First CCPA Enforcement Action Sheds Light on Definition of “Sale of Data”
California Attorney General Rob Bonta announced the state’s first California Consumer Protection Act (CCPA) enforcement action this week. The Office of the Attorney General (OAG) released their proposed final judgment and permanent injunction against Sephora, stating that Sephora not only violated the CCPA’s “Do Not Sell” provisions and ignored Global Privacy Control (GPC) signals, but also failed to cure the violations within the provided 30-day period, resulting in a $1.2 million settlement.
Through this enforcement, the OAG set a new precedent by defining what “selling data” means. A “Sale Using Online Tracking Technology” means a CCPA-defined sale “where the business discloses or makes available consumers’ personal information to third parties through the use of online tracking technologies such as pixels, web beacons, software developer kits, third party libraries, and cookies, in exchange for monetary or other valuable consideration, including, but not limited to: (1) personal information or other information such as analytics; or (2) free or discounted services.”
Entities that sell consumers’ data must declare any sales of data, cannot misrepresent whether they sell that data, and offer a “Do Not Sell My Personal Information” link or similar opt-out mechanism for the sale. Because Sephora used third party pixels for analytics and marketing purposes “in exchange for valuable consideration” of analytics, this use constituted a “sale” under CCPA. Sephora did not comply accordingly as a seller of data under the CCPA after receiving notice from the OAG, resulting in their injunction and settlement.
The GPC, a relatively new concept in the world of privacy and an enforceable control under the CCPA, also played a role in this enforcement action. The GPC is a new signal that browsers can use to convey a user’s rights, like their right not to have their data sold. In essence, it acts as a proactive “Do Not Sell” flag that works at the HTTP header level once the user has set their preference. The GPC can only be set to “true” or “false,” leaving no ambiguity, and it is already being used in browsers like Brave, Firefox, and Duck Duck Go, the highest ranked browsers for user privacy.
It is notable that while the CCPA was passed in 2018 and went into effect in 2020, there have been no enforcement actions until now. The lack of enforcement may have contributed to a lesser degree of compliance, with a recent study that surveyed over 5,000 U.S. companies with revenues ranging from $25 million to $5 billion showing only an 11% CCPA compliance rate by the first quarter of this year.
Along with the gap in compliance, there is also a disconnect in the Act’s enforcement. The California Privacy Rights Act (CPRA), which expanded the CCPA in 2020, established the California Privacy Protection Agency (CPPA) to enforce the amended CCPA. Despite this, the first enforcement action was brought by the California OAG rather than the CPPA. The CPPA shares its enforcement of the Act because it “may not limit the authority of the Attorney General to enforce [the CCPA]” under the CPRA.
Considering that the Act disallows “mak[ing] available consumers’ personal information” and the judgment’s definition of personal information includes unique identifiers like IP addresses, this sets a broad standard for the enforcement of CCPA and creates new compliance trends for entities covered under the Act. All 39 of the entities that received the California OAG’s CCPA violation warning notices before Sephora had quietly cured their violations within the provided 30 business days. However, beginning January 1, 2023, the 30 day notice and cure provision will only remain in effect for security breach violations. Accordingly, attorneys should advise their organizations to abide by the notices while the cure period is still available, determine if they use third party analytics services on their website, and if so, provide an opt-out mechanism for such a “sale.”
Anokhy Desai is a Westin Fellow at the International Association of Privacy Professionals.