CCPA Financial Sanctions: Four Takeaways From California AG’s $1.2 Million Enforcement Action That Should Inform Your Compliance Strategy | Kilpatrick Townsend & Stockton LLP

We warned you last summer that enforcement of the California Consumer Privacy Act (“CCPA”) was intensifying. The California Attorney General (“CAG”) has now announced a settlement with cosmetics retailer Sephora that, among other terms, requires Sephora to pay $1.2 million in penalties. The enforcement action and settlement were based primarily on Sephora’s failure to post a “Do Not Sell My Personal Information” link, to honor Global Privacy Control (“GPC”) opt-out signals sent by the browser, and to adequately describe the relevant sales of personal information in its privacy policy.

This CAG action provides a glimpse into the future of CCPA enforcement, even as the law is slated for a statutory and regulatory update next year. The CAG press release summarizing the settlement is available here.

1. CAG enforcement is set to continue.

Although California’s new privacy agency, the California Privacy Protection Agency (“CPPA”), also has CCPA enforcement authority, the CAG appears determined to keep enforcing the law, consistent with its own statutory authority. Signaling that enforcement may only escalate, the CAG reiterated that “[t]here are no more excuses” for a company’s failure to comply with the law (notwithstanding regulations that continue to change substantially and remain unsettled). Given the talk of a potential federal law that would preempt most of the CCPA, the CAG was also likely sending a signal that a vigorously enforced California privacy law has value and should not be replaced.

Businesses should also take note of the CAG’s treatment of the CCPA’s notice and cure period, under which businesses currently have 30 days to cure alleged CCPA violations before an enforcement action is brought. The cure period becomes discretionary as of January 2023, and the CAG highlighted the expiration of the cure period in its Sephora settlement press release, likely signaling that the CAG will choose not to offer a cure period from next year onward.

2. Responding to the GPC is mandatory.

The settlement reflects the CAG’s view that treating a GPC signal as a request to opt out of “sales” is a mandatory element of CCPA compliance. The CAG described user-enabled privacy controls as a game-changer for consumers, and expects companies to treat them like any other opt-out request. Significantly, this position appears to align with the CPPA’s view that honoring the GPC will remain mandatory when the California Privacy Rights Act (the “CPRA”) amends the CCPA next year. Companies (and, if applicable, their privacy vendors) should immediately operationalize the processing of GPC signals as Do Not Sell requests, at least at the browser level.
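As an added illustration (not code from the original article, from Sephora or from the CAG), the following Python shows one way a site can operationalize the GPC at the browser level on the server side: recognize the `Sec-GPC: 1` request header defined by the GPC specification, treat it the same way as a click on the “Do Not Sell” link by suppressing tags that transmit personal information to ad-tech partners, persist the preference, and publish the specification’s `/.well-known/gpc.json` declaration. The tag names, the cookie name and the dict-based request representation are assumptions made for the example.

```python
"""Honoring a Global Privacy Control (GPC) signal server-side.

Added example, not code from the original article, Sephora or the CAG.
Assumptions: the request is modelled as a dict of headers plus a dict of
cookies; the tag names and cookie name below are hypothetical.
"""
import json
from dataclasses import dataclass, field

# Hypothetical tags that send personal information to ad-tech partners and so
# may constitute a "sale" (or, under the CPRA, "sharing") of personal information.
SALE_TAGS = {"adnetwork.js", "retargeting-pixel.js"}
# Hypothetical tags that stay first-party (assumed not to be a sale).
FIRST_PARTY_TAGS = {"analytics-first-party.js"}
OPT_OUT_COOKIE = "ccpa_opt_out"  # hypothetical cookie that persists the opt-out


def gpc_signal_present(headers):
    """Return True if the request carries a valid GPC opt-out signal.

    The GPC specification has the user agent send the request header
    `Sec-GPC: 1`. Header names are case-insensitive, and any value other
    than exactly "1" (e.g. "0", "true", "") is not an opt-out signal.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass
class OptOutDecision:
    opted_out: bool
    source: str                          # "gpc", "cookie" or "none"
    tags_to_render: set = field(default_factory=set)
    set_cookie: dict = field(default_factory=dict)


def decide_opt_out(headers, cookies):
    """Combine the browser signal with a previously stored preference.

    Design choice (an assumption of this example): a GPC signal is treated
    exactly like a click on the "Do Not Sell My Personal Information" link.
    It suppresses sale tags on this response and persists the opt-out in a
    cookie, so later requests from the same browser are handled consistently
    even if the header is absent. A stored opt-out is never overridden by the
    mere absence of the header.
    """
    if gpc_signal_present(headers):
        return OptOutDecision(
            opted_out=True, source="gpc",
            tags_to_render=set(FIRST_PARTY_TAGS),
            set_cookie={OPT_OUT_COOKIE: "1"},
        )
    if cookies.get(OPT_OUT_COOKIE) == "1":
        return OptOutDecision(opted_out=True, source="cookie",
                              tags_to_render=set(FIRST_PARTY_TAGS))
    return OptOutDecision(opted_out=False, source="none",
                          tags_to_render=FIRST_PARTY_TAGS | SALE_TAGS)


def well_known_gpc(last_update):
    """Body for GET /.well-known/gpc.json, the resource the GPC specification
    defines for a site to declare that it honors the signal."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("Browser sending GPC", {"Host": "shop.example", "Sec-GPC": "1"}, {}),
        ("Return visit, no header", {"Host": "shop.example"}, {OPT_OUT_COOKIE: "1"}),
        ("Bogus header value", {"Host": "shop.example", "sec-gpc": "true"}, {}),
    ]
    for label, headers, cookies in samples:
        d = decide_opt_out(headers, cookies)
        print(f"{label:24} opted_out={d.opted_out} source={d.source} "
              f"tags={sorted(d.tags_to_render)}")
    print(well_known_gpc("2022-09-01"))
```

The server-side check only governs what the server renders; for tags injected client-side (for example by a tag manager), the complementary check is the `navigator.globalPrivacyControl` property the GPC specification exposes to page scripts, which should gate the same set of sale tags. Whatever mechanism is used, the key design point is that the signal must be honored on the very response that carries it, not only after a later consent dialog.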

3. CAG priorities remain consistent.

CAG enforcement priorities do not appear to have changed since last summer. Along with the announcement of the settlement, the CAG released information about a sweep of loyalty programs (available here) and new enforcement case examples (available here). Loyalty programs, which can constitute a “financial incentive” under the CCPA, and consumers’ right to opt out of “sales” have been a particular focus of the CAG since at least last summer.

The CAG’s focus on financial incentives may stem from a belief that the personal information collected through these programs is worth more than the corresponding discounts offered to consumers. Companies with loyalty programs should mitigate this risk by disclosing, in at least reasonable detail, how any discount offered to consumers under a loyalty program is reasonably related to the value the company obtains from collecting the consumer’s personal information.

In light of the CAG’s activity, companies would be well advised to review their websites and online trackers for CCPA compliance. The CAG and the CPPA continue to promulgate regulations and take enforcement action regarding consumers’ right to opt out of sales in the context of online advertising and tracking. Such a focus is interesting for several reasons. First, the very broad interpretation of “sale” adopted by the CAG seems to render largely redundant the forthcoming right of consumers to opt out of “sharing” (disclosure for cross-context behavioral advertising purposes). Second, the CCPA’s concept of “selling” is not limited to online tracking, but the CAG has a much easier time inspecting a website for “online” selling than gathering information about a business’s back-end data flows (i.e., offline sales). Third, many companies rely on service provider relationships to exclude (at least some) online tracking from the scope of “sales,” yet the CAG complaint notes that Sephora had not entered into “valid” service provider agreements. Because customers of online tracking vendors are often required to sign the vendor’s own paperwork, consider reviewing those agreements against the CCPA’s service provider requirements in light of the Sephora settlement.

4. Write your privacy policy as if the CAG is going to read it.

The CAG reads your privacy policy, so write it accordingly. The Sephora complaint contains detailed descriptions of Sephora’s privacy policy, covering not just the text of the policy but also how a user navigates to and through it. Recent CAG enforcement case summaries likewise tend to include notes about errors in the company’s privacy policy. Overall, companies should ensure that (i) their privacy policies comply with the detailed substantive requirements set out in the regulations and (ii) navigating the policy is a seamless user experience (e.g., no broken or circular links).

California continues to lead the way in US privacy law. It is therefore essential to review your existing privacy program to ensure that it is ready for further regulatory scrutiny.