{"id":2619,"date":"2022-09-30T12:17:00","date_gmt":"2022-09-30T18:17:00","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=resource&#038;p=2619"},"modified":"2024-10-15T13:06:53","modified_gmt":"2024-10-15T19:06:53","slug":"ccpa-compliance-lessons-ag-enforcement","status":"publish","type":"resource","link":"https:\/\/trustarc.com\/resource\/ccpa-compliance-lessons-ag-enforcement\/","title":{"rendered":"Critical CCPA Compliance Lessons to Learn from AG Enforcement"},"content":{"rendered":"\t\t<section id=\"block_17dd880d64729b1d03a91fee5f40b4be\" class=\"resource-intro intro-simple\">\n\t\t\t<div class=\"container\">\n\t\t\t\t\t\t\t\t\t<strong class=\"sub-title block uppercase\">Articles<\/strong>\n\t\t\t\t\t\t\t\t\t\t<h1>Critical CCPA Compliance Lessons to Learn from AG Enforcement<\/h1>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t<section id=\"block_026f22d89f0d98c67c2160001e289520\" class=\"columns-content\">\n\t\t<div class=\"container\">\n\t\t\t<div class=\"left\">\n\t\t\t\t\t\t\t<\/div>\n\t\t\t<div class=\"middle\">\n\t\t\t\t<div class=\"content\">\n\t\t\t\t\t<h2>California AG announces first enforcement actions from the California Consumer Privacy Act (CCPA)<\/h2>\n<p>Following an investigation into the privacy practices of Sephora surrounding its collection, use, and sale of consumers\u2019 online activities and other personal information, the California Attorney General (AG) and Sephora agreed to a settlement.<\/p>\n<p>On August 24, 2022, the California AG announced its first enforcement actions arising from the California Consumer Privacy Act \u2013 marking a new dawn for CCPA compliance.<\/p>\n<p>In the settlement, Sephora agreed to become compliant with the CCPA in the following ways:<\/p>\n<ul>\n<li>Provide notice to consumers that clearly states that it sells their personal information and they have the right to opt-out of all sales<\/li>\n<li>To process consumer requests to opt-out signaled via the\u00a0<a href=\"https:\/\/blog.trustarc.com\/2021\/09\/10\/global-privacy-control\/\" target=\"_blank\" rel=\"noopener\">Global Privacy Control (GPC)<\/a><\/li>\n<li>To comply with the provisions of the California Privacy Rights Act (CPRA) related to providing notice of sale of consumers\u2019 personal information and their rights to opt-out once the CPRA becomes operative on January 1, 2023<\/li>\n<li>To establish a compliance program that enables businesses to adhere to assessment and reporting requirements to the AG for two years within 180 days<\/li>\n<li>To pay a $1.2 million settlement fine<\/li>\n<li>To conduct an annual regular review of its website and mobile applications to determine the entities with which it makes available personal information<\/li>\n<li>To enter into contracts that meet the requirements laid in CCPA for service providers (\u00a71798.140(v)). Sephora must document this and include it in the annual report<\/li>\n<\/ul>\n<p>The settlement terms add a significant administrative obligation that Sephora must meet.<\/p>\n<p><strong>These sanctions carry more than a financial cost in terms of fines; they also add to the executive and overall compliance costs.<\/strong><\/p>\n<p>There\u2019s a fresh spotlight on the immediate need for CCPA compliance with this\u00a0<a href=\"https:\/\/news.bloomberglaw.com\/privacy-and-data-security\/sephora-settles-with-california-over-sales-of-customer-data\">settlement<\/a>\u00a0for violating State laws.\u00a0Simply put, non-compliance will only result in a long and painful road for businesses.<\/p>\n<p>This calls for a scrutinizing look at internal processes \u2013 adding time, cost, and other resources for course correction. In this competitive age, brands shouldn\u2019t risk diluting trust with today\u2019s informed and privacy-oriented consumers.<\/p>\n<h2>The AdTech state of affairs \u2013 A very narrow scope<\/h2>\n<p>Since its inception, the CCPA has granted California consumers the right to opt-out of a sale of their personal information.<\/p>\n\t\t\t\t\t\t\t\t<blockquote class=\"w-indent\">\n\t\t\t\t\t\t\t\t\t<p>The CCPA defined sale as:<br \/>\n\u201cSelling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer\u2019s personal information by the business to another business or a third party for monetary or other valuable consideration.\u201d<\/p>\n\t\t\t\t\t\t\t\t<\/blockquote>\n\t\t\t\t\t\t\t\t<p>One of the major challenges from this definition has been how to interpret\u00a0<strong><em>or other valuable consideration.<\/em><\/strong><\/p>\n<p>In the Sephora case, the AG and Sephora agreed to what appears to be a new term:\u00a0<em><strong>Sale Using Online Tracking Technology<\/strong><\/em>.<\/p>\n<p>In interpreting the definition of\u00a0<em>sale<\/em>, keep in mind that\u00a0<strong>Sephora\u2019s decision is very narrow and limited<\/strong>\u00a0with respect to this new definition pertaining to just\u00a0<em>sales \u201cUsing Online Tracking Technology.\u201d<\/em><\/p>\n<p>Earlier businesses had not been provided insight into what a sale would look like in the context of a company using online tracking technology.<\/p>\n<p><strong>Pre-Sephora, businesses had to rely on the statutory definition of sale to interpret whether their activities fell within scope.<\/strong><\/p>\n<p>Accordingly, the Final Judgment\u2019s construing\u00a0<em>valuable consideration<\/em>\u00a0to include (but not limited to) receiving \u201cpersonal information or other information such as analytics; or free or discounted services\u201d only pertains to those\u00a0<em>sales<\/em>\u00a0involving the use of online tracking technology.<\/p>\n<h2>Dissecting the non-compliance issues: 13 enforcement examples, and the Global Privacy Control (GPC)<\/h2>\n<h3>13 enforcement examples<\/h3>\n<p>On the same day it released details about the Sephora settlement, the AG bolstered its case that CCPA compliance meant more than evaluating a\u00a0<i>Sale\u00a0<\/i>and processing preference signals through\u00a0<i>GPCs<\/i>.<\/p>\n<p>The AG listed 13 new enforcement examples in its revised\u00a0<a href=\"https:\/\/oag.ca.gov\/privacy\/ccpa\/enforcement\" target=\"_blank\" rel=\"noopener\">enforcement examples<\/a>,\u00a0making it a whopping 40 total examples that have been provided.<\/p>\n<p>While the details of the investigations are not made public, the examples provide insight into what is on the AG\u2019s radar.<\/p>\n<p>To start, the AG\u2019s enforcement focus did not zero in on any particular\u00a0industry: consumer retail, hospitality, home improvement, technology, healthcare, medical devices, and the fitness industry.<\/p>\n<h3>Some of the issues identified are not new<\/h3>\n<p>A common theme for the AG continues to be finding non-compliant privacy policies, notice of financial incentives, and notice of collection.<\/p>\n<p>The importance of complying with the\u00a0<a href=\"https:\/\/govt.westlaw.com\/calregs\/Document\/I02617090FEC711EC9BE2E932C3E0B302?viewType=FullText&amp;originationContext=documenttoc&amp;transitionType=CategoryPageItem&amp;contextData=(sc.Default)\" target=\"_blank\" rel=\"noopener\">CCPA\u2019s privacy notice requirements<\/a>\u00a0cannot be overstated.\u00a0The latest examples include new issues not previously identified.<\/p>\n<p>For example, failure to honor consumer opt-outs of sales, no request methods; erroneous treatment of requests to know;\u00a0 required consumers to waive\/limit CCPA rights; limited number of requests to know; and sale of personal information.<\/p>\n<p><strong>The addition of new issues from the 27 previous examples should be a sign that the AG is willing to leave no compliance stone left unturned.<\/strong><\/p>\n<p>Including challenging a covered business\u2019s self-assessment of whether they\u00a0<em>sell<\/em>\u00a0but also testing those companies\u2019 willingness to recognize signals sent via GPCs.<\/p>\n<h3>The Global Privacy Control\u00a0(GPC)<\/h3>\n<p>Under the CCCPA, a business must configure its website to detect or process user-enabled global privacy control signals, such as using the GPC.<\/p>\n<p>The\u00a0<a href=\"https:\/\/oag.ca.gov\/news\/press-releases\/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement\" target=\"_blank\" rel=\"noopener\">Global Privacy Controls<\/a>\u00a0(GPC) enable consumers to opt-out of\u00a0all online sales in one fell swoop by broadcasting a \u2018do not sell\u2019 signal across every website they visit.\u00a0These controls eliminate the need for consumers to click on an opt-out link each time manually.<\/p>\n<p>Organizations must treat such GPC opt-out requests the same as requests made by users who have clicked the\u00a0<em>Do Not Sell My Personal Information<\/em>\u00a0link.<\/p>\n<p>The AG\u2019s complaint alleged Sephora was selling its consumers\u2019 personal information. In Sephora\u2019s case, consumers who made requests via the GPC did not have those requests processed.<\/p>\n<p>The enforcement action made it clear that brands should make sure consumers can easily opt-out of any\u00a0<em>selling<\/em>\u00a0of their personal information.<\/p>\n<p>Introduced in October 2020, GPC aimed to help consumers universally communicate their privacy preferences with ease on supported browsers. The initiative also received support from California AG back in January 2021.<\/p>\n<p>By July 2021, further backing support for GPC. In a fresh round of CCPA enforcement, the California AG office of Rob Bonta issued letters to several organizations for failing to comply with GPC requirements under CCPA.<\/p>\n<h2>Harmonizing opt-out preference signal requirements between the states: A trend to watch<\/h2>\n<p>If a website detects a GPC that signals a preference not to sell\/ share PI, the website must block the PI from being sold or shared in a way that is consistent with the user\u2019s GPC signal (ignore the signal\u2019s \u201crequest to\u201d to opt-out).<\/p>\n<p>Colorado and Connecticut have different requirements for whether businesses must recognize opt-out preference signals.<\/p>\n<p>In\u00a0<a href=\"https:\/\/blog.trustarc.com\/2021\/06\/16\/colorado-privacy-act-guide\/\" target=\"_blank\" rel=\"noopener\">Colorado\u2019s Privacy Act (CPA)<\/a>, the requirements around recognizing an opt-out preference signal are less onerous on controllers (or covered businesses in CA).<\/p>\n<p>While\u00a0<a href=\"https:\/\/blog.trustarc.com\/2022\/06\/30\/connecticut-personal-data-privacy-and-online-monitoring-act\/\" target=\"_blank\" rel=\"noopener\">Connecticut\u2019s privacy law<\/a>\u00a0is more aligned with the CCPA, requiring controllers to recognize opt-out preference signals sent via a mechanism or platform<\/p>\n<p>In requiring businesses to recognize preference signals, the AG has pushed technology to catch up with the law, encouraging privacy-driven innovation.<\/p>\n<p>&nbsp;<\/p>\n\t\t\t\t\t\t\t\t<div class=\"wide-img\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/09\/The-evolution-of-user-enabled-optouts.png\" class=\"attachment-full size-full\" alt=\"\" srcset=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/09\/The-evolution-of-user-enabled-optouts.png 1024w, https:\/\/trustarc.com\/wp-content\/uploads\/2024\/09\/The-evolution-of-user-enabled-optouts-300x225.png 300w, https:\/\/trustarc.com\/wp-content\/uploads\/2024\/09\/The-evolution-of-user-enabled-optouts-768x576.png 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<h4>DAA &amp; NAI initiatives<\/h4>\n<p>Allowed participating consumers to opt-out of targeted advertising by the companies in the NAI\u2019s and DAA\u2019s initiatives.\u00a0 The participation was voluntary, so of course the participation was limited.<\/p>\n<p>Consumers could opt-out in general, or consumers could opt-out individually.<\/p>\n<p>This arrangement didn\u2019t stop the collecting of personal information or identifying the consumer. It prevented targeted advertising and wasn\u2019t really a privacy solution because PI could still be collected.<\/p>\n<h4>Do Not Track (DNT)<\/h4>\n<p>There was a mechanism used to send a consumer preference signal. Companies would adhere to the signal if they received it.<\/p>\n<p>So, many companies invested, and some browsers implemented the header. There was even a user interface where the DNT signal could be easily turned on or turned off globally.<\/p>\n<p>The downfall, however, was no legislation backed the DNT, which created a false sense of consumer protection.<\/p>\n<h4>Present enforcement \u2013 Consent flows<\/h4>\n<p>Today, consumer preferences are handled through Notice and Consent via cookie banners and multi-step consent flows.<\/p>\n<p>In some cases, cookie banners can be managed by going to opt-out cookie sites, which will require a browser to send signals to all companies that participate in the site, including those with websites we have never even visited.<\/p>\n<p>The downfall is that people become very confused and frustrated, creating a bad user experience. This is especially impossible to avoid with mobile browsing. In general, this is just an inconsistent enforcement mechanism.<\/p>\n<h4>The future \u2013 GPCs<\/h4>\n<p>With legislation backing (CCPA, CPA, CTDPA) and an easy user experience, global privacy controls look to be the future of opt-outs.<\/p>\n<p>Consumers can either use browsers that have already implemented the GPC (Firefox, Brave, DuckDuckGo) or download a browser extension to send the opt-out preference signal.<\/p>\n<h2>Beyond the fine \u2013 Immediate red flags for organizations<\/h2>\n<p>For comprehensive CCPA compliance, organizations must perform multiple controls besides honoring GPC and Do Not Track signals.<\/p>\n<p>Besides Sephora in retail, businesses in fitness, technology,\u00a0<a href=\"https:\/\/blog.hubspot.com\/marketing\/what-is-ad-tech\" target=\"_blank\" rel=\"noopener\">ad tech<\/a>, and fintech, among other industries, have also been served notices for non-compliant opt-outs.<\/p>\n<p>Apart from opt-out issues within retail, organizations across industries have been served notices for numerous CCPA violations.<\/p>\n<p>The\u00a0<a href=\"https:\/\/oag.ca.gov\/news\/press-releases\/ahead-data-privacy-day-attorney-general-bonta-focuses-mobile-applications%E2%80%99\">latest round of CCPA investigations<\/a>\u00a0targeted businesses\u2019 mobile apps that allegedly failed to comply with consumer opt-out requests or do not offer any mechanism for consumers who want to stop the sale of their data and businesses that are not recognizing authorized agent requests, including those made through the<em>\u00a0Permission Slip (a<\/em>\u00a0mobile app developed by Consumer Reports).<\/p>\n<h3>Immediate issues:<\/h3>\n<ul>\n<li>Non-compliant Privacy Policy Notices<\/li>\n<li>No Request Methods<\/li>\n<li>Limited Number of Requests to Know<\/li>\n<li>Missing Do Not Sell\/Sale of Personal Information Links<\/li>\n<li>Non-Compliant Verification Procedures<\/li>\n<li>Non-compliant Service Provider Contracts<\/li>\n<li>Untimely Responses to CCPA Requests<\/li>\n<\/ul>\n<p>The\u00a0<a href=\"https:\/\/oag.ca.gov\/privacy\/ccpa\/enforcement\" target=\"_blank\" rel=\"noopener\">list<\/a>\u00a0goes on.<\/p>\n<p><strong>And organizations have already taken or are undertaking measures to achieve CCPA compliance quickly.<\/strong><\/p>\n<p>&nbsp;<\/p>\n<table class=\" aligncenter\">\n<tbody>\n<tr>\n<td><strong>Industry<\/strong><\/td>\n<td><strong>Enforcement Issue\u00a0<\/strong><\/td>\n<td><strong>Corrective Action<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>Technology<\/strong><\/td>\n<td>Non-compliant privacy policy and no request methods for CCPA compliance.<\/td>\n<td>Privacy policy updated<\/p>\n<p>Request Methods implemented<\/p>\n<p>Compliant opt-out link<\/td>\n<\/tr>\n<tr>\n<td><strong>Healthcare<\/strong><\/td>\n<td>Requests to know were incorrectly matched with requests to delete<\/td>\n<td>Request response process improved<\/p>\n<p>Staff training imparted<\/td>\n<\/tr>\n<tr>\n<td><strong>Social media<\/strong><\/td>\n<td>Delayed responses to CCPA requests to know and delete personal information.<\/td>\n<td>Outstanding requests addressed<\/p>\n<p>Systems updated to avoid delays<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p>The office of the AG does not generally release this information to the public about its investigations. With notices of noncompliance, firms have already started executing remedial measures.<\/p>\n<p>The message is clear \u2013<i>\u00a0businesses must fix curable violations within 30 days of notification to avoid consequences!<\/i><\/p>\n<h2>Immediate priorities: Your CCPA compliance checklist<\/h2>\n\t\t\t\t\t\t\t\t<div class=\"wide-img\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/09\/3-Steps-to-CCPA-Compliance.png\" class=\"attachment-full size-full\" alt=\"\" srcset=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/09\/3-Steps-to-CCPA-Compliance.png 1024w, https:\/\/trustarc.com\/wp-content\/uploads\/2024\/09\/3-Steps-to-CCPA-Compliance-300x225.png 300w, https:\/\/trustarc.com\/wp-content\/uploads\/2024\/09\/3-Steps-to-CCPA-Compliance-768x576.png 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<p>Sephora isn\u2019t an isolated example. The AG is focused on the company\u2019s abilities to operationalize CCPA with technical solutions. During the recent mobile app investigations, the AG specifically searched\u00a0<i>for a mechanism for consumers\u2019 requests to opt out of the sale of their personal information.<\/i><\/p>\n<h4>What primary steps must organizations take to ensure they remain CCPA compliant?<\/h4>\n<ul>\n<li>Reevaluate whether you are \u201cselling\u201d personal information.\n<ul>\n<li>If yes, reassess third-party contracts, privacy notices, and opt-out compliance.<\/li>\n<\/ul>\n<\/li>\n<li>Assess whether policies are updated to disclose the sale of consumers\u2019 Personal Information (PI).<\/li>\n<li>Is sufficient Notice at the Point of PI Collection provided?<\/li>\n<li>Review opt-out capabilities.<\/li>\n<li>Provide Notice of Financial Incentive (if applicable).<\/li>\n<li>Review processes of responding to requests and security considerations.<\/li>\n<li>Ensure disclosures to \u201cservice providers\u201d meet CCPA\u2019s contractual obligations.<\/li>\n<li>Review processes and verifications for accepting requests.<\/li>\n<li>Review Access and Individual Rights Management.<\/li>\n<\/ul>\n<h3>Don\u2019t forget mobile apps are within the scope of CCPA<\/h3>\n<p>Even though the amended CCPA is not enforceable until July 1 \u2013 the CCPA regulation enacted in 2020 still applies, and enforcement is ongoing. AG Bonta explains that apps can access an array of sensitive information from mobile devices.<\/p>\n\t\t\t\t\t\t\t\t<blockquote class=\"w-indent\">\n\t\t\t\t\t\t\t\t\t<p>\u201cI urge the tech industry to innovate for good \u2014 including developing and adopting user-enabled global privacy controls for mobile operating systems that allow consumers to stop apps from selling their data.\u201d <\/p>\n\t\t\t\t\t\t\t\t<\/blockquote>\n\t\t\t\t\t\t\t\t<h3>Consumer trust trumps non-compliance<\/h3>\n<p>As consumer-obsessed and privacy-driven organizations, brands are better off safeguarding themselves for CCPA compliance rather than taking the \u201930-day rectification\u2019 route.<\/p>\n<p>While brands are left understanding and researching the rules, authorities have started slapping fines. The time for research is behind; brands need to comply. And fast!<\/p>\n<p>A privacy-driven approach will only help fortify consumer trust.<\/p>\n<p><a href=\"https:\/\/info.trustarc.com\/Web-Resource-2020-11-13-CPRA-Privacy-Advisory_LP.html\" target=\"_blank\" rel=\"noopener\">CPRA<\/a>, the more stringent version of CCPA, is also expected to tighten the waters for businesses. Non-compliance and imprecise privacy programs will not suffice.<\/p>\n<h3>Missing a compliance action plan for your organization?<\/h3>\n<p>The California Attorney General\u2019s enforcement examples serve as a warning and caution to businesses. More enforcement and actions are bound to follow suit, but organizations cannot afford a wait-and-watch approach.<\/p>\n<p>While deciphering the technicalities and nitty-gritty of achieving compliance may seem time-consuming and daunting, it doesn\u2019t have to be. TrustArc has solutions to accelerate your path to\u00a0<a href=\"https:\/\/trustarc.com\/california-privacy-assessment\/\" target=\"_blank\" rel=\"noopener\">CCPA compliance<\/a>.<\/p>\n<p><strong>Receive a\u00a0<a href=\"https:\/\/trustarc.com\/truste-certifications\/#\" target=\"_blank\" rel=\"noopener\">CCPA Compliance Validation\u00a0<\/a><\/strong>by passing a thorough evaluation of program-level measures and evidences to ensure that you and third-party vendors process personal information in compliance with the CCPA<strong>.<\/strong><br \/>\n<strong><br \/>\nEvaluate tracking technologies on your website with the most mature\u00a0<a href=\"https:\/\/trustarc.com\/website-monitoring-manager\/\" target=\"_blank\" rel=\"noopener\">Website Monitoring Manager<\/a>\u00a0in the market.\u00a0<\/strong>Secure digital experiences with improved compliance risk identification and cookie analysis.<\/p>\n<p><strong>Simplify GPC recognition\u00a0<\/strong>and<strong>\u00a0honor GPC opt-outs\u00a0<\/strong>with our\u00a0<strong><a href=\"https:\/\/trustarc.com\/cookie-consent-manager\/\" target=\"_blank\" rel=\"noopener\">consent<\/a>\u00a0solutions<\/strong>.<\/p>\n<p>Privacy-driven frameworks form the foundation for organizations that prioritize consumer preferences. With some insight into how brands should think about compliance, this is the time to act.<\/p>\n<p>Proactive businesses will be leading the pack on the road to CCPA compliance. Our privacy experts are ready to help your organization navigate the CCPA as amended by the California Privacy Rights Act.<\/p>\n<a href=\"\/products\/consent-consumer-rights\/\" class=\"btn\"><span>Find out more<\/span><\/a>\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t\t<div class=\"right sm\">\n\t\t\t\t<div class=\"share-it\">\n\t\t\t\t\t<strong class=\"title block uppercase\">Follow us<\/strong>\n\t\t\t\t\t<div class=\"soc-list\">\n\t\t\t\t\t\t<a href=\"https:\/\/www.linkedin.com\/company\/trustarc\/\" target=\"_blank\"><img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/themes\/trustarc\/assets\/dist\/images\/li-dark.svg\" alt=\"\" \/><\/a>\n\t\t\t\t\t\t<a href=\"\nhttps:\/\/twitter.com\/TrustArc\" target=\"_blank\"><img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/themes\/trustarc\/assets\/dist\/images\/tw-dark.svg\" alt=\"\" \/><\/a>\n\t\t\t\t\t\t<a href=\"javascript:;\" id=\"copy-url\"><img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/themes\/trustarc\/assets\/dist\/images\/link-dark.svg\" alt=\"\" \/><\/a>\n\t\t\t\t\t\t<span class=\"copied\" style=\"display:none;\">Link Copied!<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<div class=\"key-topics\">\n\t\t\t\t\t\t<strong class=\"title block uppercase\">Key Topics<\/strong>\n\t\t\t\t\t\t<ul>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li><a href=\"https:\/\/trustarc.com\/topic-resource\/ccpa-cpra\/\" class=\"badge\">CCPA\/CPRA<\/a><\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li><a href=\"https:\/\/trustarc.com\/topic-resource\/privacy-governance\/\" class=\"badge\">Privacy Governance<\/a><\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li><a href=\"https:\/\/trustarc.com\/topic-resource\/us-consumer-privacy-laws\/\" class=\"badge\">US Consumer Privacy Laws<\/a><\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/ul>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<div class=\"cta-area\">\n\t\t\t\t\t<p>Get the latest resources sent to your inbox<\/p>\n\t\t\t\t\t<a href=\"\/subscription-center\/\" class=\"cta\">Subscribe<\/a>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t<\/section>\n\t","protected":false},"excerpt":{"rendered":"<p>On August 24, 2022, the California Attorney General announced its first enforcement actions arising from the California Consumer Privacy Act &#8211; marking a new dawn for CCPA compliance.<\/p>\n","protected":false},"featured_media":1686,"template":"","topic-resource":[75,56,114],"type-resource":[6],"class_list":["post-2619","resource","type-resource","status-publish","has-post-thumbnail","hentry","topic-resource-ccpa-cpra","topic-resource-privacy-governance","topic-resource-us-consumer-privacy-laws","type-resource-articles"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.4 (Yoast SEO v27.4) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Critical CCPA Compliance Lessons to Learn from AG Enforcement | TrustArc<\/title>\n<meta name=\"description\" content=\"On August 24, 2022, the California Attorney General announced its first enforcement actions arising from the California Consumer Privacy Act - marking a new dawn for CCPA compliance.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/trustarc.com\/resource\/ccpa-compliance-lessons-ag-enforcement\/\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/ccpa-compliance-lessons-ag-enforcement\\\/\",\"url\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/ccpa-compliance-lessons-ag-enforcement\\\/\",\"name\":\"Critical CCPA Compliance Lessons to Learn from AG Enforcement | TrustArc\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/trustarc.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/ccpa-compliance-lessons-ag-enforcement\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/ccpa-compliance-lessons-ag-enforcement\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trustarc.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/res-feat-city-pink.png\",\"datePublished\":\"2022-09-30T18:17:00+00:00\",\"dateModified\":\"2024-10-15T19:06:53+00:00\",\"description\":\"On August 24, 2022, the California Attorney General announced its first enforcement actions arising from the California Consumer Privacy Act - marking a new dawn for CCPA compliance.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/trustarc.com\\\/resource\\\/ccpa-compliance-lessons-ag-enforcement\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/ccpa-compliance-lessons-ag-enforcement\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trustarc.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/res-feat-city-pink.png\",\"contentUrl\":\"https:\\\/\\\/trustarc.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/res-feat-city-pink.png\",\"width\":610,\"height\":152},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/trustarc.com\\\/#website\",\"url\":\"https:\\\/\\\/trustarc.com\\\/\",\"name\":\"TrustArc\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/trustarc.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Critical CCPA Compliance Lessons to Learn from AG Enforcement | TrustArc","description":"On August 24, 2022, the California Attorney General announced its first enforcement actions arising from the California Consumer Privacy Act - marking a new dawn for CCPA compliance.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/trustarc.com\/resource\/ccpa-compliance-lessons-ag-enforcement\/","twitter_misc":{"Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/trustarc.com\/resource\/ccpa-compliance-lessons-ag-enforcement\/","url":"https:\/\/trustarc.com\/resource\/ccpa-compliance-lessons-ag-enforcement\/","name":"Critical CCPA Compliance Lessons to Learn from AG Enforcement | TrustArc","isPartOf":{"@id":"https:\/\/trustarc.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/trustarc.com\/resource\/ccpa-compliance-lessons-ag-enforcement\/#primaryimage"},"image":{"@id":"https:\/\/trustarc.com\/resource\/ccpa-compliance-lessons-ag-enforcement\/#primaryimage"},"thumbnailUrl":"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/res-feat-city-pink.png","datePublished":"2022-09-30T18:17:00+00:00","dateModified":"2024-10-15T19:06:53+00:00","description":"On August 24, 2022, the California Attorney General announced its first enforcement actions arising from the California Consumer Privacy Act - marking a new dawn for CCPA compliance.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/trustarc.com\/resource\/ccpa-compliance-lessons-ag-enforcement\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/trustarc.com\/resource\/ccpa-compliance-lessons-ag-enforcement\/#primaryimage","url":"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/res-feat-city-pink.png","contentUrl":"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/res-feat-city-pink.png","width":610,"height":152},{"@type":"WebSite","@id":"https:\/\/trustarc.com\/#website","url":"https:\/\/trustarc.com\/","name":"TrustArc","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/trustarc.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/resource\/2619","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/resource"}],"about":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/types\/resource"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/media\/1686"}],"wp:attachment":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/media?parent=2619"}],"wp:term":[{"taxonomy":"topic-resource","embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/topic-resource?post=2619"},{"taxonomy":"type-resource","embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/type-resource?post=2619"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}