On August 24, 2022, the California Attorney General (AG) announced the first public settlement of an enforcement action against a retail company for alleged violations of the California Consumer Privacy Act (CCPA). The settlement is for $1.2 million and includes an injunction. The AG alleged that a global beauty retailer failed to disclose to consumers that it was selling their personal information, failed to process user requests to opt out of sale via user-enabled Global Privacy Control (GPC) browser signals in violation of the CCPA, and did not cure these alleged violations within the 30-day period currently allowed by the CCPA. The AG’s actions were based on the retailer’s use of third-party analytic cookies on its website and apps. The AG’s complaint noted that the analytics provider could “determine who the shopper was, using extensive data gathered from other sources, and then present [the retailer] with the valuable option to serve targeted advertisements to the same shopper on the analytics provider’s advertising network.”¹
This week’s settlement is a continuation of a clear message by the AG’s office: The definition of “Sale” under the CCPA and the new California Privacy Rights Act includes digital advertising. In an injunction order that will last for two years, the AG’s office stated in the definitions section of the order that:
“SALE USING ONLINE TRACKING TECHNOLOGY means SALE where the business discloses or makes available CONSUMERS’ PERSONAL INFORMATION to third parties through the use of online tracking technologies such as pixels, web beacons, software developer kits, third party libraries, and cookies, in exchange for monetary or other valuable consideration, including, but not limited to: (1) personal information or other information such as analytics; or (2) free or discounted services.”²
The AG’s enforcement actions published last week reflect that the office currently expects businesses to honor the Global Privacy Control (GPC) signal to opt out of third-party targeted advertising. Businesses that fail to honor consumers’ right to opt out of the sale of their information will be held accountable. On July 19, 2021, the AG issued a report highlighting case examples of CCPA violations, without naming the businesses because the investigations are confidential. Most of the case examples related to sale issues. On August 24, 2022, the same day as the press release related to the first public enforcement action, the AG updated these case examples, which further underscores the AG’s focus on businesses that are allegedly trying to, among other things, circumvent the obligation to honor opt-out-of-sale requests.
The AG’s office has also previously signaled support for user-enabled opt-out browser signals. The GPC, spearheaded by Ashkan Soltani, who is now the executive director of the California Privacy Protection Agency, allows users to enable a default opt-out-of-sale signal in their browser settings. Former AG Xavier Becerra tweeted last year that GPC signals are valid opt-out-of-sale requests under the CCPA. The AG’s office has published a Frequently Asked Questions page, which likewise states that GPC signals are valid opt-outs.
The AG’s office considers this a priority. In his August 24, 2022 online press conference, AG Rob Bonta announced that the “kid gloves” are coming off. As the CCPA is rounding its second anniversary, businesses need to get in line and comply with its requirements. Another round of notice of violation letters relating to failure to comply with opt-out-of-sale requests is expected soon.
- Violations relating to sales issues continue to be a priority for the AG’s office. Based on notice of violation letters, more than one-third of alleged CCPA violations pertain to “Do Not Sell My Personal Information” link, GPC signal, and other sale issues. AG Bonta’s press release and updated enforcement report further confirm that failure to comply with opt-out-of-sale issues is an important priority of the AG’s office. Thus, it is critical for businesses to evaluate compliance with this and other requirements under the CCPA.
- AG Bonta emphasized that businesses need to honor opt-outs via opt-out preference signals. The AG announced a “new investigative sweep” focused on compliance with GPC and has issued notices of noncompliance to over a dozen businesses. Businesses that receive a notice will have 30 days to cure their noncompliance—but this right to cure will expire when the California Privacy Rights Act becomes effective on January 1, 2023. If businesses are “sellers” under the CCPA, they should consider whether their websites are equipped to receive and honor opt-out requests communicated through opt-out preference signals such as GPC. Businesses can either enter the GPC code on their website or use data privacy compliance tools that provide this service. (You can learn more about GPC on the Global Privacy Control website.)
- These AG enforcement trends are consistent with increased federal scrutiny of digital advertising. On August 10, 2022, the Consumer Financial Protection Bureau (CFPB) issued a press release warning that digital marketers involved in the identification or selection of prospective customers or content to affect consumer behavior are typically service providers for the purposes of CFPB rules. As service providers, digital marketers can be held liable for committing unfair, deceptive, or abusive acts or practices as well as other consumer financial protection violations.
1 People of the State of California v. [Retailer], Complaint at ¶12.
2 People of the State of California v. [Retailer], [Proposed] Final Judgment and Permanent Injunction at ¶ 6.