Enforcement of The California Consumer Privacy Act Via Letters Noticing Noncompliant Loyalty Programs and Online Tool for Consumers to Notify Businesses of Potential Violations
Client Alert | 3 min read | 02.09.22
The California Consumer Privacy Act (“CCPA”), which went into full effect on January 1, 2020, has seen robust enforcement efforts by the office of the California Department of Justice. In late January, California Attorney General Rob Bonta announced an investigative sweep of businesses operating loyalty programs in California and sent notices alleging noncompliance with the CCPA to major corporations in the retail, home improvement, travel, and food services industries. In addition, Attorney General Bonta has encouraged consumers to know and express their privacy rights through an online platform that allows them to directly notify businesses of potential violations.
The CCPA provides California consumers with certain privacy rights and provides businesses with 30-day statutory periods to cure deficiencies that violate the law. Some of these privacy rights include:
- The right to know about the personal information a business collects about the consumer and how it is used and shared;
- The right to delete personal information collected from consumers (with some exceptions);
- The right to opt out of the sale of a consumer’s personal information; and
- The right to non-discrimination for exercising a consumer’s CCPA rights.
Under the CCPA, businesses that offer financial incentives, such as discounts, free items, or other rewards, in exchange for personal information must provide consumers with a notice of financial incentive. Loyalty programs often qualify as financial incentives and thus must include a notice that clearly describes the material terms of the financial incentive program to the consumer before they opt into the program.
In the last year, the California Attorney General has issued notices to cure to various businesses, including data brokers, marketing companies, businesses handling children’s information, media outlets, and online retailers. According to the California Attorney General, upon receiving a notice of alleged violation in the summer of 2021, 75% of businesses acted to come into compliance within the 30-day statutory cure period. The remaining 25% of businesses that received a notice of alleged violations were either within the 30-day cure period or were under active investigation.
In order to empower consumers to exercise their privacy rights, the California Attorney General launched an online tool that allows consumers to directly notify businesses of potential violations. The easy-to-use forms help consumers draft notices of noncompliance to send to businesses that may be violating the CCPA. The tool is currently limited to notices regarding businesses that do not have a readily noticeable “Do not Sell my Personal Information” link on their website. The website also notes that it will be expanded to include other potential CCPA violations.
Despite the robust enforcement actions already taken by the California Attorney General, Attorney General Bonta has made clear that “there’s more work to be done” to enforce the CCPA and has urged “all businesses in California to take note and be transparent about how [they’re] using [their] customer’s data.” He also explicitly empowered consumers to exercise the rights provided to them under the CCPA.
Attorney General Bonta’s actions signal continued enforcement of the CCPA. We anticipate other states with similar statutory privacy protections will follow suit in the near future. Crowell & Moring LLP’s State Attorney General Practice will continue to monitor developments in this area.