September 02, 2022

CA Attorney General Says ‘The Kid Gloves Are Coming Off’; Announces $1.2M Settlement with Retail Co. for CCPA Sales Violation


Online businesses that sell to California residents should take note of a recent enforcement action by the state’s attorney general (AG) signaling that adequate notice of sale must be provided in a business’s privacy policy, California residents’ opt-out requests must be honored, and, from the AG’s perspective, the use of third-party cookies for targeted advertising is a sale.

On August 24, 2022, the AG announced the first public settlement of an enforcement action against a retail company for alleged violations of the California Consumer Privacy Act (CCPA). The settlement is for $1.2 million and includes an injunction. The AG alleged that a global beauty retailer failed to disclose to consumers that it was selling their personal information, failed to process user requests to opt out of sale via user-enabled Global Privacy Control (GPC) browser signals in violation of the CCPA, and did not cure these alleged violations within the 30-day period currently allowed by the CCPA. The AG’s actions were based on the retailer’s use of third-party analytic cookies on its website and apps. The AG’s complaint noted that the analytics provider could “determine who the shopper was, using extensive data gathered from other sources, and then present [the retailer] with the valuable option to serve targeted advertisements to the same shopper on the analytics provider’s advertising network.”1


This week’s settlement is a continuation of a clear message by the AG’s office: The definition of “Sale” under the CCPA and the new California Privacy Rights Act includes digital advertising. In an injunction order that will last for two years, the AG’s office stated in the definitions section of the order that:

“SALE USING ONLINE TRACKING TECHNOLOGY means SALE where the business discloses or makes available CONSUMERS’ PERSONAL INFORMATION to third parties through the use of online tracking technologies such as pixels, web beacons, software developer kits, third party libraries, and cookies, in exchange for monetary or other valuable consideration, including, but not limited to: (1) personal information or other information such as analytics; or (2) free or discounted services.”2

The AG’s enforcement actions published last week reflect that it is currently expecting that businesses will honor the Global Privacy Control (GPC) signal to opt out of third-party targeted advertising. Businesses that fail to honor consumers’ right to opt out of the sale of their information will be held accountable. On July 19, 2021, the AG issued a report highlighting case examples of CCPA violations, without naming businesses by name because the investigations are confidential. Most of the case examples related to sale issues. On August 24, 2022, the same day as the press release related to the first public enforcement action, the AG updated these case examples, which further underscores the AG’s focus on businesses that are allegedly trying to, among other things, circumvent the obligation to honor opt-out-of-sale requests.

The AG’s office has also previously signaled support of user-enabled opt-out browser signals. The GPC, spearheaded by Ashkan Soltani, who is now the executive director of the California Privacy Protection Agency, allows users to enable a default opt-out-of-sale signal in their browser settings. Former AG Xavier Becerra tweeted last year that GPC signals are valid opt-out-of-sale requests under the CCPA. The AG’s office also published a Frequently Asked Questions page, which also states that GPC signals are valid opt-outs.

The AG’s office considers this a priority. In his August 24, 2022 online press conference, AG Rob Bonta announced that the “kid gloves” are coming off. As the CCPA is rounding its second anniversary, businesses need to get in line and comply with its requirements. Another round of notice of violation letters relating to failure to comply with opt-out-of-sale requests is expected soon.

Key Takeaways

  • Violations relating to sales issues continue to be a priority for the AG’s office. Based on notice of violation letters, more than one-third of alleged CCPA violations pertain to “Do Not Sell My Personal Information” link, GPC signal, and other sale issues. AG Bonta’s press release and updated enforcement report further confirm that failure to comply with opt-out-of-sale issues is an important priority of the AG’s office. Thus, it is critical for businesses to evaluate compliance with this and other requirements under the CCPA.
  • AG Bonta emphasized that businesses need to honor opt-outs via opt-out preference signals. The AG announced a “new investigative sweep” focused on compliance with GPC and has issued notices of noncompliance to over a dozen businesses. Businesses that receive a notice will have 30 days to cure their noncompliance—but this right to cure will expire when the California Privacy Rights Act becomes effective on January 1, 2023. If businesses are “sellers” under the CCPA, they should consider whether their websites are equipped to receive and honor opt-out requests communicated through opt-out preference signals such as GPC. Businesses can either enter the GPC code on their website or use data privacy compliance tools that provide this service. (You can learn more about GPC on the Global Privacy Control website.)
  • From the AG’s perspective, use of third-party cookies for targeted advertising is considered a sale. The AG found that the retailer’s use of third-party cookies—which allowed other companies to track consumers across third-party sites and collect information regarding a consumer’s precise location, purchase history, and type of device—constituted a sale of consumer personal information. Based on the AG’s position on this issue, businesses that use targeted advertising cookies should consider whether they are adequately describing this practice as a sale, including all required notices and links, and honor GPC signals based on this practice. Alternatively, businesses should consider removing the use of cookies or implementing geofencing to block use of these cookies for California residents. Indeed, the AG’s office found the geofencing option acceptable in its updated enforcement report, stating that a business corrected its alleged non-compliance by initiating “a technical solution to block all third-party advertising cookies for anyone visiting their website using a California internet protocol (IP) address.”
  • Sellers must provide adequate notice of “sale” in their privacy policy and honor opt-out requests. Businesses that disclose they may “sell” personal information but do not provide adequate opt-out mechanisms or honor consumers’ opt-out requests are noncompliant with the CCPA. Businesses need to think carefully about whether they are a seller or not. If parts of your data handling practices could be construed as a “sale” under the CCPA, do not try to circumvent providing the appropriate notices and opt-out right to consumers. It is better to simply consider yourself a “seller” and comply with the CCPA’s requirements. Remember, despite the misconception, you are allowed to sell under the CCPA as long as you are compliant with the law.
  • These AG enforcement trends are consistent with increased federal scrutiny of digital advertising. On August 10, 2022, the Consumer Financial Protection Bureau (CFPB) issued a press release warning that digital marketers involved in the identification or selection of prospective customers or content to affect consumer behavior are typically service providers for the purposes of CFPB rules. As service providers, digital marketers can be held liable for committing unfair, deceptive, or abusive acts or practices as well as other consumer financial protection violations.


1 People of the State of California v. [Retailer], Complaint at ¶12.

2 People of the State of California v. [Retailer], [Proposed] Final Judgment and Permanent Injunction at ¶ 6. 

Related Services & Industries

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.