Most Companies Cure California Privacy Violations After Notices, AG Says

Three out of four businesses that received warning letters for failure to comply with California's broad privacy law cured the violations within 30 days, according to a new report by California Attorney General Rob Bonta.

The remaining 25% of businesses that received warnings are either under investigation, or still have time to remedy the alleged violations before facing the prospect of an enforcement action, Bonta's office stated.

The California Consumer Privacy Act gives state residents the right to learn what information has been collected about them by companies, have that information deleted, and prevent the sale of that data to third parties.

The measure went into effect in January, but wasn't enforceable until July 1 of last year. The law tasks the attorney general with enforcement, and gives businesses 30 days to cure violations.

Bonta's office also posted information about notices that were sent to 27 alleged violators. The office refused to disclose how many total warnings it sent, but the examples posted online likely represent only a small proportion of the total, given that enforcement began one year ago.

To date, the attorney general's office hasn't named any alleged violators.

One warning recipient, identified by Bonta as a “social media app,” allegedly failed to respond to consumers' requests to learn what personal information had been collected about them, and to delete that data.

After being notified about the allegations, the business “responded to the outstanding requests,” and also “updated its CCPA response system to ensure that future requests would be acknowledged and responded to in a timely manner,” according to the attorney general.

Another warning recipient, an online dating platform, failed to include a “do not sell my personal information” link on its homepage. That company also said on its site that users consented to the sale of their personal information by clicking an “accept sharing” button.

That company “added a clear and conspicuous 'Do Not Sell My Personal Information' link and updated its privacy policy with compliant sales disclosures,” Bonta's office stated. 

A third warning recipient -- a social media company that “advertised itself as being pro-privacy” -- failed to tell consumers about their rights, and exchanged “personal information about users’ online activities with various third-party analytics providers,” without giving consumers a way to opt out of the sale of their data, according to Bonta.

That company “updated its privacy policy and removed all third-party trackers from its app and website,” the attorney general's office said.

A separate recipient, an electronics seller, allegedly “maintained third-party online trackers on its retail website that shared data with advertisers about consumers’ online shopping.”

That company failed to process opt-out requests that were submitted through the “Global Privacy Control” -- a downloadable browser extension signaling that consumers don't want their information sold or transferred by any companies that collect online data.

“After being notified of alleged noncompliance, the company worked with its privacy vendor to effectuate consumer opt-out requests and avoid sharing personal information with third parties under conditions that amounted to a sale in violation of the CCPA,” Bonta's office stated.

Bonta's office also released a tool aimed at helping consumers send notices to businesses that don't have a “clear and conspicuous” do-not-sell-my-information link on their sites.

The interactive tool poses a series of questions about the company -- such as whether it does business in the state, and whether it “sells” or transfers people's personal information -- and then provides a draft notice that consumers can send to businesses believed to be in violation of the law.
