California Privacy Law Nears Effective Date; Businesses Risk Million Dollar Penalties

The Consumer Privacy Rights Act (CPRA), which amended the California Consumer Privacy Act (CCPA), becomes fully effective on January 1, 2023. Businesses should review the new law and recent enforcement actions before the law takes effect. The CPRA imposes additional compliance obligations on businesses and eliminates the 30-day cure period businesses are currently allowed to resolve alleged CCPA violations after notice from California’s attorney general.

As amended, the CCPA applies to for-profit businesses that do business in California and that meet any of the following: (i) have more than $25 million in gross annual revenue for the preceding year; (ii) buy, receive, or sell the personal information (PI) – broadly defined – of 100,000 or more California consumers or households; or (iii) derive 50% or more of their annual revenue from selling or sharing California residents' personal information.

In a press release announcing a settlement with beauty retailer Sephora USA, Inc., California’s attorney general warned that “businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses.”

The Sephora settlement resolved the company’s alleged CCPA violations, which were the first to result in a monetary penalty. Sephora was fined $1.2 million for alleged failures to (i) disclose to consumers that the company was selling their personal information; (ii) process user requests to opt out of the sale of their personal information via user-enabled global privacy controls; and (iii) cure these violations upon notice within the currently allowed 30-day period.

The CCPA requires businesses to honor consumers’ requests to opt out of “selling” the consumers’ personal information to third parties unless the third party is classified as a “service provider” or “contractor.” Businesses must post an active “Do Not Sell My Personal Information” icon on their website’s homepage. “Selling” is defined broadly under the CCPA and in practice means “disclosing,” not merely the traditional transfer of personal information for monetary consideration.

The attorney general argued that Sephora failed to honor consumers’ “Do Not Sell” requests made via user-enabled global privacy controls in the same manner as requests made by users who clicked the “Do Not Sell My Personal Information” icon. Global privacy controls allow consumers to opt out of ALL online sales of their personal information: the consumer’s browser broadcasts a “do not sell” signal to every website visited, so the consumer does not have to click an opt-out icon on each site. When a consumer opts out of sharing personal information via the global privacy control, the flow of data to third-party advertising companies and analytics providers should cease, unless those companies qualify as “service providers” or “contractors.” There are numerous regulatory requirements to qualify as a service provider or contractor.
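The decision logic described above, as an added illustration that is not part of the original article or of any company’s actual implementation: a server-side check that treats the browser’s Global Privacy Control signal exactly like a click on the “Do Not Sell” icon, and then lets data flow only to recipients the business has classified as service providers or contractors. It assumes the GPC signal arrives as the `Sec-GPC: 1` request header defined by the GPC specification (the article itself does not name the header), and the recipient list and roles are constructed sample data.

```python
# Roles the business has assigned to each downstream recipient of consumer data.
# Only "service_provider" and "contractor" fall outside the CCPA's definition of a
# "sale"/"share"; everything else is a third party. Constructed sample data.
RECIPIENT_ROLES = {
    "analytics.example": "service_provider",
    "adnet.example": "third_party",
    "dmp.example": "third_party",
}
EXEMPT_ROLES = {"service_provider", "contractor"}


def gpc_signal_present(headers):
    """True if the request carries the Global Privacy Control header.

    Per the GPC specification the browser sends 'Sec-GPC: 1'. HTTP header names
    are case-insensitive, so compare them lower-cased. Assumption: headers is a
    plain dict of request header names to values.
    """
    normalized = {k.lower(): v for k, v in headers.items()}
    return normalized.get("sec-gpc", "").strip() == "1"


def opted_out(headers, clicked_opt_out):
    """A consumer is opted out if EITHER path was used.

    clicked_opt_out is the stored result of the consumer clicking the
    'Do Not Sell My Personal Information' icon. The GPC signal must be honored
    in the same manner, which is the gap the attorney general alleged.
    """
    return bool(clicked_opt_out) or gpc_signal_present(headers)


def permitted_recipients(headers, clicked_opt_out, recipients):
    """Return the recipients that may still receive this consumer's PI.

    With no opt-out in effect every recipient is allowed. Once opted out, only
    recipients classified as service providers or contractors remain; unknown
    recipients are treated as third parties and dropped.
    """
    if not opted_out(headers, clicked_opt_out):
        return list(recipients)
    return [r for r in recipients if RECIPIENT_ROLES.get(r) in EXEMPT_ROLES]
```

The same gate must sit in front of every outbound data flow (tag managers, pixels, server-side forwarding), not only the page that hosts the opt-out icon.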

Other examples of CCPA notice violations issued by California’s attorney general include:

  • Businesses operating loyalty programs that offer financial incentives (such as discounts, free items, or other rewards) in exchange for personal information without providing consumers with a notice of financial incentive;

  • Online businesses with privacy disclosures that were not understandable to the average consumer and did not include required information; and

  • A business whose “Do Not Sell My Personal Information” icon only worked with certain browsers and directed consumers to a confusing webpage with additional steps to submit “do not sell” or “do not share” requests.

If you have questions about how to comply with the CCPA, please contact an attorney in our Privacy, Data Protection, and Cybersecurity practice group.