In a nod to Data Privacy Day, California Attorney General Rob Bonta recently announced an “investigative sweep” directed primarily at ensuring that businesses can accept and timely process consumer opt-out requests. Although not limited in scope, the attorney general noted an emphasis on retail, travel, and food services businesses in this wave of enforcement.
Since 2020, the California Consumer Privacy Act (CCPA) has given California residents the right to opt out of the sale of their personal information. Covered businesses are required to provide consumers with a straightforward way to exercise this right, and they must process the opt-out requests within 15 business days.
The California Office of the Attorney General (AG) chose to focus on this right and sent letters to many businesses alleging violations of the CCPA. The AG is focusing specifically on (1) mobile applications that do not have the required mechanism in place to allow consumers to opt out of the sale of their personal information, and (2) businesses that received consumer opt-out requests and may not have processed them within the required timeframe.
One important player in this sweep is Permission Slip, a recently launched service created by Consumer Reports that acts as an authorized agent under the CCPA and submits consumer opt-out requests directly to multiple businesses at the same time. Permission Slip appears to have been in communication with the AG, sharing data about the number of opt-out requests it has sent to companies that may have gone unanswered. The AG has made this data the basis for at least some of the recent actions.
The enforcement letters sent to businesses seek additional information and data on business practices, point to the significant consequences of noncompliance with the CCPA, and note that the requirement to provide notice and a cure period expired effective January 1, 2023.
Also effective January 1, 2023: the new amendments to the CCPA, by way of the California Privacy Rights Act. In addition to the right to opt out of the sale of personal information, consumers have two new, similar rights:
As with the existing right to opt out of the sale of personal information, businesses must present consumers with a straightforward way to submit these requests, and they must also be processed within 15 business days.
Now more than ever, it is critical that covered businesses in California have an efficient and functioning system for receiving and processing opt-out requests. In the wake of recent settlements of claims by the AG resolving allegations that companies failed to process CCPA opt-out requests, this investigative sweep demonstrates that the AG intends to actively enforce the landmark privacy law.
If you have received a letter from the California AG alleging violations of the CCPA, we can assist in preparing a response.
Even if your business did not receive a letter in this sweep, this is a good opportunity to review your procedures to ensure that opt-out requests are readily available and being timely processed.
For more information on complying with consumer privacy laws in California and Virginia, as well as upcoming requirements in Colorado, Connecticut, and Utah, please contact our privacy and cybersecurity team.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following: