The California Office of the Attorney General has published a list of recent CCPA enforcement examples on its website. Each example summarizes the AG’s allegation of noncompliance and the steps that the companies took to cure the alleged noncompliance.

Under CCPA, companies have 30 days to cure noncompliance after which the California AG may initiate a civil action for civil penalties not to exceed $2,500 for each violation or $7,500 for each intentional violation. In each example made public by the California AG, the AG stated that the target of the enforcement action cured the violation and the California AG did not assess penalties. In January 2023, however, the right to cure will sunset when the CPRA takes effect.

The examples provide insight into the types of companies and industries that the California AG focused on, including inadequate privacy policy CCPA disclosures, lack of service provider restrictions, and inefficient responses to CCPA requests. The examples also highlight the CCPA compliance issues that the California AG prioritized in its enforcement efforts, including allegations concerning:

  • Inadequate disclosures: Companies did not provide disclosures or methods to submit consumer requests.
  • Service Provider Restrictions: Companies did not add language in contracts that restricts how service providers can retain, use, or disclose personal information.
  • Sale of Personal Information or Responding to GPC signals: Companies that “sell” personal information did not include a Do Not Sell My Personal Information link on their homepage or provide disclosures about the sale of information.
    • In one case, the California AG disagreed that a business that included an “accept sharing” link had established consent to sell personal information.
    • In a number of cases, the California AG disagreed that mobile device settings or a trade association opt out tool designed to manage online advertising were sufficient in place of a Do Not Sell My Personal Information button.
  • Privacy Request Responses: Companies did not respond properly or timely to CCPA requests to know or delete personal information. Some companies did not offer the option for authorized agents to submit requests, or imposed requirements on authorized agents that the California AG said were not warranted, like the requirement to notarize requests.
  • Financial Incentives: The California AG took the position that a grocery chain that required consumers to provide personal information in exchange for participation in a loyalty program was required to provide a notice of financial incentives, but did not do so.
In response to the California AG, companies have taken corrective action to cure alleged violations. Here are examples of steps that companies have taken:
  • Classification of Service Providers: Companies cured alleged violations relating to service provider classifications by taking the following actions:
    • Amending service provider contracts to include CCPA-specific addendums.
    • Redrafting service provider contracts to contain the necessary restrictions on the use of personal information.
    • In the case of a company that acted both as a service provider and as a business, updating the company’s privacy policies to include disclosures required of businesses.
  • Inadequate Disclosures: In response to concerns that privacy policies or other required notices were inadequate, companies took steps to cure by:
    • Updating privacy policies to include notice of CCPA consumer rights and how to exercise those rights.
    • Addressing whether the business “sells” personal information.
    • Amending privacy policies with instructions on how authorized agents may submit CCPA requests on behalf of consumers.
    • Implementing notice at collection for personal information received, regardless of whether information was collected online or in-person.
    • Updating privacy policies to clarify that the business cannot charge a fee for processing a consumer’s privacy request .
  • Do Not Sell My Personal Information Link: Companies addressed concerns with the DNSMPI link by:
    • Adding the Do Not Sell My Personal Information link to the homepage.
      • In one example, the California AG initiated an inquiry focused on the business’s failure to respond to an opt out request via global privacy control signal, but the AG ultimately accepted a cure where the company worked with its third party privacy vendor to effectuate consumer opt-out requests.
    • Changing the “Do Not Sell My Personal Information” link to ensure it functioned properly.
    • Discontinuing requiring government identification and a bill showing the consumer’s address before honoring requests to opt-out of the sale of personal information.
  • CCPA Request Procedures: Companies modified CCPA response procedures by:
    • Responding more quickly to CCPA requests.
These examples signal that the California AG’s CCPA enforcement is active and ongoing. Prioritizing privacy compliance and confirming appropriate controls are in place (including those that take account of these types of updates) can help reduce the risk of receiving a letter of noncompliance. If you have questions about compliance with the CCPA, please contact attorneys in the Information Privacy and Data Security practice group at Kelley Drye.