With the rise in comprehensive state privacy laws, states are taking different approaches to informing the public of the details of the enforcement actions taken by their respective enforcement authorities. For example, Connecticut has opted to issue periodic reports providing updates as to its broader privacy efforts, the consumer complaints it received, and its takeaways and updates from enforcement efforts. While enforcement actions work to correct unlawful behavior, they also serve as a guide for businesses to assess what issues enforcement authorities are prioritizing.
Alternatively, the California Attorney General (“AG”) and California Privacy Protection Agency (“CPPA”), the state agencies responsible for implementing and enforcing the California Consumer Privacy Act (“CCPA”), issue press releases of their settlements under the CCPA. Between these enforcement authorities, there have been a total of 5 settlements for alleged violations of the CCPA, with fines averaging approximately $610,535, against the following businesses: (1) Sephora, (2) DoorDash, (3) Tilting Point Media LLC, (4) American Honda Motor Co. (“Honda”), and (5) Todd Snyder. The first three enforcement actions were brought by the California AG, and the latter two by the CPPA.
The key themes and violations implicated by California’s first enforcement actions under the CCPA include:
- Requiring consumers to verify their identity to exercise non-verifiable data subject rights (“DSR”) requests. Under the CCPA, businesses are prohibited from requiring consumers to verify themselves before processing consumers’ requests to: (i) opt out of the sale or sharing of personal information, and (ii) limit use and disclosure of sensitive personal information. Both Todd Snyder and Honda utilized uniform online webforms for all DSR requests, resulting in consumers having to provide certain information even when exercising non-verifiable DSRs.
- Requiring excessive information to exercise verifiable DSR requests. Similar to the above, even when a business is required to verify consumer requests, it must avoid requesting more information than necessary for the consumer to exercise their DSRs. When verifying certain DSR requests, the CCPA requires businesses to consider several enumerated factors and, if possible, match provided information to that already maintained. According to the CPPA, Todd Snyder and Honda both unlawfully required excessive information, including government identification in Todd Snyder’s case, which discouraged consumers from submitting DSR requests.
- Failing to honor DSR requests or making it difficult to exercise consumer rights. DSR requests can be submitted through a variety of methods under the CCPA, including through user-enabled global privacy controls and website banners. Ensuring that your website and its technical infrastructure are properly configured is important, as the Sephora and Todd Snyder settlements resulted from a lack of proper configuration. Todd Snyder’s cookie consent banner allegedly rendered it impossible for consumers to opt out of sharing personal information, and Sephora’s website failed to detect or process any global privacy control signals. This resulted in these businesses wholly disregarding consumers’ DSR requests in violation of the CCPA.
- Sharing information without the legally required contractual provisions and safeguards. The CCPA requires businesses that are disclosing personal information to third parties, such as service providers, to include certain consumer safeguards in their contracts with those service providers. These include explicit provisions limiting the purposes for which personal information can be used, and that require the third party to provide the same level of privacy protection as required of businesses under the CCPA, among other things. The CPPA alleged that Honda was sharing information with third parties but failed to include required safeguards in contracts. Further, both DoorDash and Sephora were ordered, as part of their settlements, to review and amend their contracts to include such required provisions and update the California AG on their progress of the same.
Please contact Jake Bennett at jbennett@masudafunai.com or any member of Masuda Funai’s Intellectual Property and Technology group if you have any questions about the CCPA or privacy compliance more generally.
Masuda Funai is a full-service law firm with offices in Chicago, Detroit, Los Angeles, and Schaumburg.
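© 2025 Masuda, Funai, Eifert & Mitchell, Ltd. All rights reserved. This publication is not a substitute for legal advice or a legal opinion on specific facts or circumstances. Its contents are provided for informational purposes. If you intend to rely on this information, please consult an attorney and follow their advice. This publication may also be considered advertising material.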