California AG Announces Investigative Sweep of Mobile Apps for CCPA Compliance

In a press release dated January 27, 2023, California Attorney General (“California AG”) Rob Bonta announced an investigative sweep focused on the compliance of mobile applications with the California Consumer Privacy Act (CCPA), in particular with respect to the effective processing of opt-out requests. Attorney General Bonta noted that his office “is working tirelessly to ensure that businesses recognize and process consumer opt-out requests,” reaffirming the office’s commitment to compliance with the opt-out provisions of the CCPA. To date, the California AG has sent letters of inquiry to companies in the retail, travel, and food service industries that monitor mobile apps that are alleged to have failed to comply with the CCPA.

This press release from the office of the California AG comes at a time when the CCPA has recently been amended (and expanded) by the California Privacy Rights Act (CPRA) and when the California AG shares concurrent enforcement authority over the new law with the newly formed California Privacy Protection Agency (CPPA). The CPPA has been in the process of developing and finalizing the rules for the CPRA, and neither the CPPA nor the California AG’s office can enforce the new CPRA provisions until July 1, 2023 (and only then for violations occurring after that date). Still, businesses should be aware that the CCPA remains in effect up to that point and that the California AG is actively enforcing the law.

We have summarized the key provisions of the press release and outlined possible compliance steps for companies to consider as part of their CCPA/CPRA compliance programs. We are happy to answer any specific questions you may have.

Press Release Summary

Opt-Out Rights. First, the California AG alleges that targeted apps fail to honor consumer opt-out requests or offer any mechanism for consumers to stop the sale of their data. The California AG’s focus on this issue is not surprising, as last summer the AG announced its first public CCPA enforcement decision, against Sephora, on allegations that it failed to inform consumers that it was selling their personal information and did not process opt-out requests made through user-enabled global privacy controls, in violation of the CCPA. This investigative sweep represents an expansion of the California AG’s focus beyond websites to mobile applications and indicates that the California AG is committed to enforcing consumers’ opt-out rights across various platforms.

Authorized Agents. Second, California AG alleges that the implicated mobile applications have failed to process consumer requests submitted through an authorized agent, as required by CCPA §1798.130 3(A). The press release specifically targets the failure to process agent requests through agent services, such as the service created by Consumer Reports called “Permission Slip.” Permission Slip is a mobile app that aims to provide an accessible way for consumers to set general permissions on what businesses can do with consumer data. Once a consumer sets their general permissions, Permission Slip communicates with businesses and facilitates data-related requests on behalf of consumers. This example demonstrates California AG’s continued focus on the failure of companies to process authorized agent requests. In addition, it indicates an endorsement of compliance methods that are controlled by the consumer, allowing them to exercise their rights and promote corporate responsibility under the CCPA. California AG has even publicly hinted that the tech industry should “develop and adopt user-enabled global privacy controls for mobile operating systems” that would allow consumers control over information collection.

Possible Compliance Steps

Following the press release, the California AG provided companies with insight into the motivation behind this continued focus by tweeting about the importance of a mobile device to an individual in today’s society, highlighting the nature of the information stored on a mobile device, which Bonta describes as a “broad range of sensitive information.” Although the California AG provided warning via letters of inquiry in this case, companies should be aware that the CCPA’s affirmative right to cure has expired and that, going forward, the CPRA only provides a discretionary cure period of 30 days. Therefore, neither the California AG nor the CPPA is required to give noncompliant businesses the opportunity to comply with the provisions of the CCPA/CPRA before they can be fined. Businesses subject to CCPA/CPRA compliance, including those that operate mobile applications, must ensure compliance when collecting, processing, and sharing consumer data. Most importantly, companies must:

  • Provide consumers with an accessible format to submit CCPA/CPRA requests, particularly opt-out requests.
  • Provide a “Do Not Sell or Share My Personal Information” link connected to mechanisms or processes that stop the sale or “sharing” of a consumer’s personal information.
  • Institute a process that ensures that authorized agent requests, received in all supported formats, including those received through agent services, are processed.
  • Institute a process that facilitates consumer rights requests within the timeframe required by law.