California AG Announces First CCPA Settlement and There is More Enforcement to Come
The first California Consumer Privacy Act (CCPA) settlement was announced on August 24, together with a strong message from California Attorney General Rob Bonta regarding compliance with the CCPA. The settlement involves Sephora USA, Inc., and resulted from a sweep of enforcements by the Attorney General last year. As part of the settlement, Sephora agreed to pay $1.2 million and comply with requirements related to its CCPA obligations. Prior to the AG investigation, Sephora was notified of its alleged CCPA violations but failed to cure within the 30-day period allowed under law. This failure prompted the AG to initiate the enforcement action.
Companies should note that CCPA requirements are complex to implement, and the 30-day cure period may be insufficient to make all needed changes. In addition, the cure period currently allowed under the law will expire as of January 1, when the CPRA amendments to the CCPA become effective.
It is therefore critical for companies to evaluate their CCPA compliance posture prior to January 1, 2023, as the California Attorney General’s office, together with the new California Privacy Protection Agency, appears poised to increase its enforcement efforts and may be less tolerant of non-compliance. In a press release issued together with the Sephora settlement, Attorney General Rob Bonta stated:
“I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses.”
Together with announcing the Sephora settlement, the Attorney General’s office also issued notices to a number of other businesses alleging non-compliance relating to their failure to honor opt-out requests via the GPC or similar controls. Recipients of these notices will have 30 days to cure the violations, or they will face enforcement actions. Businesses receiving such notices after January 1, 2023, however, will have no such opportunity to cure. Examples of the notices to cure sent by Bonta’s office can be found at oag.ca.gov/ccpa.
There are several important lessons in the Sephora settlement.
- The California AG is treating GPC as a requirement, rather than an option. Although the statutory text of the CCPA does not mandate compliance with the GPC, the AG suggested this was a requirement in the 2021 amendments to the CCPA regulations and on the CCPA FAQ page in July 2021. Whether this constitutes sufficient notice and a true statutory requirement is somewhat debatable, but companies should take notice and ensure GPC compliance in order to avoid potential enforcement for non-compliance.
- Any doubts regarding whether third-party online behavioral advertising and profiling constitute data sales have now been removed (though such relationships are likely to fall within the scope of the CPRA’s new “sharing” opt-out requirements once the CPRA amendments take effect).
- Privacy policies must clearly disclose the categories of data sold, the fact that sales are taking place, and other requirements specified in the CCPA.
- Service provider contracts must meet CCPA’s service provider contract requirements in order for the relationship to be exempt from the “sale” definition. Note that each relationship must, in fact, meet relevant service provider requirements, and language alone will not accomplish this. Similarly, service provider technologies may require additional configuration for processing to be in scope of the service provider agreement.
- Companies should be wary of using targeted advertising in a manner that implicitly reveals sensitive information (e.g., pregnancy or other health conditions).
With the CPRA and other state laws becoming effective in the next year, companies have numerous tasks to complete in preparation. For companies engaging in data sales, GPC implementation should be near the top of the to-do list, and more information is available at Global Privacy Control — Take Control Of Your Privacy.