If you didn’t celebrate Data Privacy Day this year, the California attorney general did for you.
Attorney General Rob Bonta sent a series of warning letters on Friday to an undisclosed group of businesses with mobile apps over alleged violations of the California Consumer Privacy Act (CCPA).
Bonta alleged the businesses either did not honor consumer opt-out requests or did not offer a mechanism for consumers to opt out of having their data sold, which are requirements under CCPA and under the newly enacted California Privacy Rights Act (CPRA), an extension of the CCPA.
“Respect my authoritah”
The warning letters are the fruit of an investigative sweep of popular mobile apps in the retail, travel and food service industries, with a particular focus on apps that neglected to process consumer requests submitted through an authorized agent, such as Permission Slip.
The AG specifically refers to Permission Slip, which is an app developed by Consumer Reports to make it easier for consumers to exercise their CCPA rights. Under the CCPA, consumers are allowed to submit data subject requests through authorized agents acting on their behalf.
Although it makes sense for the AG to highlight the importance of allowing authorized agents to submit requests, it’s very unusual to name-check an individual authorized agent, said Gary Kibel, a partner with law firm Davis+Gilbert.
“I did find it a bit unique to identify a specific industry,” Kibel said, “but very unique to identify a specific authorized agent.”
So, what’s the takeaway?
Businesses need to be extra careful about honoring all CCPA data requests they get from designated third parties.
Mobile apps, in particular, need to be even more vigilant because the AG’s sweep concentrated on mobile app compliance for a reason.
There is a “wide array of sensitive information that these apps can access from our phones and other mobile devices,” Bonta said in a statement. “I urge the tech industry to innovate for good — including developing and adopting user-enabled global privacy controls for mobile operating systems that allow consumers to stop apps from selling their data.”
An ounce of prevention
But there’s another noteworthy takeaway here, which is that we’re rapidly nearing the end of a six-month compliance grace period for CPRA enforcement.
Although CPRA went into effect on January 1 and technically eliminates the 30-day cure period for violations under CCPA, the law won’t actually be enforced until July 1.
“These warning letters are being sent out subject to the obligations in the old CCPA,” said Daniel Goldberg, partner at Frankfurt Kurnit Klein & Selz and chair of the firm’s privacy and data security group. “Any violations under CCPA still have the required 30-day notice window.”
But warning letters could soon become a thing of the past.
Starting in July, companies will only be given an opportunity to rectify errors or complaints at the discretion of the California Privacy Protection Agency, which was created under CPRA for privacy enforcement.
In the meantime, the consensus is to expect enforcement – and lawsuits – to ramp up this year.
For instance, the CPRA extends the CCPA’s private right of action by adding to the categories of personal information that could trigger a data breach lawsuit, including if a bad actor is able to log into an individual’s account using stolen info, such as an email address together with a security question and answer or a password.
And the AG’s office has already demonstrated an appetite to enforce CCPA.
Bonta sued Sephora for failing to tell consumers it shared personal information collected from its website with third parties and for neglecting to process opt-out requests through user-enabled privacy controls, including the Global Privacy Control.
Sephora settled that case in late August for $1.2 million.
