CCPA/CPRA Archives | TrustArc https://trustarc.com/topic-resource/ccpa-cpra/ Tue, 07 Apr 2026 19:48:23 +0000

TrustArc + IAPP: Beyond the Button – Consent as a Regulatory Entry Point (April 28, 2026) https://trustarc.com/resource/webinar-beyond-the-button-consent-as-a-regulatory-entry-point/ Tue, 17 Mar 2026 16:57:57 +0000
Webinar

TrustArc + IAPP: Beyond the Button – Consent as a Regulatory Entry Point

  • April 28, 2026
  • 8am PT / 11am ET / 5pm CET

California regulators are raising the bar on what it truly means to honor consumer opt-out rights. Posting a “Do Not Sell or Share” link is no longer enough. Organizations must be able to demonstrate that preferences are captured accurately, propagated across systems, and consistently enforced.

Recent regulatory spot checks show that consent is increasingly being used as a catalyst for broader investigations. What starts as a review of an opt-out mechanism can quickly expand into scrutiny of data flows, vendor sharing, governance controls, and documentation. In many cases, consent becomes the tip of the spear – exposing deeper operational gaps.

Join us to explore:

  • How regulators are evaluating opt-out and consent mechanisms
  • Common operational breakdowns in capturing and enforcing preferences
  • Why consent management is now a frontline enforcement trigger
  • Practical steps to strengthen end-to-end opt-out governance
  • How to move from “button compliance” to defensible operational control

This session is designed for privacy leaders who want to ensure their opt-out processes stand up to real regulatory scrutiny, not just surface-level review.

This webinar is eligible for 1 CPE credit.

This webinar is in collaboration with IAPP.

Webinar Speakers

  • Val Ilchenko, General Counsel & Chief Privacy Officer, TrustArc
  • Joanne Furtsch, VP, Knowledge & Global DPO, TrustArc
  • Scott Lashway, Member / Co-Chair, Privacy & Cybersecurity Practice, Mintz
CCPA Compliance Checklist https://trustarc.com/resource/ccpa-compliance-checklist/ Mon, 04 Aug 2025 15:54:14 +0000
Infographic

CCPA Compliance Checklist: A Strategic Starting Point for Your Program

The California Consumer Privacy Act (CCPA) sets the standard for responsible data handling, but operationalizing compliance can be overwhelming. That’s where our CCPA Compliance Checklist comes in.

This free resource translates complex legal requirements into 10 actionable steps that help you build a smarter, more resilient privacy program. From data mapping and consumer rights to vendor oversight and breach preparedness, this checklist gives you a practical framework to stay aligned with CCPA requirements and elevate trust with every action.

Whether you’re launching a new initiative or enhancing existing practices, this checklist is your go-to guide for making privacy work clearly, efficiently, and at scale.

Key takeaways include:

  • Operational clarity: Break CCPA compliance into clear, manageable steps you can execute today.
  • Program readiness: Address data governance, consumer rights, consent, third parties, and more.
  • Strategic alignment: Use the checklist to prioritize resources and accelerate compliance workflows.

“Meeting CCPA requirements protects your business. Earning trust future-proofs it.”

California’s Privacy Watchdogs Are Biting: Key Lessons from Recent CCPA Enforcement Actions https://trustarc.com/resource/lessons-ccpa-enforcement-actions/ Wed, 16 Jul 2025 16:10:00 +0000
Articles

California's Privacy Watchdogs Are Biting: Key Lessons from Recent CCPA Enforcement Actions

California’s privacy landscape continues to evolve, with the California Privacy Protection Agency (CPPA) significantly stepping up enforcement of the California Consumer Privacy Act (CCPA) and its amendments in 2024 and 2025. Businesses subject to these regulations have faced considerable administrative burdens and, more recently, substantial penalties for non-compliance.

The CPPA, which began exercising its enforcement authority alongside California’s Attorney General on July 1, 2023, has been particularly active. Its actions stem from growing concerns over widespread non-compliance, especially among data brokers, e-commerce platforms, and ad tech companies.

Late in 2023, the CPPA initiated investigative sweeps, focusing on violations of consumer opt-out rights, dark patterns, and the improper use of tracking technologies. The CPPA found that many companies have failed to honor global opt-out signals, provide clear opt-out options, or secure adequate contracts with third-party service providers.

These enforcement efforts underscore a critical message: businesses can no longer simply deploy a consent or opt-out tool and assume compliance.

Continuous monitoring and testing of these mechanisms are essential to ensure they function correctly in practice. This ongoing vigilance is crucial, as any malfunction or excessive demand for personal information from the mechanism could lead to full liability for the company, potentially resulting in penalties and mandated operational changes.

CPPA enforcement advisories

The CPPA has issued two enforcement advisories to date, each addressing specific provisions of the CCPA. These advisories provide implementation examples, including questions that businesses may ask themselves about the requirement, and highlight observed non-compliance in order to deter violations.

The subjects of these advisories have lined up with the enforcement actions taken by the CPPA so far. Take a close look at these advisories, as they may indicate the CPPA’s areas of focus and align with their recommended implementation of the law to prevent eventual enforcement.

  1. Applying Data Minimization to Consumer Requests – emphasizes that businesses should only collect, use, retain, or share the personal information necessary when handling consumers’ requests.
  2. The Use of Dark Patterns – emphasizes to businesses the importance of reviewing their user interfaces to ensure they use clear and understandable language. This practice offers consumers symmetrical choices and avoids impairing their ability to make their decisions, instilling confidence in the transparency of the process.

Understanding recent CCPA enforcement actions

Let’s look at some recent high-profile cases that highlight the CPPA and the California Attorney General’s priorities:

Healthline Media LLC (California Attorney General, July 1, 2025)

In a significant settlement, the California Attorney General announced on July 1, 2025, that Healthline Media LLC agreed to pay a $1,550,000 penalty for alleged CCPA violations related to the unlawful sharing of data on Healthline.com. The allegations included:

  • Continued data sharing post-opt-out: Healthline allegedly continued sharing users’ sensitive personal and health-related information for advertising purposes even after users opted out via cookie banners, forms, or Global Privacy Control (GPC) signals.
  • Transmission of sensitive inferences: Article titles revealing potential medical diagnoses (e.g., HIV, MS, diabetes) were transmitted to advertising and tracking companies, enabling sensitive inferences about users.
  • Misleading cookie consent banner: The cookie consent banner misrepresented its functionality, failing to block ad tracking and leaving up to 118 trackers active even after opt-out.
  • Non-compliant advertising contracts: Healthline lacked CCPA-compliant contracts with advertising partners, failing to verify proper data usage or restrict use to allowed purposes.
  • Cross-context behavioral advertising: The company engaged in cross-context behavioral advertising, resulting in users receiving targeted health-related ads across multiple platforms, which violated CCPA requirements.

As part of the settlement, Healthline committed to measures ensuring full CCPA compliance, including automatically honoring GPC signals, prohibiting the sale or sharing of data that could reveal a medical condition (i.e., article titles or URLs revealing health conditions), ongoing compliance testing, and updating all third-party contracts.

This case highlights that companies sharing personal data for advertising purposes, especially when this data can lead to sensitive inferences about users’ health, must ensure that opt-out mechanisms are effective and transparent. Failure to prevent unauthorized sharing, particularly of information that can lead to inferred health conditions, carries significant legal risks.

Todd Snyder, Inc. (CPPA, May 6, 2025)

Effective May 1, 2025, the CPPA ordered clothing retailer Todd Snyder, Inc. to pay a $345,178 fine for violating the CCPA. The Enforcement Division alleged that Todd Snyder:

  • Misconfigured cookie-consent banner: The website’s cookie-consent banner was misconfigured, preventing consumers from opting out of the sale or sharing of personal data, including for cross-context behavioral advertising, for a continuous 40-day period.
  • Excessive identity verification: Consumers were required to submit sensitive identity documents (e.g., selfies matched to government IDs) to exercise simple opt-out rights, directly conflicting with CCPA rules prohibiting excessive verification.
  • Excessive data collection for requests: The company collected more consumer data than necessary to process verifiable requests and failed to implement safeguards for sensitive information submitted during the process.

This decision highlights that simply deploying a consent tool is insufficient; companies must continuously test and maintain the tool’s functionality. Opt-out requests must be honored without requiring identity verification, demonstrating a commitment to respecting consumer privacy rights.

American Honda Motor Co., Inc. (CPPA, March 12, 2025)

Effective March 12, 2025, American Honda Motor Co., Inc. was ordered by the CPPA to pay a $632,500 fine for hindering Californians’ ability to exercise their opt-out rights. The CPPA’s allegations included:

  • Excessive identity verification for verifiable requests (right to know, delete, and correct): Honda’s webform required consumers to provide at least eight data fields for verifying a consumer’s identity, despite needing only two data points to identify a consumer in its database.
  • Non-verifiable requests (opt-out of sale/sharing and requests to limit use of sensitive data): Honda’s online process did not distinguish between verifiable and non-verifiable requests; it used the same form for all request types and therefore required identity verification for requests that do not require it.
  • Authorized agents: Honda required additional authorization steps for authorized agents to submit do not sell/share or restrict use of sensitive information requests.
  • Confusing cookie banner design: The cookie banner design failed to present symmetrical opt-in and opt-out choices, as it required two steps to opt out but only one step to opt in, thereby undermining users’ ability to make clear privacy selections.
  • Lack of compliant third-party contracts: Honda lacked or was unable to produce CCPA-compliant contracts with downstream ad-tech partners, raising doubts about whether consumer opt-out signals were honored across all parties.

Honda agreed to revise its privacy request processes, ensuring verification steps collect only the minimum necessary information for verifiable requests, do not require identity verification for non-verifiable requests, provide clear and symmetric opt-out options in its cookie banner, offer thorough CCPA training for employees, and include mandatory CCPA privacy provisions in all third-party data-sharing agreements.

This case clarifies that excessive identity checks on verifiable requests violate the CCPA’s “reasonableness” standard and may lead to significant fines. It also highlights that an individual’s identity must not be verified when exercising an opt-out request. Cookie banners must provide clearly equivalent opt-in and opt-out controls to prevent compliance failures due to design, and companies must keep and readily produce CCPA-compliant contracts with all service providers.

Want to take a deeper dive into how Honda’s case unfolded—and what it teaches us about lawful data processing under the CCPA? Read: What Honda’s $632,500 CCPA Fine Teaches Us About Lawful Data Processing.

Sephora USA, Inc. (California AG, August 24, 2022)

Although an older case, the Attorney General’s judgment against Sephora established an important precedent, resulting in a $1.2 million settlement for several violations of the CCPA. These included:

  • Failure to disclose the sale of personal information to consumers.
  • Failure to process consumer requests to opt out of the sale of their personal information signaled via Global Privacy Control (GPC) settings.
  • Failure to cure these violations within the 30-day cure period allowed at the time.

Sephora was required to clearly disclose its intent to sell data, ensure consumers could opt out (including via GPC), update service provider contracts to be CCPA-compliant, and provide reports to the Attorney General.

Responding to CCPA enforcement: Insights for your privacy program

These decisions send a clear signal: California’s privacy regulators will hold companies fully accountable for any barriers, technical or procedural, that impede consumers from exercising their statutory rights. The “reasonableness” standard for identity verification is strictly interpreted; companies must collect only the minimum data necessary and cannot require sensitive documents, such as government IDs, for routine privacy checks.

To avoid disruptive enforcement actions and reputational harm, businesses must embed privacy compliance into everyday operations, including:

  • Prioritize fortifying public-facing consent and individual rights interfaces and confirm that required website links with the required wording are present (e.g., “Do Not Sell Or Share My Personal Information”).
  • Verify and monitor public-facing consent and individual rights interfaces to ensure proper implementation that meets regulatory requirements.
  • Collect the minimum information necessary to fulfill a request based on the type of request received.
  • Ensure that opt-out sale/sharing requests and the right to restrict the use of sensitive personal data do not require identity verification.
  • Honor opt-out signals like Global Privacy Control (GPC) automatically and consistently across all platforms.
  • Carefully review and assess their user interfaces to ensure that they offer symmetrical choices and use language that is easy for consumers to understand when presenting privacy options.
  • Ensure parity regarding choices made on consent forms. When someone interacts with a banner or modal, the number of clicks needed to accept should equal the number needed to reject.
  • Maintain up-to-date, CCPA-compliant contracts with all service providers/vendors.
  • Train staff on how to handle or properly route individual rights requests.

Take the next step: Validate your CCPA compliance

If your business hasn’t already done so, now is the time to move beyond internal checklists and get formally validated. A TRUSTe-certified CCPA Validation offers independent, third-party assurance that your privacy practices align with California’s regulatory requirements.

It’s more than a badge. It’s proof of compliance you can share with partners, customers, and regulators alike. With TrustArc’s expert guidance and purpose-built platform, you’ll identify gaps, streamline remediation, and earn a Letter of Validation you can proudly display on your website or Trust Center.

Don’t wait for an enforcement action to test your program. Learn more about CCPA Validation and start building your privacy program’s credibility today.

CCPA Compliance, Certified.

Earn a TRUSTe-certified CCPA Validation to show customers, partners, and regulators you take data rights seriously while gaining operational clarity and audit-ready peace of mind.


Cookie Compliance Without the Chaos.

Automate tracker scans, sync consent across devices, and stay ahead of global laws all from one powerful platform. TrustArc’s Cookie Consent Manager helps you honor preferences, boost trust, and keep regulators off your tail.

Compliance Brief: Data Minimization under GDPR, CCPA and other Privacy Laws https://trustarc.com/resource/data-minimization-gdpr-ccpa-privacy-laws/ Tue, 13 Feb 2024 15:25:46 +0000
Article

Compliance Brief: Data Minimization under GDPR, CCPA and other Privacy Laws

Businesses must become significantly more disciplined in how they collect and use data. Excessive data collection is not only inefficient but also introduces legal and reputational risk.

The need for more responsible data practices has been evident for some time. As early as 2017, publications such as The Economist highlighted the growing tension between the rapid expansion of technology companies and increasing public concern over privacy and regulatory oversight.

In response to these concerns, major legislative actions followed. The European Union’s General Data Protection Regulation (GDPR) became enforceable on May 25, 2018. It established comprehensive data rights for individuals, including the right to limit how their data is processed and the right to request its deletion. A foundational principle of GDPR is data minimization—collecting only what is necessary for a specific purpose.

Soon after, California enacted the Consumer Privacy Act (CCPA) on June 28, 2018, with enforcement beginning July 1, 2020. The CCPA introduced similar protections for personal data and became the first U.S. law to explicitly include data minimization as a compliance requirement.

Data minimization requirements in privacy regulations worldwide

While many enforcement actions of privacy regulations focus on privacy breaches and/or misuse of personal information, investigators also look for compliance with data minimization principles, which are now standard in many regulations. These principles were put in place to address data hoarding and focus on:

  • Breach exposure minimization – minimizing the amount and detail of any personal information that could be stolen in a breach.
  • Purpose limitation – restricting data collection to information that is provably necessary for the stated purposes, which in most cases means the stated purpose of delivering personalized customer experiences.
  • Consumer consent – collecting personal data only from consumers who have given informed and explicit consent for its collection, processing, sharing, and sale.

Questions to ask about personal data collected by your organization:

  • Is it mapped and tracked throughout its lifespan? Can the business quickly identify the locations of each piece of personal information collected and track its use history, including every instance of how it was accessed and processed – and why each activity was necessary?
  • Is it adequate? Does the personal data collected contain enough (but not more than enough) information to help your business identify the individual and sufficiently deliver a personalized service (stated purpose)?
  • Is it relevant? Is it clear how each piece of personal information is relevant to fulfilling the stated purpose?
  • Is it limited to what is necessary? Does the data collection only capture information needed for the stated purpose – and no more than is provably necessary?
  • Is it still useful and do you still have permission to store it? Is the information contained in a collection of personal data up-to-date and accurate or has it passed its acceptable and/or permitted use-by date?
  • Is it properly secured? Is the data protected by access controls and other cybersecurity measures to prevent unauthorized and unlawful use, or accidental loss or damage?
  • Is access controlled based on permissions? Does each data system, staff member, third party, or business partner only have access to the data they are explicitly permitted to access – and only what is adequate, relevant, and necessary for them to fulfill a permitted task (and nothing else)?

EU GDPR made data minimization a key principle

The EU’s GDPR sets a standard for privacy that gives EU citizens strong privacy rights, especially more visibility, and control of how organizations may collect and use their personal information.

Data minimization is listed in GDPR Article 5 as one of seven principles relating to the processing of personal data:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Limited storage periods
  • Integrity and confidentiality
  • Accountability

The data minimization principle is explained by the European Data Protection Supervisor:

‘The principle of “data minimisation” means that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose.

‘They should also retain the data only for as long as is necessary to fulfill that purpose. In other words, data controllers should collect only the personal data they really need, and should keep it only for as long as they need it.

‘The data minimisation principle is expressed in Article 5(1)(c) of the GDPR and Article 4(1)(c) of Regulation (EU) 2018/1725, which provide that personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.’

UK data protection rules on data minimization similar to EU GDPR

The UK Data Protection Act (2018) was updated post-Brexit with a set of UK GDPR rules that closely follow those of the EU GDPR. As a result, UK citizens have stronger personal data and sensitive personal data privacy rights, including more control over how organizations may collect and use their personal data.

The UK GDPR data protection principles match all seven of those listed in the EU GDPR (see above).

The data minimization principle is explained by the UK Information Commissioner’s Office:

‘You must ensure the personal data you are processing is:

  • adequate – sufficient to properly fulfil your stated purpose;
  • relevant – has a rational link to that purpose; and
  • limited to what is necessary – you do not hold more than you need for that purpose.

Article 5(1)(c) says: “Personal data shall be: (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)”.

So you should identify the minimum amount of personal data you need to fulfil your purpose. You should hold that much information, but no more.’

Data minimization in the United States

In the United States, data minimization is emerging as a common principle across state consumer privacy laws, though its implementation varies widely. Generally, these laws require that businesses limit the collection, use, and retention of personal data to what is reasonably necessary and proportionate to achieve specified purposes.

However, most U.S. laws provide broad flexibility, allowing businesses to define those purposes as long as they are disclosed to consumers. This approach contrasts with more prescriptive models like the EU’s GDPR, which imposes stricter purpose limitations.

Notably, states such as California, Colorado, and Virginia incorporate data minimization as a foundational obligation, but still permit processing for a range of operational needs. Maryland, by contrast, has adopted a narrower standard, restricting data processing to what is necessary for the specific product or service requested by the consumer—signaling a possible shift toward more restrictive U.S. interpretations of data minimization.

Below are summaries of data minimization requirements in two key U.S. states, California and Maryland, which illustrate the varying approaches to this principle.

California

The CCPA, which was amended by the California Privacy Rights Act (CPRA), led the way in the U.S. with the first comprehensive state privacy regulation to give consumers enforceable rights over how – or whether at all – businesses collect, process, store, share or sell personal data.

The amendments under CPRA place more restrictions on collection, storage and use of sensitive personal information, and include data minimization and purpose limitation rules in section 1798.100 ‘General Duties of Businesses that Collect Personal Information’ which accompany requirements for informing consumers of purposes for data collection:

  • Additional categories – 1798.100 (a) (1): “A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.”
    (Note: subsection (a) (2) uses practically the same words as the rule above, applying them to ‘sensitive personal information’.)
  • Storage period – 1798.100 (a) (3): “The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.”
  • Proportionate use – 1798.100 (c): “A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.”

Businesses must also ensure third parties, contractors and commercial partners comply with CCPA rules, including data minimization requirements.

Maryland

Maryland’s data minimization requirements, introduced under the Maryland Online Data Privacy Act of 2024 (MODPA), take a more stringent and prescriptive approach compared to other U.S. consumer privacy laws.

Unlike frameworks such as the CCPA or Colorado Privacy Act, which generally require that personal data collection be limited to what is “reasonably necessary” for disclosed purposes, MODPA mandates that businesses only collect, process, and retain personal data that is “reasonably necessary and proportionate” to provide or maintain a specific product or service requested by the consumer.

This narrower scope restricts the use of personal data for broader business purposes—such as analytics, product improvement, or advertising—unless the consumer has explicitly requested the service that requires such processing. MODPA’s approach reflects a shift toward a more EU-like, purpose-limited model of data governance, elevating the standard for necessity and limiting the discretion businesses typically have under other U.S. laws.

For a closer look at MODPA’s unique provisions and how they compare to other U.S. state laws, read our overview of Maryland’s Online Data Privacy Act’s Novel Approach to Consumer Privacy.

Data minimization is no longer optional

From the EU’s GDPR to California’s CCPA and Maryland’s MODPA, one principle is increasingly consistent: collect less, prove purpose, and protect what you process. Data minimization is a strategic imperative that aligns privacy, security, and efficiency.

For privacy professionals, this means moving beyond awareness into operational excellence. Mapping data lifecycles, documenting necessity, and embedding minimization logic into product and service design aren’t just best practices—they’re risk reducers and trust builders. As more jurisdictions sharpen their stance on what’s “reasonably necessary,” organizations that over-collect or under-document may find themselves on the wrong side of enforcement and public sentiment.

Now is the time to treat data like a critical resource, not a limitless asset. Ask hard questions. Trim the excess. Architect for purpose. Because when less is truly more, your privacy program is doing its job.

Map Smarter. Minimize Risk.

Automate data discovery, mapping, and risk scoring across your systems and vendors. Instantly generate ROPAs, flag high-risk flows, and take action all in one intelligent workspace.


Regulatory Research, Done for You.

Stay ahead of evolving privacy laws with curated legal analysis, alerts, and cross-jurisdictional summaries without relying on costly counsel or endless hours of digging.

GDPR & CCPA Comparison Chart https://trustarc.com/resource/gdpr-ccpa-cpra-comparison-chart/ Sun, 21 Jan 2024 19:29:00 +0000
Infographic

GDPR & CCPA Comparison Chart

Compare the regulations

Review the rights and obligations between the GDPR and CCPA regulations in the TrustArc infographic.

Global Privacy Control and Known User Consent: Technical Brief https://trustarc.com/resource/global-privacy-control-known-user-consent/ Wed, 08 Nov 2023 20:41:00 +0000
Articles

Global Privacy Control and Known User Consent: Technical Brief

Businesses can build trust with consumers (whether they’re existing or potential customers) by demonstrating they respect every individual’s privacy rights – and by making it as easy as possible for consumers to choose whether they opt in or opt out of their personal information being used to deliver targeted services and marketing.

In California, businesses must get a consumer’s consent to share or sell their personal information – before this data is collected. CCPA/CPRA gives consumers the right to change their mind and withdraw consent (opt out) via forms on websites and apps or when a Global Privacy Control (GPC) signal is detected.

Tech explained: What is global privacy control?

The GPC was designed to make it easy for individuals to tell businesses, “Do not sell or share my personal information”.

It works as a universal opt-out mechanism to save consumers from having to click through notices or locate opt-out forms or pop-ups on individual websites they visit. They simply set up an Opt-out signal once in their preferred web browser or extension that supports GPC, such as Disconnect, DuckDuckGo Privacy Browser, Firefox, or Privacy Badger by the Electronic Frontier Foundation, and the extension helps them automatically exercise their privacy rights.

Privacy laws with global privacy control requirements

The California Consumer Privacy Act (CCPA) and its amendments under the California Privacy Rights Act (CPRA) require businesses to respect consumers’ right to opt out from having their personal information sold or shared by a business to any other business.

The CCPA regulations (§999.315) explicitly state “a business shall provide two or more designated methods for submitting requests to opt out, including an interactive form … and user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information”.

Other regulations, such as the Colorado Privacy Act and the European Union’s GDPR, are also set to include Global Privacy Control as an enforceable universal opt-out mechanism. The EU’s GDPR, like California’s CCPA/CPRA, already requires businesses to get opt-in consent from consumers.

In Colorado, businesses must give consumers easy access to opt-out mechanisms via privacy notices and in other conspicuous locations. From July 1, 2024, under the Colorado Privacy Act, consumers will have the right to opt out of targeted advertising, profiling, and sale/sharing of their personal data by signalling through (in the Act’s terminology) a ‘Universal Opt-Out Mechanism’, such as Global Privacy Control, which will be enforceable in the state.

TrustArc technologies with ‘GPC detected’ and ‘known user’ features

TrustArc is very focused on helping businesses build and maintain positive customer relationships by providing best practices and compliant privacy consent management technologies.

TrustArc Customer Consent Preference Manager

We continue to develop new features in TrustArc’s Consent & Preference Manager to help businesses streamline the consent preference experience for customers, while staying abreast of updates to privacy laws such as CCPA/CPRA with our centralized privacy regulation compliance platform.

TrustArc Financial Incentive Notice Service

The CCPA regulations state: “If a global privacy control conflicts with a consumer’s existing business-specific privacy setting or their participation in a business’s financial incentive program, the business shall respect the global privacy control but may notify the consumer of the conflict and give the consumer the choice to confirm the business-specific privacy setting or participation in the financial incentive program.”

Configurable by TrustArc account managers, our Financial Incentive Notice gives customers easy-to-understand choices about a financial incentive program that requires opt in to trackers:

  • Do not Participate – and therefore opt out of the financial incentive program and related tracking; or
  • Continue to participate – keeping the customer enrolled in the financial incentive program and therefore allowing the business to track the customer so it can continue to deliver marketing, discounts and/or other customer loyalty benefits.

TrustArc Cookie Consent Manager – Unique known user feature

TrustArc’s Cookie Consent software accelerates the setup and management of complex cookie activities for businesses across all their domains while ensuring compliance with privacy laws in every country they operate in.

Cookie Consent Manager includes features such as auto-detect for Global Privacy Control (GPC) signals – and the world’s first CCPA/CPRA-compliant Known User feature.

TrustArc’s Known User feature addresses the CPRA regulations amending the CCPA, which become enforceable on March 29, 2024 and require businesses to record and remember a consumer’s consent preferences across every device and browser they might use, so that the consumer gets a frictionless experience.

The California Privacy Agency noted on February 3, 2023, in its Final Statement of Reasons: “Subsection (c)(1) has been modified to add language that the opt-out preference signal shall be treated as a valid request to opt out of sale/sharing for any consumer profile, including pseudonymous profiles, that are associated with the browser or device for which the opt-out preference signal is given.

“Additional language has also been included to further clarify that, if known, a business is also required to treat the opt-out preference signal as a valid request to opt-out of sale/sharing for the consumer.

“This change is necessary to address the realities of how the internet works, i.e., sometimes the business may only know the consumer pseudonymously and other times they may match the online actions with an offline consumer. This modification ensures that the opt-out preference signal applies to both situations.”
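The opt-out logic the two passages above describe (the financial incentive conflict rule from the CCPA regulations, and the per-browser/known-consumer rule in the Final Statement of Reasons), as an added example that is not TrustArc’s code: it assumes the GPC signal arrives as the `Sec-GPC: 1` request header defined by the GPC specification, and the consent store, identifiers and sample data are constructed for illustration.

```python
"""Added example (not TrustArc's code): a minimal server-side handler that applies
a Global Privacy Control (GPC) signal the way the regulation text quoted above
requires. The data model, names and sample data are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# The GPC specification carries the signal as the HTTP request header "Sec-GPC: 1".
GPC_HEADER = "sec-gpc"


def gpc_signal_present(headers: Dict[str, str]) -> bool:
    """True only when the request carries the GPC header with the value "1".
    Header names are case-insensitive in HTTP, so compare lower-cased; any other
    value is not a signal and must not be treated as one."""
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


@dataclass
class ConsentStore:
    """Constructed in-memory stand-in for a consent database."""
    # pseudonymous profile ids associated with each browser/device id
    device_profiles: Dict[str, Set[str]] = field(default_factory=dict)
    # ids (profile or consumer) currently opted out of sale/sharing
    opted_out: Set[str] = field(default_factory=set)
    # consumer ids enrolled in a financial incentive (e.g. loyalty) program
    incentive_members: Set[str] = field(default_factory=set)


@dataclass
class Decision:
    honoured: bool            # a GPC signal was found and recorded
    opted_out_ids: List[str]  # every id the opt-out was recorded for
    incentive_conflict: bool  # consumer is in an incentive program; business may notify


def apply_gpc(headers: Dict[str, str], device_id: str, store: ConsentStore,
              consumer_id: Optional[str] = None) -> Decision:
    """Apply a GPC signal per the regulation quoted above:
    1. every profile associated with the signalling browser/device is opted out
       (an unknown device becomes its own pseudonymous profile);
    2. if the consumer is known (logged in or otherwise matched), the consumer
       record is opted out too;
    3. if that consumer is in a financial incentive program the signal still wins;
       the business may only notify and offer the choice to confirm participation."""
    if not gpc_signal_present(headers):
        return Decision(False, [], False)
    profiles = set(store.device_profiles.setdefault(device_id, {device_id}))
    if consumer_id is not None:
        profiles.add(consumer_id)
    store.opted_out.update(profiles)
    conflict = consumer_id is not None and consumer_id in store.incentive_members
    return Decision(True, sorted(profiles), conflict)


def confirm_incentive_participation(store: ConsentStore, consumer_id: str) -> bool:
    """Record a notified consumer's explicit "Continue to participate" choice.
    Assumption of this example: only the consumer's own record is re-enabled;
    the pseudonymous device profiles stay opted out."""
    if consumer_id not in store.incentive_members:
        return False
    store.opted_out.discard(consumer_id)
    return True


def may_sell_or_share(store: ConsentStore, subject_id: str) -> bool:
    """Gate to place in front of every sale/share (ad tags, data feeds, vendors)."""
    return subject_id not in store.opted_out


if __name__ == "__main__":
    # constructed sample: one browser with two pseudonymous profiles, logged in as c-42
    store = ConsentStore(device_profiles={"dev-1": {"p-1", "p-2"}},
                         incentive_members={"c-42"})
    decision = apply_gpc({"Sec-GPC": "1"}, "dev-1", store, consumer_id="c-42")
    print(decision.opted_out_ids, decision.incentive_conflict)  # ['c-42', 'p-1', 'p-2'] True
    print(may_sell_or_share(store, "p-1"))  # False
```

Every sale/share path in the application should call `may_sell_or_share` before any transfer; the GPC check is only useful if that gate is enforced consistently.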

 

[Graphic: order of consent preference storage for logged-in vs. logged-out users in Safari and Firefox]

TrustArc solves the challenge of identifying customers and respecting their choices across devices and browsers with a Known User feature in our proprietary technology, which can be configured by a TrustArc Technical Account Manager on behalf of your business to ensure a frictionless consent choice experience for your customers – and compliance with CCPA amendments under CPRA.

Get help from TrustArc for managing GPC signals and known user consent

TrustArc’s privacy experts are committed to helping businesses understand and address privacy law updates – such as CCPA/CPRA rules when a GPC signal is detected – with a comprehensive and easy-to-search database of TrustArc Privacy Insights.

Your Guide to Understanding Global Privacy Control: Preparing for CCPA https://trustarc.com/resource/webinar-your-guide-to-understanding-global-privacy-control-preparing-for-ccpa/ Thu, 15 Jun 2023 16:58:00 +0000 https://trustarc.com/?post_type=resource&p=3825
Webinar

Your Guide to Understanding Global Privacy Control: Preparing for CCPA

  • On Demand

Back in 2020, GPC was introduced in the CCPA as a way to help keep consumer information safe by allowing users to opt-out with a single click rather than manually selecting each opt-out. However, the recent CPRA regulations create greater obligations for certain companies, specifically those that can identify known users and those that provide loyalty programs. Being unprepared for the new Global Privacy Control (GPC) obligations under the CPRA can open your company to risk.

Prepare your business for compliance with GPC and other browser signals.

This webinar will review:

  • What is GPC & why is it important
  • How does GPC impact your business and your customers under the new CCPA regulations?
  • How to operationalize GPC requirements using software for your business

Webinar Speakers

Andrew Scott Privacy Counsel, TrustArc
Ryan Ostendorf Product Manager, TrustArc
How Data Privacy Demands Impact Your Marketing Program https://trustarc.com/resource/webinar-how-data-privacy-demands-impact-your-marketing-program/ Tue, 07 Mar 2023 19:17:00 +0000 https://trustarc.com/?post_type=resource&p=3858
Webinar

How Data Privacy Demands Impact Your Marketing Program

  • On Demand

Ask any modern marketer for their favorite privacy acronym, and they will probably tell you: GDPR, LGPD, CCPA, or PIPL – and that’s before we factor in layers of data ethics or self-regulatory practices like opt-in, opt-out, CDPs and CMPs, PII and SPI, AMIs and beyond cookies. Too often, there is a lack of clear guidance for marketers on how to transform compliance requirements into Marketing practices.

Not to mention the fact that many times the legalese leaves room for broad interpretation, giving rise to questions like: Do you need consent for everything? Can your company capture consent in exchange for content? How is notice and enhanced notice being extended?

In this webinar, we explore tactics and strategies Marketing teams can implement to comply with both privacy laws and important self-regulatory programs and still achieve consumer trust and exceed business objectives.

This webinar will review:

  • Consent and marketing under current privacy laws and regulations
  • What you can and cannot do to identify prospects, generate leads and convert into customers
  • The key questions a marketer needs to ask their agencies and ad tech service providers

Webinar Speakers

Ganesh Vasudeva Director of Product Management, TrustArc
Janalyn Schreiber Senior Privacy Consultant, TrustArc
Chet Dalzell Communications & Engagement, Digital Advertising Alliance
Is Your Consent and Preferences Strategy CPRA-Proof? https://trustarc.com/resource/webinar-is-your-consent-and-preferences-strategy-cpra-proof/ Tue, 11 Oct 2022 20:51:00 +0000 https://trustarc.com/?post_type=resource&p=3884
Webinar

Is Your Consent and Preferences Strategy CPRA-Proof?

Joanne Furtsch VP, Knowledge & Global DPO, TrustArc
Andrew Scott Privacy Counsel, TrustArc

Consent and preferences enable brands to take customer relationships to new levels of customization and trust. But stringent regulations such as CCPA/CPRA bring new regulatory obligations (read: consent history/validity) that put in question a marketer’s ability to leverage preference data to its full potential.

Add to that, with CPRA regulations extended to employee rights in addition to consumers, businesses need to start thinking about their HR data in addition to B2B data.

In this webinar, we help you understand how to CPRA-proof your consent and preferences management.

This webinar reviews:

  • Tracking consent and preferences for trust and engagement
  • CPRA regulations and business priorities
  • Leveraging consent & preferences to track B2B and HR data for compliance

Critical CCPA Compliance Lessons to Learn from AG Enforcement https://trustarc.com/resource/ccpa-compliance-lessons-ag-enforcement/ Fri, 30 Sep 2022 18:17:00 +0000 https://trustarc.com/?post_type=resource&p=2619
Articles

Critical CCPA Compliance Lessons to Learn from AG Enforcement

California AG announces first enforcement actions from the California Consumer Privacy Act (CCPA)

Following an investigation into the privacy practices of Sephora surrounding its collection, use, and sale of consumers’ online activities and other personal information, the California Attorney General (AG) and Sephora agreed to a settlement.

On August 24, 2022, the California AG announced its first enforcement actions arising from the California Consumer Privacy Act – marking a new dawn for CCPA compliance.

In the settlement, Sephora agreed to become compliant with the CCPA in the following ways:

  • Provide notice to consumers that clearly states that it sells their personal information and that they have the right to opt out of all sales
  • Process consumer requests to opt out signaled via the Global Privacy Control (GPC)
  • Comply with the provisions of the California Privacy Rights Act (CPRA) related to providing notice of sale of consumers’ personal information and their rights to opt out once the CPRA becomes operative on January 1, 2023
  • Within 180 days, establish a compliance program that enables it to adhere to assessment and reporting requirements to the AG for two years
  • Pay a $1.2 million settlement fine
  • Conduct an annual review of its website and mobile applications to determine the entities to which it makes personal information available
  • Enter into contracts that meet the requirements laid out in the CCPA for service providers (§1798.140(v)); Sephora must document this and include it in the annual report

The settlement terms add a significant administrative obligation that Sephora must meet.

These sanctions carry more than a financial cost in terms of fines; they also add to the executive and overall compliance costs.

There’s a fresh spotlight on the immediate need for CCPA compliance with this settlement for violating State laws. Simply put, non-compliance will only result in a long and painful road for businesses.

This calls for a scrutinizing look at internal processes – adding time, cost, and other resources for course correction. In this competitive age, brands shouldn’t risk diluting trust with today’s informed and privacy-oriented consumers.

The AdTech state of affairs – A very narrow scope

Since its inception, the CCPA has granted California consumers the right to opt-out of a sale of their personal information.

The CCPA defined sale as:
“Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

One of the major challenges from this definition has been how to interpret “or other valuable consideration”.

In the Sephora case, the AG and Sephora agreed to what appears to be a new term: Sale Using Online Tracking Technology.

In interpreting the definition of sale, keep in mind that Sephora’s decision is very narrow and limited with respect to this new definition pertaining to just sales “Using Online Tracking Technology.”

Earlier, businesses had not been given insight into what a sale would look like in the context of a company using online tracking technology.

Pre-Sephora, businesses had to rely on the statutory definition of sale to interpret whether their activities fell within scope.

Accordingly, the Final Judgment’s construing valuable consideration to include (but not limited to) receiving “personal information or other information such as analytics; or free or discounted services” only pertains to those sales involving the use of online tracking technology.

Dissecting the non-compliance issues: 13 enforcement examples, and the Global Privacy Control (GPC)

13 enforcement examples

On the same day it released details about the Sephora settlement, the AG bolstered its case that CCPA compliance meant more than evaluating a Sale and processing preference signals through GPCs.

The AG listed 13 new enforcement examples in its revised enforcement examples, making it a whopping 40 total examples that have been provided.

While the details of the investigations are not made public, the examples provide insight into what is on the AG’s radar.

To start, the AG’s enforcement focus did not zero in on any particular industry; the examples span consumer retail, hospitality, home improvement, technology, healthcare, medical devices, and the fitness industry.

Some of the issues identified are not new

A common theme for the AG continues to be finding non-compliant privacy policies, notice of financial incentives, and notice of collection.

The importance of complying with the CCPA’s privacy notice requirements cannot be overstated. The latest examples include new issues not previously identified.

For example: failure to honor consumer opt-outs of sales; no request methods; erroneous treatment of requests to know; requiring consumers to waive or limit CCPA rights; limiting the number of requests to know; and sale of personal information.

The addition of new issues to the 27 previous examples should be a sign that the AG is willing to leave no compliance stone unturned.

This includes challenging a covered business’s self-assessment of whether it sells personal information, and also testing those companies’ willingness to recognize signals sent via GPC.

The Global Privacy Control (GPC)

Under the CCPA, a business must configure its website to detect and process user-enabled global privacy control signals, such as the GPC.

Global Privacy Control (GPC) enables consumers to opt out of all online sales in one fell swoop by broadcasting a ‘do not sell’ signal to every website they visit. This eliminates the need for consumers to manually click an opt-out link on each site.

Organizations must treat such GPC opt-out requests the same as requests made by users who have clicked the Do Not Sell My Personal Information link.

The AG’s complaint alleged Sephora was selling its consumers’ personal information. In Sephora’s case, consumers who made requests via the GPC did not have those requests processed.

The enforcement action made it clear that brands should make sure consumers can easily opt-out of any selling of their personal information.

Introduced in October 2020, GPC aimed to help consumers communicate their privacy preferences universally and with ease on supported browsers. The initiative also received support from the California AG back in January 2021.

July 2021 brought further backing for GPC: in a fresh round of CCPA enforcement, the office of California AG Rob Bonta issued letters to several organizations for failing to comply with GPC requirements under the CCPA.

Harmonizing opt-out preference signal requirements between the states: A trend to watch

If a website detects a GPC signal indicating a preference not to sell/share PI, the website must block the PI from being sold or shared, consistent with the user’s GPC signal, rather than ignoring the signal’s request to opt out.

Colorado and Connecticut have different requirements for whether businesses must recognize opt-out preference signals.

In Colorado’s Privacy Act (CPA), the requirements around recognizing an opt-out preference signal are less onerous on controllers (the CPA’s term for what the CCPA calls covered businesses).

Connecticut’s privacy law, by contrast, is more aligned with the CCPA, requiring controllers to recognize opt-out preference signals sent via a mechanism or platform.

In requiring businesses to recognize preference signals, the AG has pushed technology to catch up with the law, encouraging privacy-driven innovation.

 

DAA & NAI initiatives

These initiatives allowed participating consumers to opt out of targeted advertising by the companies in the NAI’s and DAA’s programs. Participation was voluntary, so of course it was limited.

Consumers could opt-out in general, or consumers could opt-out individually.

This arrangement didn’t stop the collecting of personal information or identifying the consumer. It prevented targeted advertising and wasn’t really a privacy solution because PI could still be collected.

Do Not Track (DNT)

DNT was a mechanism for sending a consumer preference signal. Companies would adhere to the signal if they received it.

So, many companies invested, and some browsers implemented the header. There was even a user interface where the DNT signal could be easily turned on or turned off globally.

The downfall, however, was that no legislation backed DNT, which created a false sense of consumer protection.

Present enforcement – Consent flows

Today, consumer preferences are handled through Notice and Consent via cookie banners and multi-step consent flows.

In some cases, cookie banners can be managed by going to opt-out cookie sites, which will require a browser to send signals to all companies that participate in the site, including those with websites we have never even visited.

The downfall is that people become very confused and frustrated, creating a bad user experience. This is especially hard to avoid with mobile browsing. In general, this is just an inconsistent enforcement mechanism.

The future – GPCs

With legislation backing (CCPA, CPA, CTDPA) and an easy user experience, global privacy controls look to be the future of opt-outs.

Consumers can either use browsers that have already implemented the GPC (Firefox, Brave, DuckDuckGo) or download a browser extension to send the opt-out preference signal.

Beyond the fine – Immediate red flags for organizations

For comprehensive CCPA compliance, organizations must implement multiple controls beyond honoring GPC and Do Not Track signals.

Besides Sephora in retail, businesses in fitness, technology, ad tech, and fintech, among other industries, have also been served notices for non-compliant opt-outs.

Apart from opt-out issues within retail, organizations across industries have been served notices for numerous CCPA violations.

The latest round of CCPA investigations targeted businesses’ mobile apps that allegedly failed to comply with consumer opt-out requests or offered no mechanism at all for consumers who want to stop the sale of their data, as well as businesses that are not recognizing authorized agent requests, including those made through Permission Slip (a mobile app developed by Consumer Reports).

Immediate issues:

  • Non-compliant Privacy Policy Notices
  • No Request Methods
  • Limited Number of Requests to Know
  • Missing Do Not Sell/Sale of Personal Information Links
  • Non-Compliant Verification Procedures
  • Non-compliant Service Provider Contracts
  • Untimely Responses to CCPA Requests

The list goes on.

And organizations have already taken or are undertaking measures to achieve CCPA compliance quickly.

 

Industry | Enforcement issue | Corrective action
Technology | Non-compliant privacy policy and no request methods for CCPA compliance | Privacy policy updated; request methods implemented; compliant opt-out link added
Healthcare | Requests to know were incorrectly matched with requests to delete | Request response process improved; staff training imparted
Social media | Delayed responses to CCPA requests to know and delete personal information | Outstanding requests addressed; systems updated to avoid delays

 

The office of the AG does not generally release this information to the public about its investigations. With notices of noncompliance, firms have already started executing remedial measures.

The message is clear – businesses must fix curable violations within 30 days of notification to avoid consequences!

Immediate priorities: Your CCPA compliance checklist

Sephora isn’t an isolated example. The AG is focused on companies’ ability to operationalize the CCPA with technical solutions. During the recent mobile app investigations, the AG specifically looked for a mechanism through which consumers could request to opt out of the sale of their personal information.

What primary steps must organizations take to ensure they remain CCPA compliant?

  • Reevaluate whether you are “selling” personal information.
    • If yes, reassess third-party contracts, privacy notices, and opt-out compliance.
  • Assess whether policies are updated to disclose the sale of consumers’ Personal Information (PI).
  • Is sufficient Notice at the Point of PI Collection provided?
  • Review opt-out capabilities.
  • Provide Notice of Financial Incentive (if applicable).
  • Review processes of responding to requests and security considerations.
  • Ensure disclosures to “service providers” meet CCPA’s contractual obligations.
  • Review processes and verifications for accepting requests.
  • Review Access and Individual Rights Management.

Don’t forget mobile apps are within the scope of CCPA

Even though the amended CCPA is not enforceable until July 1, the CCPA regulations enacted in 2020 still apply, and enforcement is ongoing. AG Bonta explains that apps can access an array of sensitive information from mobile devices.

“I urge the tech industry to innovate for good — including developing and adopting user-enabled global privacy controls for mobile operating systems that allow consumers to stop apps from selling their data.”

Consumer trust trumps non-compliance

As consumer-obsessed and privacy-driven organizations, brands are better off safeguarding themselves for CCPA compliance rather than taking the ’30-day rectification’ route.

While brands are left understanding and researching the rules, authorities have started slapping fines. The time for research is behind; brands need to comply. And fast!

A privacy-driven approach will only help fortify consumer trust.

CPRA, the more stringent version of CCPA, is also expected to tighten the waters for businesses. Non-compliance and imprecise privacy programs will not suffice.

Missing a compliance action plan for your organization?

The California Attorney General’s enforcement examples serve as a warning and caution to businesses. More enforcement and actions are bound to follow suit, but organizations cannot afford a wait-and-watch approach.

While deciphering the technicalities and nitty-gritty of achieving compliance may seem time-consuming and daunting, it doesn’t have to be. TrustArc has solutions to accelerate your path to CCPA compliance.

Receive a CCPA Compliance Validation by passing a thorough evaluation of program-level measures and evidence to ensure that you and your third-party vendors process personal information in compliance with the CCPA.

Evaluate tracking technologies on your website with the most mature Website Monitoring Manager in the market. 
Secure digital experiences with improved compliance risk identification and cookie analysis.

Simplify GPC recognition and honor GPC opt-outs with our consent solutions.

Privacy-driven frameworks form the foundation for organizations that prioritize consumer preferences. With some insight into how brands should think about compliance, this is the time to act.

Proactive businesses will be leading the pack on the road to CCPA compliance. Our privacy experts are ready to help your organization navigate the CCPA as amended by the California Privacy Rights Act.
