Getty Images/iStockphoto
10 CCPA enforcement cases from the law's first year
It's been more than a year since CCPA enforcement began, and organizations started hearing from the California attorney general. Explore 10 early cases of alleged noncompliance.
What do a car dealership, a grocery store chain, an online dating platform and a pet adoption agency have in common? All were early targets of California Consumer Privacy Act enforcement, according to California Attorney General Rob Bonta.
While CCPA became law in January 2020, enforcement didn't begin until that July. If a business receives a notice of alleged noncompliance, it has 30 days to rectify the issue without facing financial penalties. Of all organizations notified in the first year of enforcement, 75% promptly took steps to comply with CCPA, Bonta said in an official statement. The remaining 25% included some businesses still within their 30-day "cure" windows, as well as others under active investigation.
The first year of CCPA enforcement marks another stage in the evolution of data privacy in the U.S., with businesses getting serious about compliance or facing real consequences. "Things are changing, and it's a good evolution, I think," said Christophe Bertrand, analyst at Enterprise Strategy Group (ESG), a division of TechTarget. "But it's also creating many complexities for data and security management from an IT standpoint."
Research suggests organizations are well aware of the challenges they face. In May 2021, just 62% of enterprise leaders described themselves as knowledgeable or very knowledgeable about CCPA as it pertains to their businesses, according to an independent survey Golfdale Consulting conducted on behalf of privacy consultancy TrustArc.
What is CCPA?
CCPA establishes California consumers' right to control their personally identifiable information. "The philosophy behind it is that your individual rights -- your human rights, if you will -- extend to your data," Bertrand said. Then-Gov. Jerry Brown signed the bill into law in 2018, and it took effect on Jan. 1, 2020. CCPA enforcement began seven months later.
Under CCPA, California residents have the right to do the following:
- access their personal information;
- know what personal information businesses collect, keep, sell and share;
- prevent the sale of their personal information; and
- request that businesses delete their personal information.
Additionally, businesses cannot legally discriminate against consumers that choose to exercise the above rights by denying them service or charging them higher fees.
The only organizations subject to CCPA are for-profit companies doing business in California that collect consumers' personal data and do the following:
- reach annual gross revenues of at least $25 million;
- buy, sell, receive or share personal information from more than 50,000 individuals, households or devices for commercial purposes; or
- get at least half of their annual revenues from selling personal information.
It's important to note that CCPA may apply to any business with customers or clients living in California, which means the law's reach extends across the country, as well as Europe and the United Kingdom. As of 2021, California boasts the fifth largest economy in the world, with a growth rate that only China tops.
The first year of CCPA enforcement
Few, if any, observers thought businesses were largely prepared to meet CCPA requirements by mid-2020. In May of that year -- five months after the privacy law went into effect and just two months before CCPA enforcement began -- Golfdale Consulting found more than half of companies had not even begun implementing their compliance plans. Twenty-nine percent were still in the preliminary planning stage, and nearly one in 10 had not started.
Carla RoncatoAnalyst, Enterprise Strategy Group
Encouragingly, however, ESG analyst Carla Roncato said her more recent research suggested enterprise data privacy and compliance programs are healthy overall. "Privacy is mature and mainstream," she said, adding that large and midmarket companies of all kinds, across sectors, have maturity, competence and confidence in this area. "There isn't a segment of the business landscape that is struggling with compliance more than others."
But California's new regulations seem to have thrown at least some organizations curveballs. A number of companies have already faced CCPA-related civil lawsuits, while many others received alleged noncompliance notifications during the first year of enforcement. According to the attorney general's office, the latter group includes the following 10 unnamed businesses:
- Car dealership. The company collected information from consumers who test drove vehicles without notifying them accordingly, and its privacy policy did not include necessary information about CCPA rights. It also failed to provide consumers with a toll-free number for CCPA requests, and it directed consumers to a nonfunctional online CCPA request portal.
- Children's toy distributor. The business's privacy policy failed to provide consumers with notice of their CCPA rights and information on how to exercise them. It also claimed it could charge consumers fees for processing their CCPA requests, which is a violation of the law.
- Clothing retailer. Its privacy policy did not include a CCPA rights description or tell consumers how to submit CCPA requests. It also failed to state whether it had sold or transferred personal information for business purposes in the past year.
- Grocery store chain. The company collected the information of consumers participating in its customer loyalty program. It failed to provide them with the required "Notice of Financial Incentive," however, which makes clear that the business offers participation in the program in exchange for personal data.
- Mass media and entertainment conglomerate. The organization failed to provide consumers with a way to opt out of the sale of their personal information. Additionally, several of its websites lacked the required "Do not sell my personal information" links.
- Mobile app game. The company installed advertising software that relayed both adults' and minors' personal information to a third-party business. It failed, however, to ask its 13-, 14- and 15-year-old players for explicit permission to sell their personal information -- known as an opt-in request -- as required under CCPA. It also failed to provide adults with a way to opt out of the sale of their personal information.
- Online dating company. The platform failed to have a "Do not sell my personal information" link on its homepage and sold consumer data without properly disclosing that fact in its privacy policy.
- Pet adoption agency. The organization illegally required notarized verification for some CCPA requests. It also failed to clearly disclose the sale of personal data in consumer-friendly language.
- Social media company. The company collected personal information about users' online activity and shared it with third-party businesses, without appropriately notifying the consumers.
- Video game distributor. Its privacy policy inaccurately instructed consumers on how to exercise their CCPA rights.
All of the above businesses reportedly took steps to achieve CCPA compliance within the 30-day statutory cure period, and the attorney general has not announced any fines to date. Under the law, civil penalties can run as high as $7,500 per CCPA violation.
Other drivers of CCPA compliance
Roncato noted that the threat of financial penalties isn't the only, or even the primary, factor motivating companies to achieve and maintain compliance with privacy laws such as CCPA. In a 2021 survey, ESG asked 300 business and technology professionals in North America what concerns them most about noncompliance with government privacy regulations. The results were as follows:
- 17% -- legal action;
- 16% -- the cost of recovery;
- 15% -- fines and penalties;
- 13% -- decreased productivity and other internal problems;
- 13% -- impact on public perception and reputation;
- 12% -- loss of business revenue and sales; and
- 8% -- loss of accreditation or certifications.
"Really, it's the whole rainbow," Roncato said. "No single concern stands out, which suggests it's a combination of factors."
The responses show roughly equal levels of concern about possible operational, reputational and legal fallout, Bertrand added, which he took as a good sign. "It tells you people have a clear understanding that this is a business issue that goes far beyond technology," he said.
What's next?
A new, more aggressive iteration of CCPA, the California Privacy Rights Act (CPRA), will take effect in 2023. Experts say, where California goes, the country may soon follow. Colorado, Maine, Nevada and Virginia have already signed consumer privacy protection acts into law, and lawmakers in a number of other states have proposed similar bills.
The only problem? "The laws don't align," Gartner analyst Nader Henein said. Some have slightly different breach disclosure rules or varying restrictions around selling the information of minors, for example. For companies doing business in all 50 states, that could get complicated. "It's not pleasant," Henein added.
It's possible the U.S. government could pass a national consumer privacy protection law that would supersede CCPA, CPRA and other state-level legislation. Otherwise, companies may have to contend with a patchwork quilt of overlapping but inconsistent requirements. "The worst-case scenario, which we seem to be heading towards, is multiple laws for privacy per state," Henein said.
In the months and years ahead, companies can also expect increasingly large financial penalties for noncompliance with consumer protection laws, Roncato added. She cited the Canadian Consumer Privacy Protection Act as an example, which puts businesses on the hook for up to 5% of their annual revenue for violations. In the U.S. as well, "those fines are going to become very hefty," Roncato predicted. "They start with that initial legislation such as CCPA, and then they back it more heavily with penalties."
Once CPRA goes into effect in 2023, for example, each violation of a minor's data privacy rights will carry an automatic $7,500 fine -- triple what it currently is under CCPA.