In this digital age, safeguarding consumer privacy is a critical concern. Enter the California Consumer Privacy Act (CCPA), a landmark milestone in the United States’ privacy landscape, putting California consumers’ privacy first with strict regulations. Since enforcement began on July 1, 2020, the Office of the California Attorney General (OAG) has been notifying non-compliant companies, giving them a 30-day cure period to address the allegations and strengthen their privacy practices. In this article, we will take a look at case examples of CCPA enforcement against some of these companies (names not revealed by the OAG): the specific rule(s) they broke, how they violated them, and the measures they took to cure their non-compliance.

Please note that the California Consumer Privacy Rights Act (CPRA) is the amended version of CCPA that has been in enforcement since January 1, 2023. The law has made several changes to the CCPA. For more details, please read our guide to CPRA.

CCPA rule enforced: Privacy policy disclosure

If the business has an online privacy policy, it must disclose the information related to its data processing practices. This information must include:

  • Categories of personal information collected in the last 12 months, the sources of that information, and the purposes for collecting it.
  • Categories of personal information sold to or shared with third parties, along with the purposes and the third-party recipients.
  • Explanation of consumer rights under the CCPA, such as the right to know, delete, correct, opt out, and not be discriminated against for exercising these rights.
  • Instructions on how to exercise these rights, and other required information.
  • Date of the last privacy policy update.

Case example #1 

A tech company that offers weblink shortening services failed to inform consumers, in its privacy policy, about their rights under the CCPA, such as the right to know, delete, and avoid discrimination. Additionally, it didn’t explain how consumers can exercise these rights. The company also didn’t clearly state whether it had sold consumers’ personal information and didn’t provide an easy-to-find “Do Not Sell My Personal Information” link.

Action taken by the company

Upon receiving notice of these compliance issues, the company took immediate action. They updated their privacy policy to include the required CCPA rights, added two ways for consumers to request their rights, and included a compliant opt-out link.

Case example #2

A telehealth technology company’s website had a link that sent consumers to the wrong section of their privacy policy. Additionally, their privacy policy lacked important details like the information consumers needed to provide for verifiable consumer requests, the categories of personal information collected and disclosed in the past year, and the categories of third parties receiving this information. 

Action taken by the company

They resolved the problems by linking consumers directly to the relevant section in their privacy policy and updating the policy to include all required disclosures.

Case example #3

A medical device manufacturer’s privacy policy initially violated the CCPA by requiring consumers to accept its terms before they could exercise CCPA rights. Consumers were also restricted to making only one request per year and had no clear opt-out option for the sale of personal information.

Action taken by the company

After being alerted, the company improved its policy by removing restrictions, adding a “Do Not Sell My Personal Information” link, and enhancing the opt-out process for consumers to fully prevent the sale of their personal information, including for targeted advertising.


CCPA rule enforced: Consumer rights handling

Under the CCPA, California consumers have the following rights:

  • The right to know about the personal information a business collects about them and how it is used, sold, and shared.
  • The right to delete personal information collected from them.
  • The right to opt out of the sale or sharing of personal information.
  • The right to non-discrimination for exercising these rights.

The CCPA requires businesses to respond to consumer requests “as soon as feasibly possible”. For most requests, the time limit is 45 calendar days, extendable by another 45 days (90 days total) if the business notifies the consumer. Requests to opt out, however, must be honoured within a maximum of 15 business days from the date the request was received. Businesses cannot charge a fee for submitting requests unless the requests are manifestly unfounded or excessive.

Case example #1

A healthcare company that helps patients find COVID-19 vaccination appointments mistakenly treated some consumer requests to access information as deletion requests, leading to the permanent deletion of personal information. 

Action taken by the company

To address the mishap, the company trained its staff and improved its response process for handling both information access and deletion requests accurately and appropriately.

Case example #2

A social media app had a problem with responding on time to CCPA requests. Consumers who wanted to know what personal information was collected about them or wanted their information deleted were not getting timely responses. People were also not receiving any confirmation that their requests were received or acted upon.

Action taken by the company

After being informed of the issue, they responded to all the pending requests and made improvements to their CCPA response system. Now, they ensure that future requests will be handled promptly and consumers will be acknowledged when they make a request.

Case example #3

A children’s toy distribution company failed to inform consumers about their rights under the CCPA, didn’t provide methods for them to request information or deletion, and didn’t disclose the categories of personal information it shared. Additionally, the company wrongly stated that it could charge a fee for processing such requests.

Action taken by the company

After being notified of these issues, the company rectified its privacy policy to comply with CCPA requirements.

CCPA rule enforced: Right to opt-out

Under the CCPA, consumers have the right to opt out, i.e. to tell businesses not to sell or share their personal information for purposes like targeted advertising. Once a consumer opts out, the business can’t sell or share their information unless the consumer later consents. Businesses have to wait at least 12 months before asking a consumer to opt back in.

To make the opt-out process easy, businesses must have a clear and easy-to-find link on their websites, titled “Do Not Sell or Share My Personal Information.” This link takes consumers to a page where they can choose to opt out of the sale or sharing of their personal information. Businesses can also offer other opt-out methods, such as a toll-free phone number, a designated email address, form submission in person or via mail, and a user-enabled global privacy control (GPC), such as a browser plugin or privacy setting that lets consumers express their choice to opt out of the sale of their personal information.

Case example #1

Multiple online retailers faced CCPA enforcement action for failing to respect consumer opt-outs of sales. The investigations revealed that they were using web tracking technologies to share consumers’ personal information with third parties without providing an opt-out option or ensuring that those recipients were CCPA-compliant service providers. Specifically, they neglected to process opt-out requests made through the user-enabled GPC, as mandated by CCPA regulations.

Action taken by the company

After being notified, these retailers made changes to service-provider contracts, adopted technology to signal “restricted use” of personal data to third parties, and blocked certain transfers of personal information when GPC was detected.
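As an added example (not code from the article, the OAG, or any company described here), the following JavaScript shows how a site can treat a GPC signal as a valid opt-out, the failure at the heart of this case, and gate third-party sharing on it. The `Sec-GPC: 1` header and the `navigator.globalPrivacyControl` property come from the GPC specification; the tag inventory, function names and stored-preference field are assumptions constructed for the example.

```javascript
// Added example, not code from the article or any company it describes.
// Assumptions: server-side code sees the raw request headers; browser-side
// code receives a navigator-like object. `Sec-GPC: 1` and
// `navigator.globalPrivacyControl` are defined by the GPC specification;
// the tag list and function names are constructed for this example.

// Server side: the GPC header is exactly "1" when the user has opted out.
// Any other value, or no header at all, is treated as no signal.
function gpcHeaderSignalled(headers) {
  const value = headers["sec-gpc"] ?? headers["Sec-GPC"];
  return typeof value === "string" && value.trim() === "1";
}

// Browser side: the same signal is exposed as a boolean on navigator.
function gpcNavigatorSignalled(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Resolve the consumer's effective opt-out. A GPC signal counts as a valid
// opt-out request, just like clicking the "Do Not Sell or Share My Personal
// Information" link; a preference already stored for the consumer wins.
function resolveOptOut({ headers = {}, nav = null, storedOptOut = false } = {}) {
  if (storedOptOut) return { optedOut: true, source: "stored-preference" };
  if (gpcHeaderSignalled(headers) || gpcNavigatorSignalled(nav)) {
    return { optedOut: true, source: "gpc-signal" };
  }
  return { optedOut: false, source: "none" };
}

// Constructed tag inventory. Tags that sell or share personal information
// with third parties must not fire once the consumer has opted out; a tag
// acting purely as a service provider under a compliant contract may run.
const TAGS = [
  { name: "ad-network-pixel", sharesPersonalInfo: true },
  { name: "site-analytics", sharesPersonalInfo: false },
  { name: "retargeting-tag", sharesPersonalInfo: true },
];

// Return the names of the tags that may load for this request.
function allowedTags(optOut, tags = TAGS) {
  return tags
    .filter((t) => !(optOut.optedOut && t.sharesPersonalInfo))
    .map((t) => t.name);
}

// Stand-alone demonstration on a constructed request carrying Sec-GPC: 1.
const decision = resolveOptOut({ headers: { "sec-gpc": "1" } });
console.log(decision, allowedTags(decision));
```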

In the case of Sephora Inc., the right-to-opt-out violation remained unaddressed during the stipulated 30-day cure period. As a result, the OAG fined the multinational retailer $1.2 million. The settlement also requires improved disclosures, working opt-out mechanisms, and ongoing compliance with CCPA requirements.

Case example #2

A fitness center chain had a problem with its website privacy settings. They had a link that said, “Do Not Sell My Personal Information,” but the choices were confusing and used unclear language and toggle options. For instance, when someone turned on the “opt-out of the sale of personal information” toggle, they were actually opting into third-party cookies and the sale of their personal information. To truly opt out, they had to turn this toggle off.

Action taken by the company

After being told about the issue, the fitness center chain made some important changes. They simplified the language and options for opting out of the sale of personal information, making it easier to understand. They got rid of the confusing drop-down menu and replaced it with a simple and clear toggle. They also updated their privacy policy to explain how they used third-party cookies and allowed people to fully opt out of the sale of their personal information, even in connection with targeted advertising.

Case example #3

A people search website faced issues with its “Do Not Sell My Personal Information” link and CCPA request process. The link only worked on certain browsers, and the webpage was confusing with additional steps to submit requests. The company also required an onerous verification process and limited submission methods. 

Action taken by the company

After being notified, the company made several changes, including making the link work on all browsers, simplifying the CCPA request process, eliminating the verification step, providing alternative submission methods, and updating its disclosures to comply with regulations.

Case example #4

A clothing retailer had a non-compliant opt-out process. The “Do Not Sell My Personal Information” link only discussed cookie management and did not allow consumers to stop the sale of personal information. 

Action taken by the company

Upon notification, the retailer updated its opt-out page to include a separate button for all consumers to opt out of the sale of personal information, regardless of location.

Case example #5

A technology platform providing financial products did not allow consumers to submit opt-out or request-to-know requests through authorized agents. Additionally, the team handling consumer rights requests was uninformed of CCPA requirements and of how to assist consumers in exercising their CCPA rights.

Action taken by the company

After being informed, the platform enabled consumers to submit requests via authorized agents, updated its privacy policy, conducted employee training, and implemented a technical solution to block third-party advertising cookies for California IP addresses.

Case example #6

A wireless network provider’s CCPA portal was broken, preventing consumers from submitting requests to know and delete their personal information.

Action taken by the company

In response, the provider fixed its online CCPA portal and implemented a response process for all CCPA requests, including those through the GPC.

Case example #7

An online advertising firm’s privacy disclosures were difficult for consumers to understand and lacked the required information. The opt-out process for the sale of personal information was also confusing and had dysfunctional links. 

Action taken by the company

After receiving notice, the firm revised its privacy policy to address violations and hired a UX designer to improve the opt-out process.


CCPA rule enforced: Notice at Collection

The CCPA makes it mandatory for businesses to inform consumers about their data collection practices through a “Notice at Collection.” This notice must include the types of personal information the business collects from consumers and the reasons they use this information. It must also provide a link to the business’s privacy policy, which gives a more detailed explanation of its privacy practices and consumer rights.

Case example #1

An email marketing company collected personal information from consumers through emails sent on behalf of its customers. They failed to inform consumers properly or provide a way for consumers to request changes. 

Action taken by the company

When notified about this issue, the company clarified that it acted as a service provider for its customers, processing personal information on their behalf. They assured that personal information obtained for one customer was not used for another. To address the concern, the company updated its terms of service to clarify its obligations under the CCPA.

CCPA rule enforced: Sales of Minors’ Personal Information

If a business knows a consumer is under 16, it can’t share that consumer’s personal information without consent from the consumer (if 13-16) or from a parent or guardian (if under 13). Ignoring the consumer’s age is treated as knowing it.

Case example #1

A mobile app game company used third-party software that exposed players’ personal information, including that of minors aged 13 to 15. It did not allow adult consumers to opt out and did not obtain consent from minors.

Action taken by the company

Upon learning of the issue, the company took action by removing the problematic software and implementing better privacy measures for younger consumers. These measures include age verification and parental approval features.

CCPA rule enforced: Business obligation for third parties/service providers

A business that collects consumers’ personal information and sells it to, or shares it with, third parties or service providers must have agreements that ensure:

  • Personal information is used only for the specified purposes.
  • The third party or service provider adheres to the same privacy protection standards required by the contract.
  • The business verifies that the third party uses the personal information in accordance with the business’s obligations.
  • The third party or service provider informs the business if it can no longer meet its obligations.
  • Upon receiving such notice, the business has the right to take appropriate measures to stop and correct any unauthorized use of personal information.

Case example #1

A social media network’s contracts with service providers didn’t have clear rules against service providers storing, using, or disclosing consumers’ personal information for anything other than the services specified in the contract.

Action taken by the company

When they were informed about this issue, the company made changes to the contracts by adding specific sections related to CCPA.

CCPA rule enforced: Notice of Financial Incentive

Under the CCPA, any business that offers rewards in exchange for personal information must tell consumers about it in the form of a “Notice of Financial Incentive” (Section 1798.125(b)). This means that if a business offers a better price or service in return for personal information, it must give notice and get the consumer’s opt-in consent before collecting additional personal information.

The notice of financial incentive must include:

  • A summary of the rewards or price difference.
  • A clear description of the important terms of the program.
  • Separate information on how consumers can join the program.
  • The consumer’s right to leave the program anytime and how to do so.
  • An explanation of how the rewards are related to the value of the consumer’s information to the business.

Case example #1

Various businesses in retail, food and beverage, hospitality, and home improvement industries were found to have non-compliant loyalty programs. These programs offered incentives, such as discounts or reduced prices, in exchange for collecting consumers’ personal information without proper notice.

Action taken by the company

After being notified of the violations, the businesses made changes to fix them. They put clear notices about the rewards at the cash registers so that customers would see the terms before joining the loyalty program. Online, they directed consumers to the notice through a dedicated link.

The businesses also changed their enrollment process to get clear permission from consumers before collecting their information. This way, consumers could choose to leave the program whenever they wanted. They also updated their notices to include all the important details, like how consumer information would be used for sales and personalized marketing.

What are the fines and penalties for CCPA non-compliance?

If any business, service provider, contractor, or individual violates this law, they may face an administrative fine of:

  • Up to $2,500 for each unintentional violation.
  • Up to $7,500 for each intentional violation or violation involving the personal information of minors (under 16 years old).

In addition, consumers can seek damages of at least $100 and up to $750 per consumer per incident, or actual damages, whichever is greater. They can also request injunctive or any other relief the court deems necessary.

The court considers various factors when determining the amount of damages, including (but not limited to):

  • The nature and seriousness of the violation
  • The number of violations
  • The persistence of the misconduct
  • The length of time over which the violation occurred
  • The willfulness of the defendant’s violation
  • The accused party’s assets, liabilities, and net worth

Before suing a business for damages, the consumer must first notify the business in writing about the alleged violations. If the business addresses the issues and provides written confirmation of the remedy within the 30-day cure period, the consumer cannot claim damages. However, if the consumer is seeking damages only for monetary losses, this rule does not apply. If the business continues to violate the law after the written confirmation, the consumer can sue for each breach.

Additional reading: GDPR Fines and Penalties

Learnings from CCPA enforcement case examples

Even though the CPRA (the amended CCPA) is now in force, these enforcement case examples remain relevant, urging businesses to be aware of the best practices for respecting user privacy and adhering to privacy standards. They also serve as valuable lessons on how these companies took appropriate remedial action to protect consumers’ rights and privacy, thereby avoiding damaging fines.

Frequently asked questions on CCPA enforcement

Who enforces the CCPA?

The California Attorney General’s office primarily enforces the CCPA. The Attorney General’s office is responsible for overseeing and implementing the CCPA’s regulations and investigating complaints related to violations of the law.

The CPRA, the amended version of the CCPA, established a new agency, the California Privacy Protection Agency (CPPA), to implement and enforce the new law. It has “full administrative power, authority, and jurisdiction to implement and enforce” the CPRA, but the Attorney General retains CCPA enforcement powers.

How is CCPA enforced?

CCPA enforcement is carried out by the Attorney General’s office. The OAG investigates and audits companies suspected of violating the CCPA and, depending on the severity of the violation, issues notices or imposes penalties and fines.

Has anyone been fined by CCPA?

Yes. The French multinational personal care and beauty retailer Sephora received a $1.2 million fine for failing to: (a) inform consumers about their right to opt out, (b) offer adequate opt-out methods, and (c) respect the GPC signal, as required by the CCPA.