CCPA Complaints

Last updated on 07 January 2022 by William Blesch (Legal and data protection research writer at TermsFeed)

Reporting a violation is an important way to help ensure that companies are held accountable for their actions and comply with the law. By reporting a violation of the California Consumer Privacy Act of 2018 (CCPA), consumers may be able to protect themselves and others from being harmed by that company in the future.

It is now easier than ever to report CCPA violations following a press conference held by California Attorney General Rob Bonta. During that press conference, California's AG highlighted the CCPA's effectiveness and unveiled a new Consumer Privacy Tool for individuals to report missing or unclear "Do not sell my personal information" buttons on company websites.

This article will review the major points of the CCPA, its key provisions and demands on businesses, get into specifics on how consumers can report CCPA violations, and provide a quick checklist of necessary points companies should include in their Privacy Policies to ensure CCPA compliance.

According to the AG, 75% of businesses reported for violations responded and made efforts to comply within the 30-day window allowed by CCPA regulations. Bonta said that the rest of the companies were notified and are still in the time frame to "cure the situation" or under active investigation.

Specifically, Bonta stated that:

"Enforcement of the CCPA marks an enormous step for privacy protection in California, particularly at this time after the COVID-19 pandemic moved so much of our lives online. We're happy to announce that we are seeing great progress with our CCPA enforcement, but there's more work to be done.

Plain and simple: Exercise your rights under the CCPA. Any Californian is empowered to opt-out of selling their personal information online. Consumers can also join our enforcement efforts with our new Data Privacy Protection Tool that allows anyone to notice a business that appears to be out of compliance with CCPA."

Later in the day, Bonta's office gave descriptions of 27 different CCPA actions that it had taken. In other words, this meant that Bonta was referring to more than a few businesses under active investigation or within the cure period.

Each case involved several types of non-compliance, such as failure to respond promptly to consumer inquiries and failure to disclose consumer rights. Examples of businesses in violation of CCPA regulations came from various industries, including grocery chains and streaming media services.

Additionally, the AG Office's CCPA FAQ Page was updated with comments that indicate a new era for enforcement priorities. About a third of the AG's reported CCPA actions already involved "Do-Not-Sell" violations, but the new FAQs suggest that the AG will now also be looking at honoring global opt-out signals from consumers via browser or other application/device-level settings.

In light of consumers' new ability to report CCPA violations directly to the California Attorney General's office, businesses should expect more enforcement by the AG and increased scrutiny of CCPA-related information on websites.

Businesses should also be alert for incoming CCPA requests via the AG's reporting tool. These requests could come from outside a company's existing CCPA compliance system and could be ignored if employees aren't aware of them.

With the AG's new focus on global opt-out signals, businesses should also consider increasing their ability to respond quickly to global privacy signals such as the Global Privacy Control.

What is the CCPA?

The CCPA is a privacy law that regulates how companies share and sell private, personal consumer data.

What Does the CCPA Do?

With its goal of protecting consumers' privacy leading much of its design, this act aims to limit how a consumer's personal information can be collected and used by both online businesses and brick-and-mortar stores.

Enacted in 2018 and going into effect on Jan. 1, 2020, the CCPA places many responsibilities on companies similar to those required by the General Data Protection Regulation (GDPR) enacted by the European Union (EU). Still, a business that already complies with the GDPR may have additional obligations under the CCPA.

What Businesses are Regulated by the CCPA?

The law applies to all companies that provide services to California residents and generate at least $25 million annually.

The law also applies to companies of any size that possess personal data on more than 50,000 individuals or make more than half of their revenue from selling personal data. The law doesn't require companies to be located in California or to have a physical presence there. They don't even need to be located in the United States.

An amendment added later exempts "insurance agents, support organizations, and insurance institutions" since they are already regulated under California's Insurance Information and Privacy Protection Act.

Penalties for Violating the CCPA

The CCPA gives the California Attorney General the power to bring a civil suit against businesses in violation of the law in the name and for the benefit of California residents.

It also allows consumers to file a lawsuit to seek actual or statutory damages, whichever may be greater, for the failure to enact reasonable procedures and measures that result in a data breach where unencrypted personal data is taken.

Intentional violations of California's Consumer Privacy Act may result in civil penalties of up to $7,500 per violation. This is in addition to any lawsuit filed by the California Attorney General for the benefit of Californians. For other offenses, the maximum penalty is $2,500.

Key Provisions of the CCPA

California residents have enhanced rights regarding their personal data. They can find out what information is being collected and how it is being used. They can also know whether or not their data has been sold to third parties and to whom. They can even oppose any sale of their information.

The CCPA is a significantly different piece of legislation from the GDPR. Companies that are affected by the CCPA should not assume their GDPR compliance efforts meet the requirements of the CCPA.

Having said that, here is a list containing key CCPA provisions which have an impact on your compliance efforts:

  • Right to opt out - The most essential right consumers have under the CCPA is the right to deny third parties permission to sell their personal data. However, it's important to remember that the CCPA's definition of "sale" is extremely broad. It includes any communication or transfer of a customer's personal data to another business or third party for monetary "or any other valuable consideration." This includes situations where a business receives any type of benefit in exchange for access to personal information. Examples of such benefits include mutual access to each other's marketing lists, information or insights about consumers, and the ability to target specific consumers for advertising purposes.
  • Right of access - The consumer also has the right to ask for and receive information regarding their personal data collected by businesses. This includes information about the categories of personal information that were collected, disclosed, or sold, the sources from which it was obtained, the categories of recipients, and the purpose of collecting and selling the information. Consumers have the right to see the categories and the individual pieces of personal data that a business has collected.
  • Right of portability and deletion - Consumers who request access to their personal data have the right to know which pieces the business has collected and also to obtain their information in a "readily useable format" that can be easily transferred, free of charge, and delivered within 45 calendar days. They can also request the removal of personal information that the business has collected, with certain exceptions. Businesses are also required to provide two separate ways for consumers to request deletion or portability.
  • The right to equal prices and services - Businesses are prohibited from discriminating against CA residents in retaliation for exercising their rights. However, companies are allowed to offer different prices and levels of service, provided that they are reasonably related to the consumer's value through their personal information.
  • Private Right of Action - California's CCPA requires that California businesses protect Californian consumers' personal information. This gives consumers the right, through the CCPA, to sue a company if they are not adequately protected.
  • Disclosures of personal information made - According to the CCPA, businesses that sell or divulge personal information for business purposes must inform consumers when they receive a verifiable request. They must maintain separate lists for data that is collected, shared, or sold for commercial purposes.
  • Privacy policy disclosures - Businesses that comply with the CCPA have to make affirmative disclosures about privacy practices. These disclosures must include an enumeration and description of the types and pieces of personal data being collected, their sources, the purpose, and the third parties with whom that information will be shared.

How Consumers Can Report CCPA Violations

California's Attorney General has created a tool that allows consumers to generate a notice of non-compliance to businesses that have violated the California Consumer Privacy Act.

The following screenshot shows the tool's disclaimer and the first question consumers must answer in the process of generating a non-compliance notice:

California Attorney General: Consumer Privacy Interactive Tool page screenshot

Consumers can only use this tool to draft notices to businesses that do not have an easy-to-locate "Do not sell my personal information" link on their website. The Attorney General's office may update this tool to address other potential CCPA violations. The last update of the tool was July 17, 2021 (version 1.0).

Los Angeles's KTLA Channel 5 displayed an excellent example of a "Do not sell my information" link, although the example showed the link inside a button:

KTLA Channel 5 news article: Opt out sell personal information message example from US Weekly

By filling out the questions provided by the AG's tool, you can create a non-compliance notice that you can send to businesses who may have violated CCPA by not posting the link mentioned above.

When using the tool, you'll need to answer the series of questions it asks to the best of your ability. The tool will then create a draft notice, which you can then copy into an email or print out to send to the company that you believe has violated the CCPA.

Consumers cannot sue businesses for most CCPA violations. However, it is possible to send a notice of non-compliance. If companies fail to remedy a CCPA violation within 30 calendar days, the Attorney General can sue them.

Sending a non-compliance notification to the offending business may satisfy that prerequisite.

CCPA Privacy Policy Checklist

If you're a California-based consumer, you now have tools at your disposal to help ensure businesses comply with the CCPA.

However, if you're a business owner or executive, you should understand that your company will now be under more scrutiny when it comes to CCPA compliance than perhaps it ever has been.

Thus, you will want to ensure that you include specific things on your website and in your CCPA-compliant Privacy Policy to help ensure you avoid penalties for non-compliance.

For instance, as previously stated, a business selling personal information must place a prominent "Do not sell my personal information" link on their company's website. This allows consumers to request that the sale of their personal data be stopped.

The CCPA provides clear guidelines on how to ensure that your Privacy Policy complies with its terms. A Privacy Policy that complies with the CCPA must be fully transparent about the following:

  • What information a business collects
  • Why it collects personal information
  • Whom the business shares this information with, and why
  • How the business collected data
  • Whom the consumer can contact if they wish to know more about how their data is used or stored
  • The consumers' various rights under the CCPA

You must also keep your Privacy Policy current by updating it at least once every 12 months and send or provide notice if you make any material changes to that policy.

Now, for the sake of full transparency and since consumers now have the ability to report CCPA violations, you should disclose that fact in your Privacy Policy. You should also provide instructions on how a consumer can make such a CCPA non-compliance report to the Attorney General's office.

Summary

The CCPA is off to a strong start with the first year of enforcement. California AG, Rob Bonta, said that 75% of businesses his office notified about an alleged violation took steps within 30 days to comply.

He also introduced a new online tool for consumers which will allow them to file complaints against companies they think are violating their privacy rights under the CCPA directly through email or on the website.

The new reporting tool should help make sure California consumers feel they have real recourse if they feel like their personal data has been mishandled.

Finally, if you reside in the state of California and you believe a company is violating your rights under the CCPA, you can begin using the new reporting tool on the California Attorney General's website.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.