On Aug. 24, California’s Attorney General announced a $1.2 million settlement with a powerhouse beauty retailer (Sephora) over violations of consumer opt-out rights under the California Consumer Privacy Act (CCPA). Specifically, the company was found to be using third-party marketing and advertising platforms for targeting activities, and users were not given an effective way to opt out of the collection of their data for those purposes.
Advertisers are waking up to the news asking:
“Wait, aren’t we doing that also?”
“Could we be at risk?”
The answer? Yes and yes.
Let’s review this news and what you should be doing now to avoid such headlines.
What was the violation?
Per the California Attorney General, the violation was centered around:
- Failure to disclose to consumers that they were selling their personal information.
- Failure to process user requests to opt out of the sale via user-enabled global privacy controls.
- Failure to cure these violations within the 30-day cure period following initial notification as currently allowed under the CCPA.
“Selling their personal information”—what does that mean in this context?
This means that a company is using third-party platforms (marketing and advertising technologies) to collect data while consumers shop on its digital properties. Those third-party platforms can build profiles of consumers from things like device type, brands of products viewed, products added to a “shopping cart”, and location data. Because the company benefits from these activities by being able to target potential customers more effectively, the Attorney General treated the exchange of data for that benefit as falling within the CCPA’s “selling” definition.
Ummmm, this sounds a lot like standard digital advertising… Are you saying we’re also “selling” consumers’ personal information?
If you are using any third-party platforms to monitor user behavior on your digital properties and to build audiences for targeting through those platforms, then yes, under the interpretation applied in this settlement you are “selling” consumers’ personal information as defined in the CCPA.
So, then what do we need to do?
The injunctive terms of the recent settlement are instructive here. You must:
- Clarify online disclosures and privacy policies to include an affirmative representation that you sell data;
- Provide mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control; and
- Conform your service provider agreements to the CCPA’s requirements.
It is also important to note that if you are the next to be served a notice, you will need to provide documentation of how you are addressing each of these points. And this covers only the “selling” activities; the CCPA has other requirements that you will want to make sure are addressed as the Attorney General ramps up further enforcement sweeps.
When you say “provide mechanisms for consumers to opt out,” what would those be?
The best place to start is with a Consent Management Platform (CMP). You will use it to manage the actual opt-out experience for users and to signal to the third-party technologies on your digital properties that the user has opted out of the sale of their personal information.
Once the mechanism that lets users express their opt-out wish is in place, you will then need to restrict third-party platform behavior accordingly. A company can take the blunt route of blocking third parties from loading and collecting any data once a user opts out, or it can take a more scalpel-like approach and restrict only the activities that are part of the “sale.” Here’s a guide that we put together for options with Google Analytics 4 as an example.
I saw something called “Global Privacy Control” was mentioned. What is this?
In the most recent round of draft regulations published by the California Privacy Protection Agency, the concept of “global opt-outs” took center stage. These are mechanisms, set at the browser or device level, that let a user indicate a global preference to opt out of things like the “sale” of their personal information. Essentially, a person turns the setting on once in their browser, and every website they visit then needs to honor that indication as an opt-out. Global Privacy Control (GPC) is one of the leading mechanisms users have for this: a browser with GPC enabled exposes the preference to page scripts and also sends it as a header on every request.
It is really important to make sure that whatever solution you use to listen for consumers’ privacy preferences, be that a CMP or a home-grown solution, can detect and respect these signals. A practical check is that the solution treats an incoming GPC signal as an opt-out even when the visitor has never interacted with your consent banner, and that a previously stored “accept” choice does not override it.
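The following is an added example written for this article, not code from the original post or from any CMP vendor. It shows the two places a site can read the Global Privacy Control signal (the `navigator.globalPrivacyControl` property in the browser and the `Sec-GPC: 1` request header on the server, both defined by the GPC specification) and turns an opt-out into a consent-mode update for third-party tags, following the “scalpel” approach above. The choice of consent keys to deny (`ad_storage`, `ad_user_data`, `ad_personalization`) as the “sale”-related activities, the injected `gtag` function, and all sample inputs are assumptions for illustration.

```javascript
// Added example: detect the Global Privacy Control (GPC) opt-out signal and
// restrict ad-related third-party behaviour accordingly. Spec facts relied on:
// the browser exposes navigator.globalPrivacyControl === true when GPC is on,
// and sends the request header "Sec-GPC: 1". The consent keys chosen, the
// injected gtag() and the sample inputs are assumptions for illustration.

// Server side: did this request carry the GPC header? Header names are
// case-insensitive, so normalise before comparing. The spec only defines the
// value "1"; anything else (including "0" or a missing header) is NOT an
// opt-out, but it is also not consent: it simply means no signal was sent.
function gpcFromRequestHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client side: did the browser expose the GPC flag? `nav` is passed in so the
// function runs outside a browser (pass `navigator` on a real page). Only a
// strict boolean true counts; a missing or non-boolean property is no signal.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Map the opt-out decision to consent-mode keys. ASSUMPTION: the ad_* keys
// are treated as the "sale"-related activities (the scalpel approach) while
// analytics_storage stays granted so first-party measurement continues.
// Whether that split satisfies your obligations is a question for counsel.
function consentStateForSignal(optedOut) {
  const adState = optedOut ? 'denied' : 'granted';
  return {
    ad_storage: adState,
    ad_user_data: adState,
    ad_personalization: adState,
    analytics_storage: 'granted',
  };
}

// Combine the stored CMP choice with both GPC sources and push the result to
// the tag container. Any opt-out wins: a stored "accept" must never override
// an incoming GPC signal. `gtag` is injected so the function is testable.
function applyPrivacySignals({ nav, headers, storedOptOut = false, gtag }) {
  const optedOut =
    storedOptOut === true || gpcFromNavigator(nav) || gpcFromRequestHeaders(headers);
  const state = consentStateForSignal(optedOut);
  if (typeof gtag === 'function') {
    gtag('consent', 'update', state);
  }
  return { optedOut, state };
}

// Stand-alone demo on constructed inputs (no browser required).
const demoCalls = [];
const demoResult = applyPrivacySignals({
  nav: { globalPrivacyControl: true }, // constructed: user has GPC enabled
  headers: { 'Sec-GPC': '1' },         // constructed: the matching request
  storedOptOut: false,                 // constructed: banner never clicked
  gtag: (...args) => demoCalls.push(args),
});
console.log(JSON.stringify(demoResult), 'gtag calls:', demoCalls.length);
```

On a live page you would call `applyPrivacySignals({ nav: navigator, storedOptOut: <your CMP's stored choice>, gtag })` before any tag that could share data with an ad platform fires; the header check is for the server-rendered path, where the signal arrives on the request rather than in the DOM.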
Makes sense, I think. You also mentioned a 30-day cure period in the case of a violation—this means I have some time even if California does send us a notice, right?
Unfortunately, the 30-day cure period expires on Jan. 1, 2023. After that date, if you are not properly respecting user opt-out requests, you will be at risk of an immediate violation. In the words of California Attorney General Rob Bonta, “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”
I’ll let you be the judge if you think the California Attorney General will be aggressive in this enforcement.
This seems like a lot. How am I supposed to handle this along with everything else I’m responsible for?
Fear not! Partners such as InfoTrust can help you understand what is required, as well as actions your organization should be taking now to properly implement technologies such as Google Analytics 4 and consent management platforms. We work with hundreds of global organizations to help them build privacy-centric data architectures that respect user privacy rights while still addressing core business use cases. From audits of your consent architecture, to configuration of third-parties on your website to respect user privacy preferences, to helping glean insights from the data that is compliantly collected, we can provide the knowledge and experience your team needs.
**Important – The information covered in this article is not intended to be legal advice or counsel. You should not act or refrain from acting on the basis of any content included in this article regarding legal compliance without obtaining appropriate legal guidance. The contents of this article contain general information related to various laws and regulations, but may not reflect your current situation. In addition, applicable laws and regulations regularly change. This is particularly true with respect to data privacy laws and regulations. Therefore, any laws and regulations described or otherwise referenced in this article may not be current when you read the article or even at the time of publication. We disclaim all liability for actions you take or fail to take based on anything in this article. Any action you take or any action you refrain from taking based on the information in this article is entirely at your own discretion and risk.**