Overview of California AG’s Examples of CCPA Non-Compliance


The California Office of Attorney General (OAG) is responsible for enforcing the CCPA and began sending notifications of alleged non-compliance to companies on July 1, 2020.

Almost a year later, in June of 2021, the OAG released 27 illustrative examples of alleged non-compliance and the actions taken by each company to respond to the non-compliance. For instance, one of the examples involved a social media company’s untimely response to CCPA consumer requests. The OAG wrote, “A business that operates a social media app was not timely responding to CCPA requests to know and delete personal information, and users complained that they were not receiving notice that their CCPA requests had been received or effectuated. After being notified of alleged non-compliance, the business responded to the outstanding requests. The business also updated its CCPA response system to ensure that future requests would be acknowledged and responded to in a timely manner.”

It is our understanding that the OAG sent hundreds of letters of non-compliance to companies over the last 15 months and that the 27 examples are meant to be illustrative of situations in which it sent a notice of non-compliance. Once a company is notified of alleged non-compliance, it has 30 days to address (or cure) that non-compliance. We also understand that, as of this writing, each business that received a notice has taken steps to cure the alleged violation(s), and as a result, the OAG has not yet assessed penalties.

In January 2023, the 30-day right to cure will sunset when the California Privacy Rights Act (CPRA) takes effect.

In July of 2021, the OAG also launched a tool for consumers to lodge complaints. Right now, the tool is limited to drafting notices to businesses that do not post an easy-to-find “Do Not Sell My Personal Information” link on their website. The OAG collects the information provided in the tool to assist it in investigating and enforcing the law; a submitted complaint may prompt a demand to cure and may start the 30-day cure clock. The OAG’s guidance notes on the tool include tips on how the OAG may evaluate a company’s privacy notice for non-compliance, specifically if that company takes the position that it does not sell personal information.

Initial Observations of California AG’s Examples of CCPA Non-Compliance:

  • The 27 total examples of non-compliance included the following industries:
    • Data Broker (3)
    • Grocery Retailer (3)
    • Social Media (3)
    • Video Game (2)
    • Online Event Sales (2)
    • Automotive
    • Children's Toy Distributor
    • Consumer Electronics
    • Digital Experiences Partnerships
    • Digital Media
    • Education Technology
    • Email Subscription Platform
    • Mass Media and Entertainment
    • Online Advertising
    • Online Clothing Retailer
    • Online Dating
    • Online Marketing Services
    • Online Platform (Classified Ads)
    • Pet Industry
  • Companies in the business of buying and selling personal data, or that share data or permit others to collect data in connection with interest-based advertising, were prevalent throughout the examples (Data Broker, Social Media, Online Event Sales, Online Advertising, and Online Marketing).
  • Companies collecting and processing minors' data and/or other sensitive data (geolocation) were also highlighted (Video Gaming, Children’s Toy Distributor, Children’s Events, Geolocation Data Broker, and Education Technology).
  • Other companies that process personal data still need to comply with the CCPA: the OAG also included the Automotive, Consumer Electronics, Grocery Store, Clothing Retailer, and Pet industries in its examples.

In August, Ankura reviewed the 27 narrative case examples to identify enforcement trends and guide companies on where to focus their compliance efforts. Ankura identified 64 discrete non-compliant actions across the examples and grouped results into 16 categories of alleged non-compliance. A summary of the quantitative analysis can be found here: Top CCPA Non-Compliance Actions.

Key takeaways include:

  1. the California AG is reviewing a variety of companies across many industries;
  2. privacy notices must include required information on consumers’ rights and instructions for an authorized agent;
  3. privacy notices should include a toll-free number as a method of Do Not Sell opt-out for companies that do not operate exclusively online;
  4. companies should execute on consumers’ rights in a clear and timely fashion; and
  5. companies must properly address Do Not Sell My Personal Information (Do Not Sell) requirements.

We recently conducted a webinar titled “Key Learnings from the California AG’s Examples of CCPA Non-Compliance.” You can find the recording here or download the presentation here. During the webinar, we stepped through six examples of non-compliance and provided guidance on practical steps organizations can take to avoid hearing from the California AG.

During the webinar, we discussed key requirements of the CCPA relating to privacy notice disclosures, consumers’ rights, and Do Not Sell requirements. We also reviewed more nuanced obligations around honoring Global Privacy Control (GPC) signals, financial incentive disclosures, the sale of minors’ data, and whether cookies are considered a sale of data. Lastly, we shared steps companies can take to prepare for the California Privacy Rights Act (CPRA), Virginia’s Consumer Data Protection Act (CDPA), and the Colorado Privacy Act (CPA), which all take effect in January of 2023. Companies will need to be prepared for additional requirements relating to employees’ rights, additional consumers’ rights, purpose and proportionality limitations, and data retention period disclosures.

Companies can prioritize remediating the gaps in their privacy programs that were highlighted in the OAG’s examples of non-compliance. Once those gaps are addressed, companies can focus on the additional requirements that go into effect in 2023. If your company does not have an updated data inventory (covering sensitive data, profiling, and cross-context behavioral advertising), an operationalized Data Privacy Impact Assessment (DPIA) process, or a Document Retention Policy and Schedule, you should consider starting soon, as these can take six months to a year to put into place. The best strategy for companies is to plan ahead by considering these additional requirements in their overall privacy roadmap.

1. https://oag.ca.gov/privacy/ccpa/enforcement

2. https://oag.ca.gov/privacy/ccpa/enforcement

3. https://www.caprivacy.org/annotated-cpra-text-with-ccpa-changes/

4. For more information, see our article titled “Hidden tips related to ‘Do Not Sell’ in the CA AG’s Online Consumer Privacy Tool.”

Written by:

Ankura