Home Privacy California AG Issues CCPA Warning To Mobile Apps

California AG Issues CCPA Warning To Mobile Apps

SHARE:
a warning letter
Alert message laptop notification. Danger error alerts, laptop virus problem or insecure messaging spam problems notifications. Vector illustration.

If you didn’t celebrate Data Privacy Day this year, the California attorney general did for you.

Attorney General Rob Bonta sent a series of warning letters on Friday to an undisclosed group of businesses with mobile apps over alleged violations of the California Consumer Privacy Act (CCPA).

Bonta alleged the businesses either did not honor consumer opt-out requests or did not offer a mechanism for consumers to opt out of having their data sold, which are requirements under CCPA and under the newly enacted California Privacy Rights Act (CPRA), an extension of the CCPA.

“Respect my authoritah”

The warning letters are the fruit of an investigative sweep of popular mobile apps in the retail, travel and food service industries, with a particular focus on apps that neglected to process consumer requests submitted through an authorized agent, such as Permission Slip.

The AG specifically refers to Permission Slip, which is an app developed by Consumer Reports to make it easier for consumers to exercise their CCPA rights. Under the CCPA, consumers are allowed to submit data subject requests through authorized agents acting on their behalf.

Although it makes sense for the AG to highlight the importance of allowing authorized agents to submit requests, it’s very unusual to name-check an individual authorized agent, said Gary Kibel, a partner with law firm Davis+Gilbert.

“I did find it a bit unique to identify a specific industry,” Kibel said, “but very unique to identify a specific authorized agent.”

So, what’s the takeaway?

Businesses need to be extra careful about honoring all CCPA data requests they get from designated third parties.

Mobile apps, in particular, need to be even more vigilant because the AG’s sweep concentrated on mobile app compliance for a reason.

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

There is a “wide array of sensitive information that these apps can access from our phones and other mobile devices,” Bonta said in a statement. “I urge the tech industry to innovate for good — including developing and adopting user-enabled global privacy controls for mobile operating systems that allow consumers to stop apps from selling their data.”

An ounce of prevention

But there’s another noteworthy takeaway here, which is that we’re rapidly nearing the end of a six-month compliance grace period for CPRA enforcement.

Although CPRA went into effect on January 1 and technically eliminates the 30-day cure period for violations under CCPA, the law won’t actually be enforced until July 1.

“These warning letters are being sent out subject to the obligations in the old CCPA,” said Daniel Goldberg, partner at Frankfurt Kurnit Klein & Selz and chair of the firm’s privacy and data security group. “Any violations under CCPA still have the required 30-day notice window.”

But warning letters could soon become a thing of the past.

Starting in July, companies will only be given an opportunity to rectify errors or complaints at the discretion of the California Privacy Protection Agency, which was created under CPRA for privacy enforcement.

In the meantime, the consensus is to expect enforcement – and lawsuits – to ramp up this year.

For instance, the CPRA extends the CCPA’s private right of action by adding to the categories of personal information that could trigger a data breach lawsuit, including if a bad actor is able to log into an individual’s account using stolen info, such as an email address together with a security question and answer or a password.

And the AG’s office has already demonstrated an appetite to enforce CCPA.

Bonta sued Sephora for failing to tell consumers it shared personal information collected from its website with third parties and for neglecting to process opt-out requests through user-enabled privacy controls, including the Global Privacy Control.

Sephora settled that case in late August for $1.2 million.

Must Read

LG Electronics

Alphonso Shareholders Win Their Suit Against LG Electronics Over Corporate Board Drama

After being summarily booted from the board of LG Ads in late 2022, Alphonso’s founding team has won its lawsuit against LG Electronics.

Bye-Bye Sizmek! Amazon Advances Flashtalking And Smartly As Alternatives In Advance Of The Shutdown

According to emails seen by AdExchanger that were sent to Amazon customers this week, Amazon is officially naming integration partners to offload clients of the Sizmek ad suite, now the Amazon Ad Server.

2024 Promises More Premium Inventory – And Bigger Budgets – For In-Game Ads

Given the deprecation of third-party cookies and the reemergence of contextual targeting, 2024 could be a big year for in-game ads – so long as game publishers position themselves as a source of premium inventory.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

AdExchanger’s Top 3 Connected TV Newsletter Issues Of 2023

This was such a busy year in CTV land that we had to launch a dedicated newsletter just to keep up with all the trends, from measurement, currency, targeting and attribution to streaming data, identity, supply-path optimization and new ad formats – just to name a few.

M&A 2023: Ad Tech Deals Were Muted, But That Could Be A Mark Of Maturity

Who got bought in 2023, and who did the buying? Here’s a non-exhaustive list of some of the most notable ad tech M&A activity from this past year (with a few media and agency deals tossed in for good measure).

Comic: The Great Data Lakes

Snowflake Acquires Data Clean Room Startup Samooha

Snowflake has acquired Samooha, a startup that develops software to make clean room technology accessible to marketers who aren’t necessarily SQL wizards or data scientists.