With the January 1 CPRA enforcement date came new compliance rules from California privacy regulators. California Attorney General Rob Bonta recently announced an investigation focusing on popular retail, travel and food service mobile apps that have violated the California Consumer Privacy Act. The Data Privacy Day investigative sweep comes with added urgency, as the affirmative right to cure within a 30-day period expired at the end of 2022. The theme of this year’s sweep is consumer choice.
Similar to last fall’s Sephora enforcement, the Attorney General is focused on whether organizations are providing consumers with the option to opt-out, offering a mechanism for consumers who want to stop the sale of their data, or failing to comply with opt-out requests by consumers or their agents. This emphasis on determining whether organizations are respecting consumer choice comes at a time when the notice and choice method is fading as the privacy profession’s go-to mechanism. The recent investigative sweep provides some insight on areas that organizations should focus on in the near future.
Organizations that offer a mobile app and are unsure of where to start will first want to double check their process for respecting opt-out requests, regardless of the strength of their California presence. This should include both technical measures and written processes that are user-tested. While it can be tricky to address a consumer request to access their information and delete it, organizations should enable both processes rather than deleting the information to circumvent the access request.
The Attorney General also warns about respecting consumer requests that come from authorized agents. This is another developing area and, accordingly, there is a lot of confusion around some of the services that have emerged to assist consumers. It can be difficult for organizations to determine if an agent request is legitimate, especially in the midst of processing the volume of access requests from consumers themselves. Permission Slip, a service being created by Consumer Reports, is a mobile app that addresses the CCPA provision allowing a consumer to delegate a third party to exercise their data rights. The app communicates consumer-set permissions to companies and facilitates data-related requests on the individual’s behalf.
Global Privacy Control
The statement from the Attorney General also mentions, for the second privacy action in a row, the importance of respecting universal opt-out mechanisms. Specifically, the statement calls on technology providers to develop and adopt user-enabled global privacy controls for mobile operating systems. As of now, there is not a standard for a device setting in the mobile environment that fully complies with the California rules. During this period when full compliance is not possible, it is important for companies to stay up to date as standards develop and to support the efforts of multi-stakeholder groups to develop new opt-out mechanisms.
Sale of Data
The CCPA defines a “sale” of data as selling, renting, releasing, disclosing, disseminating or making available that data to another party. The CPRA uses nearly the same definition for “sharing” data, which can involve providing that data to another party for cross-contextual behavioral advertising purposes. The CCPA as amended by the CPRA includes both definitions, and the draft guidance indicates that the expansion of “selling” to “selling or sharing” throughout the statute was an intentional change to broaden privacy protections for consumers. Given the January 2023 enforcement date of CPRA, organizations that provide mobile apps are no doubt familiar with this change and have updated their contracts and vendor agreements to reflect it.
Organizations that use consent management providers as a one-size-fits-all solution should note that certain platforms’ default classifications, like “strictly necessary” cookies, align with GDPR and don’t always directly map to CCPA. In fact, attorneys in the AdTech space have found that there are various types of client analytics that cannot be protected by that classification and must be a category of cookies consumers are able to opt-out of if the organization falls under the scope of CCPA. For example, OneTrust’s platform activates strictly necessary cookies without user consent because they are necessary for a website to function, while other cookies can be toggled on or off. Privacy professionals should ensure that any updates to their organization’s mobile app undergo a privacy impact or similar analysis rather than relying on the CMP to catch any relevant changes.
Getting Ahead of Enforcement
Something in-house attorneys should be aware of in the wake of Sephora is receiving consumer complaints as a pre-enforcement method of making organizations aware of potential privacy issues. Like Virginia, the California Office of the Attorney General shares consumer complaints with businesses as a way to provide these organizations with real-time gaps they can address without immediately being subject to legal action. This method keeps organizations out of the spotlight while giving legal and privacy teams enough time to build a proper mitigation strategy. Businesses should develop a process to track and address these complaints and flag recurring or sensitive issues if one does not already exist.
Organizations in the retail, travel and food service industries that provide mobile apps and have not received a letter from the Attorney General must still remain vigilant. The primary focus during this enforcement cycle should be on providing consumers with an accessible method to submit opt-out requests, providing a functional “Do Not Sell or Share My Personal Information” link, and creating a process to ensure authorized agent requests are processed. Although there is no longer a right to cure, enforcers may provide discretionary period to cure based on factors like good faith compliance efforts.
Anokhy Desai is a Westin Fellow at the International Association of Privacy Professionals.