This is the time of year for thought pieces reflecting on the past year or so to speculate on the hot topics for next year. I began to wonder about California Consumer Privacy Act (CCPA) enforcement actions over the past year as this was something that we speculated about not that long ago. The California Attorney General’s office has been busy and has even posted a list on its website of 27 examples of recent California Consumer Privacy Act enforcement actions.

The most common violation on the list is that a company’s privacy policy was non-compliant with CCPA requirements. Of the 27 cases cited, at least 16 had some form of privacy policy violation. Some of the privacy policies failed to provide consumers with the required CCPA rights, failed to state whether the company sold personal information, or failed to provide a method for consumers to submit requests about their data. Other violations included failure to provide notice to consumers of opt-out processes and the failure to include a “Do Not Sell My Personal Information” link. One company even tried to charge consumers for making CCPA requests.

All the cases cited appear to have begun with consumer complaints that resulted in a notice of alleged non-compliance. That notice gave the companies the opportunity to correct their deficiencies. In one privacy policy violation, the company updated its privacy policy in response to a complaint that it failed to provide notice of the required CCPA consumer rights and also failed to state whether it had sold personal information within the past 12 months. The updated policy, however, was “not easy to read or understandable to the average consumer, e.g. contained unnecessary legal jargon.” The company received a second notice of non-compliance and then revised its privacy policy accordingly.

Enforcement actions will no doubt continue in 2022, but the lesson learned from 2021 is that for companies that must comply with CCPA, having a CCPA-compliant privacy policy will be a great way to start the new year.

Deborah George

Deborah George is a member of Robinson+Cole’s Business Litigation Group as well as its Data Privacy + Cybersecurity Team. Ms. George advises clients on and focuses her practice on data privacy and security, cybersecurity, and compliance with related state and federal laws. She also has experience providing counsel in civil litigation and employment law matters. She has significant experience offering advice and counsel on legal issues related to human services agencies, including Medicaid, as well as drafting and reviewing contracts, business associate agreements, and data use agreements.