
November 4, 2022

Stroock Client Alert

By: Stephen J. Newman, Jeffrey M. Mann, Dustin A. Linden

Businesses subject to the California Consumer Privacy Act (“CCPA”)[1] and the California Privacy Rights Act (“CPRA”)[2] can expect increased enforcement actions starting in 2023, as the CPRA’s provisions become fully effective and the notice-and-cure provisions of the CCPA expire.

The CCPA and CPRA are the first comprehensive consumer privacy statutes in the country and have become a model for similar laws in other states. Broadly speaking, the CCPA and CPRA create a host of new consumer privacy rights and impose obligations on covered businesses with respect to how they collect, use, and share consumers’ personal information. Some of the significant new privacy rights created by the CCPA and CPRA include the right to know what personal information businesses collect and how that information is used;[3] the right to delete that information;[4] the right to correct inaccurate personal information;[5] the right to limit use and disclosure of sensitive personal information (e.g., identification numbers, account login information, geolocation, racial or ethnic origin, religious beliefs, and genetic data);[6] and the right to non-discrimination for exercising these rights.[7]

The CCPA also gives consumers the important right to opt out of businesses selling their personal information.[8] Businesses are required to prominently display links on their websites or privacy policies so consumers can easily exercise this right.[9] Businesses must also process opt-out requests made through “Global Privacy Control,” an internet privacy management tool or extension that consumers can download for their browsers. It allows them to make a single opt-out request covering all websites at once so those consumers do not have to make individual requests on every website they visit.[10]

Enforcement of the CCPA and CPRA is largely the joint province of the California Attorney General and the newly-established California Privacy Protection Agency,[11] but the Attorney General has taken the lead thus far.[12] The Attorney General’s primary enforcement tool has been to issue letters notifying businesses of their alleged CCPA violations and giving them thirty days to cure before initiating enforcement actions. This notice-and-cure procedure is required by the CCPA in its first two years. After December 31, 2022, however, the Attorney General is permitted to commence an enforcement action without first giving the offending business an opportunity to cure the alleged violation.

The Attorney General has issued notice-and-cure letters to major companies operating across many industries, including technology, health care, retail, fitness, data brokerage, and telecommunications, for a variety of different alleged violations. These violations have included the companies’ failure to inform consumers that they were receiving a financial incentive (through loyalty programs) in exchange for the consumers’ personal information; failure to include all required information in privacy disclosures or make disclosures understandable to the average consumer; and failure to make opt-out links work on all internet browsers or without confusing additional steps.

The Attorney General’s most significant enforcement action to date has been against cosmetics retail giant Sephora. On August 24, 2022, the Attorney General announced a major settlement with Sephora for allegedly violating the CCPA. The Attorney General claimed that Sephora failed to disclose to consumers that it was “selling” their personal information by making it available to third parties; failed to adequately process consumer opt-out requests made through Global Privacy Control; and failed to cure these violations within the thirty-day notice-and-cure period. 

The settlement provides that Sephora will pay $1.2 million in civil penalties and comply with a consent decree that requires it to clarify its online disclosures and privacy policy to include an affirmative representation that it sells data; provide mechanisms for consumers to opt out of the sale of personal information, including through Global Privacy Control; conform its service provider agreements to the CCPA’s requirements; and file reports with the Attorney General regarding its compliance over the next few years.

The Sephora settlement indicates that the Attorney General intends to aggressively pursue CCPA and CPRA violations, especially after the notice-and-cure requirements expire at the end of the year. Indeed, Attorney General Rob Bonta stated that he hopes the settlement sends “a strong message to businesses that are still failing to comply with California’s consumer privacy law” that his “office is watching” and “will hold [noncompliant businesses] accountable.” Bonta further warned that it has “been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses.”

The Attorney General also made clear that compliance with consumer opt-out requests will be a central focus going forward. “Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they are using their customer’s data and ignore requests to opt-out of its sale . . . Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.” The same day that the Sephora settlement was announced, the Attorney General issued a new round of notice-and-cure letters to businesses alleging that they failed to process consumer opt-out requests made through Global Privacy Control.

With the Attorney General’s aggressive posture, and the California Privacy Protection Agency yet to weigh in, businesses who handle California consumers’ data can expect to see a wave of new enforcement actions in 2023. Compliance with all provisions of the CCPA and CPRA is of course important to forestall any enforcement effort, but it is most important to provide consumers and other website users with accurate, clear, and conspicuous disclosures regarding how the business collects and uses their personal information. Further, businesses who collect personal information must be sure to provide consumers with an easy-to-use opt-out feature on their websites. Businesses must also ensure that they are able to process and comply with opt-out requests, including requests made through Global Privacy Control. 

We will continue to monitor the enforcement conduct of the Attorney General and the California Privacy Protection Agency throughout 2023 and beyond.


[1] Cal. Civ. Code § 1798.100 et seq.

[2] Id. § 1798.199.10 et seq.

[3] Id. §§ 1798.110, 1798.115.

[4] Id. § 1798.105.

[5] Id. § 1798.106.

[6] Id. § 1798.121.

[7] Id. § 1798.125.

[8] Id. § 1798.120.

[9] Id. § 1798.135.

[10] 11 C.C.R. § 7026.

[11] See Cal. Civ. Code §§ 1798.155, 1798.185, 1798.199.90.

[12] The CCPA and CPRA also provide a private right of action in certain circumstances. See Id. § 1798.150.
