First passed into law in 2018, the California Consumer Privacy Act (CCPA) received its first major update in 2020 by way of the California Privacy Rights Act (CPRA), through which the California Privacy Protection Agency (CPPA) was established. Now, in 2024, the CPPA and California Attorney General (AGO) have swung into action with advisory and enforcement activity.
The CPPA began the year by launching a dedicated privacy website to educate consumers on the CCPA. The website includes information on consumer rights under the CCPA and how consumers can submit a complaint if their rights were violated. It also provides businesses with resources to understand their compliance obligations. Meanwhile, the AGO implemented an “investigative sweep” and sent letters to businesses with streaming apps and devices “alleging that they fail to comply with the [CCPA].” The purpose of the sweep was to identify potential violators of the CCPA and put others on notice that the AGO was committed to enforcing the statute.
In February, the California AGO reached a stipulated judgment with a food delivery platform regarding allegations that it sold personal information of customers without first providing notice or an opportunity to opt out. The platform was participating in a marketing cooperative, where it contributed personal information of its customers and in turn was permitted to advertise its products to other participants’ customers. The California AGO called its success “a wakeup call to businesses: The CCPA has been in effect for over four years now, and businesses must comply with this very important privacy law. Violations cannot be cured.” The platform agreed to pay a $375,000 civil penalty and to accept injunctive terms.
In April, the CPPA issued its first advisory opinion, encouraging entities collecting consumer data to minimize the information collected: “Data minimization is a foundational principle in the CCPA.” The CPPA discussed hypotheticals of the principle in action, such as how to minimize data collection in the process of fulfilling a consumer’s request to opt out of data collection and how to verify the identity of a consumer requesting their data be deleted.
Two months later, in June, the California AGO reached another stipulated judgment with a mobile video game company that collected and shared children’s data without parental consent. The company’s popular mobile game did not encourage children to correctly enter their age. Additionally, third-party software development kits were misconfigured and resulted in the collection and sale of minors’ data. The company was required to pay half a million dollars in civil penalties and agree to several injunctive terms. The California AGO noted that “[b]usinesses have a legal obligation to protect kids’ data and to comply with important state and federal privacy laws designed to protect children online.”
The CPPA released a second advisory opinion in September, cautioning businesses to avoid using “dark patterns,” that is, interfaces that interfere with or impair consumers’ autonomy, decision-making, or choice. The CPPA explained that businesses designing interfaces to obtain consumers’ consent should use language that is easy to understand and offer symmetrical choices. Importantly, the CPPA cautioned against interfaces that make it challenging to say “no,” contain long response pathways, or are time-consuming.
What’s Next?
While enforcement of the CCPA has been incremental, the California AGO and CPPA have made it clear that businesses processing personal data cannot remain complacent. We anticipate additional enforcement from the California AGO in 2025 and encourage businesses to stay attuned to CPPA guidance and alert to additional enforcement actions.
Additionally, entities must remain watchful for changes in the law. On November 8, 2024, the CPPA Board met and voted to adopt new data broker registration regulations and sought to advance rulemaking related to insurance, cybersecurity audits, risk assessments, automated decision-making technology, and more.
Among the changes contemplated, the Board approved a proposed rulemaking package that would implement requirements for businesses to complete annual cybersecurity audits, conduct risk assessments, and establish access rights and opt-out rights related to automated decision-making technologies. After approval by the Board, the proposed regulations now advance to a formal rulemaking process.
For additional assistance with the California CCPA and other privacy needs, consult with a Morgan Lewis lawyer today.