A new list from the Attorney General’s office that shows enforcement actions brought under the California Consumer Privacy Act (CCPA) is raising questions about what opt-out measures may trigger notices from the state other than what’s specified in the statute.
In one enforcement example, an electronics company received a notice of non-compliance for not processing an opt-out request sent by GPC, now included in the Attorney General’s FAQs about the CCPA.
“After being notified of alleged noncompliance, the company worked with its privacy vendor to effectuate consumer opt-out requests and avoid sharing personal information with third parties under conditions that amounted to a sale in violation of the CCPA,” the list announcement states.
The release date for the list was July 19, and it includes two dozen other examples of violations since CCPA enforcement started on July 1. 2020.
A list compiled by Perkins Coie shows a breakdown of CCPA-related lawsuits. A number of class actions have been filed under the CCPA, the New York Law Journal reported.
"CJAC is particularly concerned about a regulation that the Attorney General’s office is enforcing under California Consumer Privacy Act (CCPA) that is in direct conflict with the CCPA statute,” Kyla Christoffersen Powell, president and CEO of the Civil Justice Association of California (CJAC) told the Northern California Record by email.
“Specifically, the AG’s office is requiring businesses to treat Global Privacy Control (GPCs) settings as opt-outs from the sale of data under CCPA and recently reiterated the mandate in its FAQs on its website. But neither the CCPA statute nor the California Privacy Rights Act (CPRA) require it – setting up a clear contradiction,” Powell said. “Additionally, GPCs such as browser or device settings are not reliable indicators of consumer choice for interactions with individual businesses, such as participation in rewards and loyalty programs.”
Businesses have found compliance with CCPA and the coming California Privacy Rights Act (CPRA) to be extremely complicated and burdensome, Powell said.
“To pile on a mandate that the statute doesn’t even require demonstrates a disappointing disregard for challenges businesses are facing, especially with the ongoing pandemic and economic downturn,” Powell said. “The Office of the Attorney General should clarify in the regulation and the FAQ that honoring GPCs is optional, in line with the law."