tracking technology scrutinized by the AG. According to the complaint, the retailer’s use of “one widely-used analytics and advertising software package” constituted a sale, both as it pertains to the “trade of personal information for analytics and the trade of personal information for an advertising option.” The complaint did not name the cookie provider and suggested that a compliant service provider contract could have addressed the situation, such that the exchange of personal information would not be considered a sale.

The AG also asserted that the retailer failed to honor consumers’ GPC signal requests to opt out of the sale of their personal information. GPC signals are automatically transmitted by the consumer, typically through a browser extension that the consumer independently downloads and installs. According to the complaint, the AG used commercially available browser extensions to monitor what happened when a user visited the retailer’s website with and without GPC signals enabled. The AG found that “activating the GPC had no effect and that data continued to flow to third-party companies, including advertising and analytics providers.” Subsequent investigation confirmed that the retailer was not acting on these signals, thus violating the CCPA.

GPC signals did not appear in the statutory text of the CCPA as it was originally enacted. However, the current CCPA regulations introduced the term as a valid means of exercising opt-out requests, stating that “businesses shall treat user-enabled global privacy controls . . . that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request [to opt the consumer out of the sale of personal information] for that browser or device, or, if known, for the consumer.”

As part of the settlement, the retailer must amend its privacy policy to clarify that it sells personal information and provide mechanisms for consumers to opt out of the sale, including via GPC signal. Additionally, the retailer must provide reports to the AG for the next two years detailing its compliance efforts, including the retailer’s testing of GPC functionality as well as details on all data-sharing relationships.

This CCPA enforcement action offers several lessons to other businesses. First, the AG takes seriously CCPA’s current obligations pertaining to GPC signals as a means to communicate requests to opt out of the sale of personal information. These obligations will likely become more onerous once the California Privacy Rights Act (“CPRA”) amendments become effective on January 1, 2023. The current CPRA draft regulations do not address the technical specifications to accommodate GPC signals, but nonetheless, the draft regulations expand businesses’ obligations to “known” consumers and generally specify that GPC signals override the consumer’s business-specific privacy choices.

Second, California regulators appear highly concerned with targeted advertising, or as they describe it, “commercial surveillance.” Thus, businesses must be mindful of third-party cookies and tracking technologies, specifically those used for targeted advertising and data analytics. As covered in earlier articles, CPRA expands the contractual requirements for all data-sharing relationships, with more restrictive contracts required for “service providers” as opposed to “third parties.”

Third, the privacy policy is not the only place where businesses display their state of CCPA compliance. Tech-savvy users and regulators can use widely available cookie scanning tools to externally assess and reveal tracking technologies that are enabled on any website. Coupled with the fact that after January 1, 2023, entities may no longer expect 30 days’ written notice before an enforcement action, businesses should consider prioritizing their digital environment for CPRA compliance.
