Key takeaways
- Confirm that privacy policies accurately reflect how companies process personal information, and verify that consumer request / opt-out practices are clearly disclosed and have been tested to ensure functionality.
- Ensure that company processes for honoring requests for access, deletion and correction of consumers’ personal information align with the applicable regulations, and implement and test systems to confirm that they work.
- Test whether sites are responding to global privacy control / opt-out preference signals.
It’s 2024 and the California Privacy Protection Agency (CPPA) and California Attorney General’s Office haven’t skipped a beat in investigating potential non-compliance with the California Consumer Privacy Act (CCPA). The California AG’s Office recently celebrated Data Privacy Day by announcing an investigative sweep focused on streaming services’ compliance with opt-out requirements under which consumers may “opt out” of any practice by such businesses to sell or share consumers’ personal information.
Prior CCPA investigative sweeps have focused on loyalty programs, mobile applications, employee data, and recognition of global privacy control (GPC) signals, also now known as opt-out preference signals (OOPS).
The AG’s announcement is just the start of what some anticipate will be a busy enforcement year for privacy compliance. Given the broad scope of the AG’s efforts, is there anything that companies can do proactively? The answer is yes. To help focus compliance efforts, it’s possible to glean insights about future enforcement priorities from prior enforcement actions, as well as from the CPPA’s and AG’s public comments.
Lessons learned from public statements and past enforcement actions
Both the CPPA and the AG can pursue enforcement under the CCPA. The AG’s Office also has available to it other causes of action, such as claims under the California Unfair Competition Law. Thus, it is important to review activity from both agencies in assessing future risk.
The following brief enforcement timeline may provide a useful starting point:
In various public comments, including at the CPPA’s July 2023 board meeting, the agency has outlined several enforcement priorities, namely:
- (1) privacy policy and notice compliance, including ensuring accuracy in the description of privacy practices;
- (2) compliance with and implementation of the right to delete; and
- (3) honoring consumer requests, including how such requests are effectuated and whether consumers face barriers in exercising their rights.
CPPA enforcement is also likely to prioritize matters involving vulnerable communities, such as children, the elderly, or marginalized communities susceptible to privacy violations. Based on comments during the CPPA’s July 2023 meeting, in deciding whether to pursue a matter, the agency may consider “the overall circumstances of the case,” which, in our experience, suggests that the enforcement division will weigh the following factors, among others:
- (1) harm to consumers;
- (2) the nature and severity of the harm;
- (3) the business’ ability to comply with the law and good-faith efforts in compliance; and
- (4) the size and resources of the business.
These priorities are also reflected in the AG’s past enforcement of the CCPA, and companies can look at prior enforcement actions and case examples for how the AG’s Office interprets CCPA obligations, gleaning lessons for potential future enforcement. We previously summarized these in depth in October 2022 and August 2021.
What to expect
Enforcement has focused on six broad issues, which we expect will continue to dominate the enforcement landscape into 2024:
Failure to provide or honor opt-out of sale/sharing requests
The majority of AG enforcement actions concern companies’ failure to comply with requirements concerning the sale of personal information. This has been and is expected to remain a priority. A company is required to disclose whether it sells or shares (for cross-contextual advertising) personal information, and to provide a clear “Do Not Sell or Share My Personal Information” link if it does.
In addition, companies should be testing the request process to confirm that it is working and that exercising this right is easy with minimal steps. This includes ensuring that requests are honored immediately with respect to tracking technologies on websites and in mobile apps.
The enforcement history highlights what the AG does not consider adequate: directing consumers to a third-party trade association’s opt-out tool for targeted advertising. This is no substitute for a fully operational “do not sell” process. Coordinating with technology personnel and reviewing the user experience will be important in ensuring that the request process works properly.
Failure to honor GPC/OOPS signals
Hand in hand with the above, regulators are expected to assess whether companies are honoring GPC/OOPS signals. Businesses must treat opt-out requests made by GPC/OOPS signals the same as requests made by users who have submitted a do not sell/share request.
What is clear from prior enforcement actions is that regulators are actively reviewing websites to determine if the sites are (1) detecting GPC/OOPS signals and (2) restricting the collection of information through tracking technologies once detected. We expect such proactive website reviews to continue.
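As an added illustration (not code from the article or its authors) of the two checks described above, the following Node-compatible snippet treats a GPC/OOPS signal exactly like a submitted do-not-sell/share request and uses that decision to gate which tracking tags may load. It reads the `Sec-GPC` request header server-side and `navigator.globalPrivacyControl` client-side, both defined by the GPC specification; the tag list, header object and navigator object are constructed sample inputs.

```javascript
// Server side: a GPC-enabled browser sends "Sec-GPC: 1" on every request.
function gpcFromHeaders(headers) {
  const raw = headers['sec-gpc'] !== undefined ? headers['sec-gpc'] : headers['Sec-GPC'];
  return String(raw === undefined ? '' : raw).trim() === '1';
}

// Client side: the same signal is exposed as navigator.globalPrivacyControl.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Decide whether "sale/share" tracking may run. A GPC signal is treated the
// same as a stored opt-out record, so either one blocks the tags.
function resolveOptOut({ gpcSignal, storedOptOut }) {
  const optedOut = Boolean(gpcSignal) || Boolean(storedOptOut);
  return {
    optedOut,
    allowSaleShareTags: !optedOut,
    // Recorded so a compliance test can show why tags were or were not loaded.
    reason: gpcSignal ? 'gpc-signal' : (storedOptOut ? 'stored-opt-out' : 'none'),
  };
}

// Gate tag loaders: tags categorised as selling/sharing personal information
// are dropped for an opted-out visitor; others load as usual.
function selectTagsToLoad(tags, decision) {
  return tags
    .filter((t) => decision.allowSaleShareTags || !t.sellsOrShares)
    .map((t) => t.name);
}

// Constructed sample: GPC on, no stored opt-out, three hypothetical tags.
const sampleTags = [
  { name: 'first-party-analytics', sellsOrShares: false },
  { name: 'ad-network-pixel', sellsOrShares: true },
  { name: 'social-retargeting', sellsOrShares: true },
];
const sampleDecision = resolveOptOut({
  gpcSignal: gpcFromHeaders({ 'sec-gpc': '1' }),
  storedOptOut: false,
});
console.log(sampleDecision.reason, selectTagsToLoad(sampleTags, sampleDecision));
```

Running the same functions with the signal absent and no stored opt-out is the quickest way to confirm a site changes behaviour when the signal is present, which is what the regulators' website reviews look for.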
Deficient privacy policies and notices
Also high on the list of enforcement priorities, and easily assessable by regulators, are deficient privacy policies and notices. As highlighted by the CPPA, when conducting reviews of policies, regulators are not engaging in a check-the-box review. Instead, they are checking if the policy adequately and accurately describes the business’ privacy practices, for example, disclosures in connection with the “sale” or “sharing” of personal information as well as descriptions of request processes.
Broad and sweeping statements in privacy notices will likely not be acceptable, as regulators push companies to be clear, concise, and transparent about their data practices. Deficiencies in policies can become gateways to further investigation. Businesses should also keep in mind that regulators are not just reviewing online policies, but also checking for compliance with notice requirements at POS and other in-person and over-the-phone points of data collection.
Failure to honor consumer requests; burdensome request process
Several prior enforcement actions examined whether request processes actually worked. These actions scrutinized whether certain steps and requirements hindered consumers’ ability to exercise their rights, including through the use of authorized agents. These cases teach a number of lessons.
For example, avoid requiring consumers to
- (1) provide unnecessary personal information;
- (2) create a new account; or
- (3) accept additional terms or policies in order to exercise their CCPA rights.
Businesses may verify consumer identities and establish verification methods for requests to delete, correct, or otherwise access personal information, proportionate to the nature of the personal information at issue. However, requests to opt out and limit processing of sensitive information should not require verification, and businesses should ensure such processes are not burdensome. Here too it would be prudent to confirm that the request workstreams are operational and review the user experience, including for risks of dark patterns.
Non-compliant offerings of financial incentives
The AG’s prior sweep on loyalty programs and financial incentives, covered in more detail on our website, provides key takeaways for businesses that offer loyalty programs, discounts, or other offers to consumers in relation to the collection, retention, or sale of their personal information. Compliance with financial incentives requirements is rooted in proper disclosures, including ensuring notices are provided electronically and at POS where applicable.
Financial incentive programs also require opt-in and a right to withdraw from the program, and those processes should be reviewed for ease and functionality, similar to other opt-out processes.
Employee and B2B data
Companies should keep in mind that all of the above compliance triggers will also apply to employee and B2B data. Just as with consumer data, businesses now have certain legal obligations for employee and B2B data, such as providing notice of privacy practices and fulfilling consumer requests to exercise their right to access or delete their personal information or opt out of the selling/sharing of their personal information.
As a result, HR and privacy teams should be coordinating efforts, and systems should be developed to maintain compliance. Considerations include the vendor management of data, especially considering the sensitivity of the data, as well as having a process for correction and deletion of data that is compliant with applicable employment laws and practices.
What now?
Regulators will continue to rely on broad sweeps and consumer complaints to evaluate compliance based on their enforcement priorities. Several public comments have made clear that the CPPA and AG’s Office believe that businesses have been on notice of the CCPA’s requirements, and they expect businesses to be in full compliance. Keep in mind that the California Privacy Rights Act (or CPRA) removed the 30-day cure period, so businesses should not expect an opportunity to fix deficiencies after a notice of violation.
In fact, non-compliance in this environment could be deemed an aggravating factor. To address this concern, contemporaneously documented good-faith efforts to work toward compliance should be considered. Businesses should review their compliance practices, not just to check that the basics are in place, but also to test processes and the user experience and confirm that policies and procedures are implemented correctly. This is especially true for businesses that may be deemed to serve vulnerable communities.
In addition, businesses may wish to be mindful of the following:
- Prioritize external-facing compliance elements, such as do not sell/share and limit-processing links, privacy notices (online and offline), and GPC/OOPS signal recognition.
- Legal should be involved in reviewing the functionality of compliance tools and the user experience to make sure that (1) requests are operationalized properly (including passing requests downstream as applicable) and (2) processes are not overly burdensome or subject to dark patterns.
- Utilize available tools to help evaluate privacy practices and processes. Regulators are aware of and use such tools, and will expect businesses to take advantage of the same.
- Develop internal systems to ensure consistent compliance and data governance, as well as strategies for rectifying any errors or failures when they are revealed.
- Have a plan to explain and address deficiencies. In this aggressive enforcement climate, it would be prudent to take a proactive, as opposed to reactive, compliance posture.
Monique N Bhargava (“Nikki”) is a partner who focuses on the convergence of advertising and emerging technology. Sarah L Bruno is a partner and trusted adviser to companies in the fields of privacy, intellectual property and advertising. Daniel H Ahn is one of Reed Smith’s leading West Coast and Asia-Pacific White-Collar Defense and Investigations partners.