Three out of four businesses that received warning
letters for failure to comply with California's broad privacy law cured the violations within 30 days, according to a new report by California Attorney General Rob Bonta.
The remaining 25% of
businesses that received warnings are either under investigation, or still have time to remedy the alleged violations before facing the prospect of an enforcement action, Bonta's office stated.
The California Consumer Privacy Act gives state residents
the right to learn what information has been collected about them by companies, have that information deleted, and prevent the sale of that data to third parties.
The measure went into effect
in January, but wasn't enforceable until July 1 of last year. The law tasks the attorney general with enforcement, and gives businesses 30 days to cure violations.
Bonta's office also posted
information about notices that were sent to 27 alleged violators. The office refused to disclose how many total warnings it sent, but the
examples posted online likely represent only a small proportion of the total, given that enforcement began one year ago.
To date, the attorney general's office
hasn't named any alleged violators.
One warning recipient, identified by Bonta as a “social media app,” allegedly failed to respond to consumers' requests to learn what personal
information had been collected about them, and to delete that data.
After being notified about the allegations, the business “responded to the outstanding requests,” and also
“updated its CCPA response system to ensure that future requests would be acknowledged and responded to in a timely manner,” according to the attorney general.
Another warning
recipient, an online dating platform, failed to include a “do not sell my personal information” link on its homepage. That company also said on its site that users consented to the sale of
their personal information by clicking an “accept sharing” button.
That company “added a clear and conspicuous 'Do Not Sell My Personal Information' link and
updated its privacy policy with compliant sales disclosures,” Bonta's office stated.
A third warning recipient -- a social media company that “advertised itself as being
pro-privacy” -- failed to tell consumers about their rights, and exchanged “personal information about users’ online activities with various third-party analytics providers,”
without giving consumers a way to opt out of the sale of their data, according to Bonta.
That company “updated its privacy policy and removed all third-party trackers from its app and
website,” the attorney general's office said.
A separate recipient, an electronics seller, allegedly “maintained third-party online trackers on its retail website that shared data
with advertisers about consumers’ online shopping.”
That company failed to process opt-out requests that were submitted through the “Global Privacy Control” -- a
downloadable browser extension signaling that consumers don't want their information sold or transferred by any companies that collect online data.
“After being notified of alleged
noncompliance, the company worked with its privacy vendor to effectuate consumer opt-out requests and avoid sharing personal information with third parties under conditions that amounted to a sale in
violation of the CCPA,” Bonta's office stated.
Bonta's office also released a tool aimed at helping consumers send notices to
businesses that don't have a “clear and conspicuous” do-not-sell-my-information link on their sites.
The interactive tool poses a series of questions about the company -- such as
whether it does business in the state, and whether it “sells” or transfers people's personal information -- and then provides a draft notice that consumers can send to businesses believed
to be in violation of the law.