The More You Know

California AG Provides Additional Information on Focus of Recent CCPA Notices of Non-compliance

If “knowledge is power,” companies subject to the California Consumer Privacy Act (CPPA) may be interested in some recent comments from Xavier Becerra, California’s Attorney General (AG), regarding his office’s enforcement focus. The more you know about their focus, the more you can do to ensure that your company’s CCPA compliance program remains outside of their focus.

On July 1, 2020, the Office of the California Attorney General (OAG) began sending notices of noncompliance to companies. An attorney from the OAG previously indicated that notices were sent to companies with online operations and that consumer complaints weighed heavily in their decision to target certain companies.

On September 23, 2020, Attorney General Becerra testified in a hearing before the U.S. Senate Committee on Commerce, Science, and Transportation on “Revisiting the Need for Data Privacy Legislation.” In his testimony, Attorney General Becerra provided additional insights on his office’s targets in the initial notices of noncompliance, as follows:

Starting July 1, 2020, we began issuing notices to cure to companies with non-compliant privacy policies or missing “Do Not Sell My Personal Information” links. We are verifying that service provider contracts specify limitations on the use personal information. We continue to conduct investigative sweeps and review consumer complaints. Overwhelmingly, we have seen substantial compliance.

There is no indication that the OAG plans to stop sending notices of noncompliance to companies as long as they retain enforcement authority under the CCPA. Based on Attorney General Becerra’s recent comments, it may be prudent to ensure that your company’s privacy policies, data sales practices, and service provider contracts will pass OAG scrutiny.

Privacy Policies and Data Sales Practices

Problem

A company’s privacy policies must match its privacy practices and include the specific disclosures required under the CCPA, including content addressing whether a company sells the personal information (PI) of California consumers. Three problems can arise in the intersection of CCPA privacy policies and data sales:

1. If a company sells PI, the company’s privacy policy must disclose this practice. If this disclosure is missing, the company has a problem.
2. If a company’s privacy policy includes this disclosure, but the company is not providing these same consumers with the right to opt-out of the sale of their PI, the company has a problem.
3. If a company does not sell the PI of California consumers, but this is not disclosed in the company’s privacy policy, the company has a problem.

Solution

Companies should ensure that there is no disconnect between their business practices and their California privacy policies. A company must disclose if it is selling PI or not selling PI and if the company is selling PI, the company must provide additional disclosures.

If a company sells the PI of California consumers, a clear and conspicuous link, titled “Do Not Sell My Personal Information,” must be provided on the company’s Internet homepage. This link must take the consumer to a page that enables the consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s PI. In addition, a description of a consumer’s opt-out rights, along with a separate link to the “Do Not Sell My Personal Information” page, must be provided in the following locations:

1. Any online privacy policy or policies, if the company has an online privacy policy or policies; and
2. Any California-specific description of consumers’ privacy rights.

A company is not required to comply with the disclosure requirements above by including the required links and text on its homepage made available to the public generally, if the company:

1. Maintains a separate and additional homepage that is dedicated to California consumers and that homepage includes the required links and text; and
2. Takes reasonable steps to ensure that California consumers are directed to the homepage for California consumers and not to the homepage made available to the public generally.

If a company does not sell the PI of California consumers and has not sold such PI in the preceding 12 months, the company must disclose this fact in the following locations:

1. Any online privacy policy or policies; and
2. Any California-specific description of consumers’ rights; or
3. One the company’s website, if the company does not maintain an online policy or policies.

Service Provider Contracts

Problem

Companies must understand their data sharing practices. If companies are exchanging the PI of California consumers with service providers, companies must ensure that appropriate contracts are in place that include the specific provisions required under the CCPA. The CCPA defines a “service provider” as a person to whom a company discloses a consumer’s PI for a business purpose pursuant to a written contract, provided that the contract includes the following provisions:

1. Prohibits the person receiving the PI from (a) selling the PI, (b) retaining, using, or disclosing the PI for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the PI for a commercial purpose other than providing the services specified in the contract; and (c) retaining, using, or disclosing the PI outside of the direct business relationship between the person and the business; and
2. Includes a certification made by the person receiving the PI that the person understands the restrictions above and will comply with these restrictions.

The CCPA does not include template language for this purpose so companies are left with some discretion in drafting these provisions in their contracts with service providers.

The CCPA defines “third parties” in the negative. A third party does not collect PI directly from consumers or receive PI from a business for a business purpose pursuant to a written contract as described above. Instead, third parties are entities to which a company sells, or otherwise discloses, PI for monetary or other valuable consideration.

If a company is exchanging consumer information with another entity that it believes is a “service provider,” but there is no contract in place between the parties or the contract does not include the specific provisions required under the CCPA, the company has a problem. Poor contract drafting practices can inadvertently convert the transfer of consumer PI from a company to another entity into a data sale.

Solution

Raymond Evershed, 1st Baron Evershed, PC, a British judge who served as Master of the Rolls from 1949 to 1962 and later became a Law Lord, once said “This contract is so one-sided that I am astonished to find it written on both sides of the paper.” The CCPA also assumes that contracts must be one-sided in favor of the consumer. If a company is exchanging PI with service providers, the company should ensure that its contracts with those services providers include the specific provisions required under the CCPA.

Next Steps

The OAG has put companies on notice that it intends to enforce the CCPA. Companies are also now on notice that the focus of the OAG’s initial enforcement efforts has been on consumer complaints, privacy notices, data sales practices, and service provider contracts. The OAG’s focus can change, particularly now that they can also enforce the CCPA regulations released on August 14, 2020. The California Privacy Rights and Enforcement Act, a ballot initiative amending the CCPA, would also add a curve ball if passed California voters on November 3, 2020 by transferring enforcement from the OAG to a new state privacy agency.

The future will always bring changes. The more you know now about the OAG’s current enforcement focus, the more you can do now to ensure that your company’s CCPA compliance program is in “substantial compliance” with these current statutory and regulatory requirements. The more you can do now to move all pages of your CCPA compliance program to “substantial compliance,” the less likely your company will be included in broader investigative sweeps by the OAG in the future.