California Attorney General Rob Bonta keeps a running list of enforcement actions taken against companies that fail to comply with the California Consumer Privacy Act (CCPA).
In the state’s latest “investigative sweep,” Bonta sent letters to businesses with mobile apps that allegedly ignore consumer opt-out requests or sell users’ data, despite the CCPA, which, among other things, prohibits these kinds of personal information sale.
This year’s sweep, which focuses on retail, travel and food service apps, also targets businesses that haven’t processed consumer requests submitted by an authorized agent. One such authorized agent is the Consumer Report’s Permission Slip mobile app, which allows consumers to send requests to opt-out and delete their personal information. The CCPA requires businesses that receive one of these requests to scrub the submitter’s info from their systems and stop collecting it for future retention purposes.
Last year’s sweep netted a $1.2 million fine levied against global retailer Sephora. It also showed the Bonta defined “sale” of consumer data in broad terms, and was willing to aggressively prosecute companies that, in the state’s view, didn’t follow the rules.
This year Bonta has another tool at his disposal: the California Privacy Rights Act (CPRA), which essentially is an amendment to the CCPA that mandates companies not “share” folks’ personal information with third parties. CPRA became operational in January, and its enforcement will begin later this year.
“In California, consumers have the right to stop the sale of their personal information, and my office is working tirelessly to make sure that businesses recognize and process consumers’ opt-out requests,” Bonta said in a statement, adding that this year’s sweep focuses on mobile apps because of the “wide array of sensitive information that these apps can access from our phones and other mobile devices.”
The state has developed its own online tool that allows consumers to directly notify businesses that may have violated the CCPA.
“I urge the tech industry to innovate for good — including developing and adopting user-enabled global privacy controls for mobile operating systems that allow consumers to stop apps from selling their data,” Bonta continued.
Bonta’s office declined to answer The Register‘s questions about how many, and which, companies received letters alleging CCPA violations.
“The enforcement sweep announced last Friday sent notices to apps in the retail, travel, and food service industries that collect and store consumer personal information to investigate their compliance with CCPA sale requirements,” a spokesperson said. “Letters were sent to those we allege do not comply. Beyond that, to protect their integrity, we cannot comment on ongoing investigations.”
Does the sweep have teeth?
Forrester Research analyst Stephanie Liu told The Register she doesn’t expect to see “a flood CCPA-related fines in the near future, as companies will have a chance to bring their apps into compliance before they get slapped with a fine.”
But, she added, Bonta’s sweep has teeth.
“The CCPA is still a relatively young law, so we can’t predict how enforcement will play out, but I think we have enough evidence of how seriously the California OAG takes the CCPA to know this is not a mere publicity stunt,” Liu said.
And while the CCPA doesn’t have the nationwide reach that a federal data privacy law would have, Bonta’s enforcement actions do have an impact beyond the Golden State, according to Alan Butler, executive director and president of the Electronic Privacy Information Center (EPIC) .
“They set an example both for other states that are rolling out new privacy regimes and for federal enforcement by the Federal Trade Commission and other agencies,” Butler told The Register.
Plus, some companies may end up extending CCPA privacy protections to all of their customers, added EFF Senior Legislative Activist Hayley Tsukayama. “Many businesses have reexamined the data they keep in light of the CCPA for all customers,” Tsukayama told The Register.
In addition to California, Colorado, Connecticut, Utah, and Virginia have also passed their own privacy laws, and others have similar consumer protection rules on the books.
“One of the main challenges about the US’ state-by-state patchwork of privacy legislation is that it creates a huge compliance headache,” Liu said. “Some apps may allow opt-outs from all users, regardless of whether they’re Californians or not. Others may create a CCPA-specific opt out based on users’ location, possibly.”
Privacy advocates including EFF have highlighted the data security and privacy shortfalls of mobile apps, and despite lawsuits and regulatory agency threats, location data continues to be a cash cow for mobile app developers.
“The reality is many apps share users’ data widely, so hopefully the OAG’s announcement serves as a nudge for app owners,” Lui said. They “need to understand who they’re sharing data with and give Californians the right to opt out.” ®