On January 27, 2023 (just ahead of Data Privacy Day), California Attorney General Rob Bonta (“AG”) announced an investigative sweep focused on mobile application providers in the retail, travel, and food service industries. The AG sent out noncompliance letters targeting (a) mobile applications that either do not honor consumer opt-out requests or do not provide the appropriate mechanisms for consumers to stop the sale or sharing of their data, and (b) businesses that fail to process consumer requests submitted via an authorized agent.
As you may already know, the California Consumer Privacy Rights Act, as amended by the California Rights Act (collectively, “CCPA”) provides California consumers with the right to opt out of the selling and sharing of their personal information, unless an exception applies (e.g., the service provider exception, as described in our most recent Client Alert). Another opt-out right under the CCPA is the right to limit the use of sensitive personal information in certain contexts.
Remember that the CCPA has a much broader definition of “sale” than what is typically understood to be a “sale.” For example, a business is required to provide an opt-out mechanism for certain cookies that are used on its website or mobile application. As such, businesses that do sell or share personal information are required to provide an opt-out mechanism and honor opt-out preference signals (colloquially, the Global Privacy Control (“GPC”)). The opt-out mechanism must be a “Do Not Sell or Share My Personal Information” link, a “Limit the Use of My Sensitive Personal Information” link, or an alternative option if the business is required to post both links. The links must be on the business’s homepage or mobile application.
An opt-out preference signal is a signal sent by a platform or technology on behalf of a consumer that communicates the consumer’s choice to opt out of the sale or sharing of their personal information. This is typically a setting in a consumer’s browser or device that, once set, sends the signal to every page the consumer visits. To provide a little more detail on the requirements of honoring an opt-out preference signal:
- the business must present on its website whether or not it has processed the consumer’s opt-out signal;
- the business must honor the opt-out signal as a valid request to opt out of the sale and sharing for that browser or device; and
- the business is required to implement and maintain a process to reconcile circumstances where the consumer’s opt-out signal is incompatible with the consumer’s preferences previously shared with the business or the consumer’s participation in a financial incentive program.
As of January 1, 2023, businesses are required to be compliant with the above.
The AG alleged that the mobile applications subject to the noncompliance letters failed to process consumer requests submitted via an authorized agent. The AG stated: “On this Data Privacy Day and every day, businesses must honor Californians’ right to opt out and delete personal information, including when those requests are made through an authorized agent.” It is unclear whether the businesses will receive penalties or will negotiate terms of compliance with the AG.
The announcement specifically referenced the alleged failure of the targeted mobile applications to process requests sent by “Permission Slip.” Permission Slip is a mobile application developed by Consumer Reports that aims to help consumers manage the data companies may have about them by submitting consumer requests on behalf of such consumers. Permission Slip may serve as an authorized agent for California consumers.
Under CCPA, an “authorized agent” may exercise certain consumer rights on behalf of California consumers (e.g., requests to know, delete, and opt-out). An authorized agent is defined as “a natural person or a business entity registered with the Secretary of State to conduct business in California that a consumer has authorized to act on their behalf...”. Businesses are required to:
- allow consumers to use an authorized agent to submit an opt-out request if a consumer provides signed authorizations; and
With the development of Permission Slip (and other similar mobile applications), the process of submitting consumer requests is being streamlined, which may result in increased consumer requests. With the AG keeping an eye on compliance, businesses should ensure they are compliant and prepared to deal with such requests.
Businesses should ensure that they:
- provide the proper opt-out mechanisms on their website and/or mobile application (for example, by implementing a “Do Not Sell or Share My Personal Information” link on the homepage of the website or landing page of the mobile application, if they do engage in such “sales” or “sharing” as broadly defined under CCPA);
- provide consumers with a standard procedure or format to submit consumer rights requests; and
- institute policies and procedures to ensure that authorized agent requests are processed and resolved, in compliance with imposed timeline restrictions.
As a reminder, the 30-day cure period in CCPA expired on January 1, 2023, and enforcement begins on July 1, 2023. The penalties for noncompliance are $2,500 per violation ($7,500 for violations that are willful or involve children under the age of 16). However, both the AG and the newly formed California Privacy Protection Agency (“CPPA”) maintain discretion on whether to offer a cure period in light of the lack of intent to violate the law and any voluntary efforts to cure the alleged violations. As such, good faith efforts to comply with the law may mitigate risk or the likelihood of being fined for violations.
Please reach out to us if you need any assistance in implementing opt-out mechanisms, updating your privacy policies, or have other privacy concerns related to your business.