Since its enactment just over a year ago, some companies have struggled to interpret the California Consumer Privacy Act (CCPA) and the circumstances that might subject them to penalties and fines for violations. In an effort to inform the marketplace and minimize uncertainties, the office of the California attorney general (OAG) recently published examples of companies who received a notice for alleged non-compliance, along with the steps taken by each company in response.
Ankura reviewed the 27 narrative case examples to identify enforcement trends and guide companies on where to focus their compliance efforts. Ankura identified 64 discrete non-compliant actions across the examples and grouped results into 16 categories of alleged non-compliance in the below table:
|
Table 1 – Summary of California AG's CCPA Non-Compliance Actions
|
|
ID
|
Description of Non-Compliance
|
Frequency (#)
|
Frequency (%)
|
|
1
|
Missing Method to Submit Requests or Missing Proper Instructions Related to Consumer Rights
|
15
|
23%
|
|
2
|
Missing Reference to Sale Position (e.g., "No knowledge of sales in prior 12 months")
|
9
|
14%
|
|
3
|
Missing Do Not Sell My Personal Information Link or Opt-Out Process
|
9
|
14%
|
|
4
|
Missing Pre-Collection Notice at Point of Collection
|
8
|
13%
|
|
5
|
Missing Consumer Rights Instructions Regarding Discrimination
|
4
|
6%
|
|
6
|
Privacy Notice or Opt Out Process was Difficult to Understand and Needed Revisions
|
3
|
5%
|
|
7
|
Missing Identification in Notice as Being a Service Provider
|
3
|
5%
|
|
8
|
Missing Service Provider Clauses in Contract
|
2
|
3%
|
|
9
|
Missing Categorical Information Related Personal Information Disclosures
|
2
|
3%
|
|
10
|
Missing Notice Requirements for Minors and/or Obtaining Parental Consent
|
2
|
3%
|
|
11
|
Missing Instructions for Authorized Agents
|
2
|
3%
|
|
12
|
Invalid Consent Mechanism for Sharing Personal Information
|
1
|
2%
|
|
13
|
Missing Notice Disclosure About What was Sold
|
1
|
2%
|
|
14
|
Not Responding to Requests in a Timely Manner
|
1
|
2%
|
|
15
|
Missing Notice of Financial Incentive
|
1
|
2%
|
|
16
|
Global Privacy Control (GPC) not Functioning
|
1
|
2%
|
|
|
Total
|
64
|
100%
|
Key Takeaways:
Privacy Notices Must Include Information on Consumer's Rights: Non-compliance allegations relating to consumer's rights were most common. Businesses received notices from the OAG for privacy notices that were missing instructions on specific consumer rights as well as methods for submitting consumer requests. The CCPA regulations are very prescriptive in terms of the information that should be included in the consumer rights section of a CCPA pre-collection notice. Additional areas of non-compliance allegations included privacy notices that were missing:
- instructions for an authorized agent;
- the consumer's right to protection from discrimination; and
- inclusion of a toll-free phone number.
In one example, the OAG wrote about how it received complaints from the public, which confirms that that OAG is taking action based on targeted complaints.
Companies must properly address Do Not Sell My Personal Information (Do Not Sell) requirements: Alleged non-compliance related to Do Not Sell is common within the OAG's examples. In fact, if we combine Do Not Sell topics such as missing references to the business' position on the sale of data, missing the Do Not Sell link on the website, and missing service provider clauses in contracts, then the sale of personal information is the most frequently cited area of non-compliance. This makes sense, given the sale of data is also the most complex topic of the CCPA for businesses to identify and solve for.
Grocery Store Retailers Process Personal Information: Three of the 27 examples of non-compliance include grocery store retailers. We typically don't associate the collection of personal information with grocery stores (although we probably should). The non-compliance topics cited in these examples include:
- lack of information in privacy notice relating to financial incentives for consumers participating in their loyalty program;
- lack of guidance in privacy notice about how authorized agents may submit CCPA requests on behalf of consumers; and
- insufficient information in privacy notice relating to consumer's rights.
