In the wake of the implementation of the California Privacy Rights Act (CPRA) next year, businesses may be uncertain about what to expect from this upcoming law. However, there is plenty to learn from the enforcement history of the good old California Consumer Privacy Act (CCPA) that paved the way for the CPRA.

The first formal complaint brought by the AG under the CCPA was against the retailer Sephora for allowing third parties to collect the personal information of its users via cookies, which, the OAG argues, amounted to the “sale” of information. The company was found to be in violation of the CCPA on the following counts: it did not disclose its online and offline practices regarding the collection, use, sale, sharing, and retention of personal information, it failed to post a "Do Not Sell My Personal Information" link on its website and mobile apps for opt-out requests, and its website did not detect, and process opt-out signals sent by browsers where the user had enabled Global Privacy Control (GPC).

In its defense, Sephora could not prove that the third parties were service providers due to a lack of valid contracts that met the requirements set forth for a service provider contract under the CCPA. If the settlement is approved, Sephora will have to pay a fine of $1.2 million, take immediate action to comply with the law, and conduct regular compliance assessments for a period of two years.

The key takeaway from this case being businesses need to have contracts clearly defining the role of third parties when there is a sharing of information. Also, it is important to ensure that the company’s apps and websites have opt-out mechanisms and options for users to exercise their data subject rights.

The Office of the Attorney General (OAG) has cited several such examples where retailers were found to be using web tracking technologies to share the personal information of their users in exchange for services like advertising or analytics. These retailers did not offer an opt-out mechanism and also failed to ensure that the third party was a CCPA-compliant service provider. Data sharing in exchange for analytics or ad serving will be considered as “sale” under the CCPA, and the law also requires businesses to allow opt-out via a user-enabled global privacy control (GPC).

The OAG has been notifying companies of alleged noncompliance with the CCPA since its enforcement on July 1, 2020. Some of these notices concerning the CCPA can provide notable takeaways for privacy professionals. We have summarized the learnings from these case laws based on the issues pertaining to noncompliance with the CCPA.

Takeaway #1:

The CCPA found that businesses operating loyalty programs were offering financial incentives in exchange for consumers’ personal information without posting a compliant notice of financial incentive. These companies were required to post a notice of financial incentive so that the consumers would get to go through the terms of the loyalty program before joining it voluntarily.

Takeaway #2:

Businesses operating multiple websites under their portfolio need not require their consumers to submit multiple requests for opting out of the sale of their personal information from each website. A “Do Not Sell My Personal Information” link must be provided for all the digital properties of a business.

Takeaway #3:

Businesses need to provide notice of the required CCPA consumer rights, including the right to know, delete, and to not be discriminated against. The available request methods established for consumers to exercise their CCPA rights must also be clearly mentioned, along with the disclosure regarding whether the business sells any personal information. Businesses should list a toll-free number for consumers making CCPA requests.

Takeaway #4:

Businesses should provide timely responses to consumers’ CCPA requests and also notify them if their requests have been received or effectuated.

Businesses can’t compel consumers to accept the company’s privacy policy and terms of service in order for them to exercise their rights under the CCPA. Businesses also can’t restrict consumers from exercising their data subject rights, for example, by limiting them to have a certain number of requests within a specific period or providing only one method to submit CCPA requests. Consumers shouldn’t have to go through an onerous process for CCPA requests, including verification or asking them to create an account in order to complete their requests.

Businesses should not charge consumers for processing their data subject access requests and the company should also properly disclose CCPA metrics for the previous calendar year.

Takeaway #5:

The “Do Not Sell My Personal Information” link on the business’ website homepage should not have any confusing choices, unclear language and toggle options. The language and options to opt out of the sale of personal information should be easy to understand and without any double negatives.

The website should not require consumers to take additional steps for opting out by directing them to third-party tools designed for managing online advertising or cookie preferences. It should also not include dark patterns with “the substantial effect of subverting or impairing a consumer’s choice to opt-out of schemes where their personal data is being sold”. The links for submitting requests, including the “Do Not Sell My Personal Information” link should function across all browsers.

The company’s privacy policy should clearly explain how it uses third-party cookies and the business should allow consumers to fully opt out of the sale of personal information, including in connection with targeted advertising.

Takeaway #6:

Businesses should clearly establish whether they are operating as a service provider or a data processor. The company’s terms of service should clarify its obligations as a service provider/data processor under the CCPA.

Takeaway #7:

Businesses should provide notice of the required CCPA consumer rights, along with the methods for consumers to exercise their CCPA rights to request to know and delete. They need to list the categories of personal information they disclose, state whether or not they have sold personal information in the past 12 months and also list the categories of third parties for each category of personal information disclosed for a business purpose.

Takeaway #8:

The links provided in the notice and privacy policy should direct consumers to the relevant section. The privacy policy should describe the information a consumer must provide in order to make a verifiable consumer request.

Takeaway #9:

Businesses offering services to minors should notify consumers at or before the point of collection about the categories of personal information being collected and their purposes. The company’s privacy policy should clearly state whether it sells the personal information of minors under 18.