Author

Alison Pepper

4A's EVP Government Relations & Sustainability

Topic

  • Government Relations
  • Privacy Law

On January 28, the California Attorney General (AG) announced an investigative sweep of many businesses’ mobile applications (“app”) that allegedly fail to meet the requirements of the California Consumer Privacy Act (CCPA). The announcement was timed to coincide with Data Privacy Day (January 28) – the annual day aiming to raise awareness and promote best practices surrounding digital privacy and data protection. 

The California AG’s enforcement investigations include popular apps in the retail, travel, and food service industries that allegedly fail to comply with consumer opt-out requests or do not offer any mechanism for consumers who want to stop the sale of their data. The enforcement sting also focuses on businesses that failed to process consumer opt-out requests submitted via an authorized agent, as mandated by the CCPA. Requests submitted by authorized agents (including universal opt-out mechanisms) include those transmitted by Consumer Reports’ privacy app, Permission Slip, which allows consumers to send requests to opt-out and delete their personal information. Agencies working with clients to develop or redesign mobile apps or to assist in state privacy law compliance should take note.

Following the announcement, California Attorney General Rob Bonta provided businesses with some insight into his office’s motivation behind this continued focus by tweeting on the importance of a mobile device to an individual in today’s society, noting the nature of information stored on a mobile device, which Bonta describes as a “wide array of sensitive information.” 

The announcement from the California AG’s office comes at a time when the CCPA has recently been amended (and expanded) by the California Privacy Rights Act (CPRA) and when the California AG shares concurrent enforcement authority over the new law with the newly formed California Privacy Protection Agency (CPPA). The CPPA has been in the process of developing and finalizing rules for the CPRA, and neither the CPPA nor the California AG’s office can enforce the new provisions of the CPRA until July 1, 2023 (and only then for violations that occur after that date). Still, businesses should be aware that the CCPA is still in effect until that time and that the California AG is actively enforcing the law. The CPPA has previously said it will likely miss an initial July 1, 2023 statutory deadline to adopt regulations but has not discussed whether that deadline, and thus enforcement, will be delayed.  In February, CPPA Executive Director Ashkan Soltani said the rulemaking schedule would go “somewhat past” the July 1 deadline, with completion anticipated “in Q3 or Q4.”

Although the California AG provided forewarning through investigative letters as part of this multi-party enforcement action, agencies and their clients should be cognizant that the CCPA’s affirmative right to cure expired at the end of 2022, and that moving forward the CPRA only provides a discretionary 30-day cure period. As such, neither the California AG nor the CPPA are required to provide non-compliant businesses with an opportunity to come into compliance with CCPA/CPRA provisions before they potentially fine them. 

Helpful Compliance Steps
  • To help avoid future California privacy law enforcement actions, covered businesses must:
  • Provide consumers with an accessible format to submit CCPA/CPRA requests, particularly opt-out requests.
  • Provide a “Do Not Sell or Share My Personal Information” link connected to mechanisms or processes which will stop the sale or “sharing” of a consumer’s personal information.
  • Institute a process which will ensure that authorized agent requests (universal opt-out signals), received in all compliant formats, including those received via agent services, are processed.
  • Institute a process which facilitates consumer rights requests within the time period required under the law.

Have questions about the California AG’s recent privacy law enforcement action or CCPA/CPRA compliance? Please contact Alison Pepper, 4As EVP of Government Relations and Sustainability.

Related Posts

View All Posts
A bald man in a gray blazer writes notes during a conference. He is surrounded by people seated at tables. The atmosphere is focused and professional.

03/05/2025

White House Seeks Public Comment on U.S. AI Strategy

Learn More
A woman in a blue sweater speaks into a microphone during a meeting or conference. She is seated at a table with a cup of coffee and a smartphone in front of her. Other attendees are seated nearby, listening attentively.

03/05/2025

Oklahoma Bill Introduced to Broadly Ban DTC Pharmaceutical Advertising

Learn More

02/03/2025

U.S. Copyright Office Publishes Part 2 of AI Report, Offering Clarity on Copyright for Generative AI Outputs

Learn More
View All Posts