
Navigating the complex landscape of data privacy regulations is critical for businesses. With the introduction of the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), organizations face significant challenges in maintaining compliance. These laws come with real-world implications that can hit companies hard if not followed correctly.

Let us dive into some high-profile examples of CCPA and CPRA violations. We'll explore how a major cosmetics retailer, a mobile telecom company, and various online retailers found themselves in hot water due to non-compliance. By dissecting these real-world cases, we'll highlight the specific provisions of these privacy laws, explain the penalties involved, and provide practical insights to help your business steer clear of similar pitfalls.

Examples of real-world CCPA violations

Here are three real-world examples of CCPA violations and how they were resolved.

1. Cosmetics retailer: Unauthorized sale of personal data

Violation: A major cosmetics retailer was fined for selling consumers' personal information without disclosing the sale or giving consumers a way to opt out. The ambiguity arose around what counts as a "sale" of personal information (the retailer allowed third-party tracking tags on its site in exchange for analytics and advertising services) and whether its opt-out practices met the CCPA's requirements.

Resolution: The cosmetics retailer agreed to a settlement with the California Attorney General, which included a fine of $1.2 million.

Penalties: The fine was imposed for failing to disclose the sale of personal information and not providing a "Do Not Sell My Personal Information" option for consumers at the time of sign up.

Outcomes: The retailer committed to making operational improvements, including honoring Global Privacy Control (GPC) signals and providing annual reports to the Attorney General for two years.

2. Mobile telecom company: Data breach

Violation: A mobile telecom company experienced a series of data breaches that exposed the personal information of millions of customers. The ambiguity concerned the extent of the company's duty to protect consumer data and whether the safeguards it had in place counted as reasonable security.

Resolution: The mobile telecom company agreed to a settlement with the Federal Communications Commission (FCC) to resolve multiple data breach investigations. Note that this settlement was reached with a federal regulator under federal communications law rather than under the CCPA itself; it is included here because a breach caused by a failure to maintain reasonable security also exposes a business to the CCPA's private right of action for data breaches.

Penalties: The telecom company paid a civil penalty of $15.75 million and committed to investing an additional $15.75 million in cybersecurity improvements.

Outcomes: The company agreed to implement robust cybersecurity measures, including adopting a Zero Trust architecture and phishing-resistant multi-factor authentication.

3. Online retailers: Failure to honor GPC

Violation: Multiple online retailers were found to be using web tracking technologies without offering an opt-out mechanism or ensuring third-party compliance with CCPA. The ambiguity here involved the interpretation of the GPC and how retailers should implement and honor these controls.

Resolution: The California Attorney General ran an enforcement sweep of large retailers and sent notices of alleged non-compliance to those that were not treating the GPC signal as a valid opt-out request.

Penalties: Penalties varied by case and were not all made public; the sweep's main effect was to make clear that a browser's GPC signal must be honored as a request to opt out of the sale of personal information, not treated as optional.

Outcomes: Retailers were required to update their privacy policies, detect and honor GPC signals, and bring their third-party tracking practices into compliance with CCPA regulations.
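The GPC case above turns on a small technical point that is easy to get wrong: a GPC-enabled browser announces the consumer's opt-out on every request with the header `Sec-GPC: 1` (and exposes `navigator.globalPrivacyControl` to page scripts), and a site honoring it must stop loading data-sharing tags before they fire, not after. The following Python is an added example written for this page, not code from any of the retailers or regulators discussed. It assumes a generic web backend that hands request headers and cookies to the application as dicts; the cookie name, the tag inventory and the sample requests are constructed for illustration. The header name and its single valid value, the `Vary` caching rule and the `/.well-known/gpc.json` discovery file come from the GPC specification.

```python
"""Honoring the Global Privacy Control (GPC) signal server-side.

Added example for this page; not code from any retailer or regulator.
Assumes a generic web backend that exposes request headers and cookies as
dicts. OPT_OUT_COOKIE and THIRD_PARTY_TAGS are assumptions made here.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Mapping

# Assumed: cookie set when the visitor clicks the site's own
# "Do Not Sell or Share My Personal Information" link.
OPT_OUT_COOKIE = "opt_out_sale_share"


@dataclass(frozen=True)
class OptOutDecision:
    opted_out: bool
    reason: str


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True only for 'Sec-GPC: 1'.

    The GPC spec defines exactly one valid field value, "1". Anything else
    ("0", "true", an empty string) is neither an opt-out nor consent, so it
    is ignored. Header names are compared case-insensitively, as HTTP requires.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def decide_opt_out(headers: Mapping[str, str],
                   cookies: Mapping[str, str]) -> OptOutDecision:
    """Combine the browser signal with the site's own opt-out state.

    Either source alone opts the consumer out of sale and sharing. The GPC
    signal must be honored even if the visitor never clicked the site's
    opt-out link and even if they are logged in to an account.
    """
    if gpc_signal_present(headers):
        return OptOutDecision(True, "Sec-GPC: 1 received")
    if cookies.get(OPT_OUT_COOKIE) == "1":
        return OptOutDecision(True, "site opt-out cookie set")
    return OptOutDecision(False, "no opt-out signal")


# Constructed tag inventory. shares_data marks tags that disclose personal
# information to a third party for advertising, i.e. a sale or sharing.
THIRD_PARTY_TAGS = (
    {"name": "first-party-analytics", "shares_data": False},
    {"name": "ad-network-pixel", "shares_data": True},
    {"name": "social-retargeting-pixel", "shares_data": True},
)


def tags_to_load(decision: OptOutDecision) -> list[str]:
    """Drop every data-sharing tag when the consumer is opted out.

    The filtering happens server-side, before the HTML is rendered: a consent
    banner that runs after the pixels have already loaded does not honor the
    opt-out, because the data has already left the site.
    """
    return [
        tag["name"]
        for tag in THIRD_PARTY_TAGS
        if not (decision.opted_out and tag["shares_data"])
    ]


def response_headers() -> dict[str, str]:
    """Headers for a page whose content depends on the GPC signal.

    'Vary: Sec-GPC' stops a shared cache from serving a tracking-enabled
    copy of the page to an opted-out visitor, or the reverse.
    """
    return {"Vary": "Sec-GPC"}


def well_known_gpc(last_update: str) -> str:
    """Body for /.well-known/gpc.json, which publicly states GPC support."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


if __name__ == "__main__":
    # Constructed requests: one from a GPC-enabled browser, one without.
    for headers, cookies in (({"Sec-GPC": "1"}, {}), ({}, {})):
        decision = decide_opt_out(headers, cookies)
        print(f"{decision.reason}: loading {tags_to_load(decision)}")
```

Two details deserve attention when wiring this into a real stack. First, the decision has to be made wherever tags are emitted, including server-side tag managers and any edge or CDN layer that injects scripts, since a GPC check in one template does nothing for pixels added elsewhere. Second, the same decision object can drive the consumer's own link-based opt-out, so the browser signal and the site's "Do Not Sell or Share" link share one code path and cannot drift apart.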

How the new CPRA resolves the ambiguities that were present in these cases

The CPRA builds on the CCPA by introducing clearer rules on how consumer data can be handled and shared. The five newer requirements below enforce more accountability and give consumers more rights over their data, so that violations like the ones discussed earlier are less likely to occur.

1. Clear definition of consent

The CPRA defines consent as a freely given, specific, informed, and unambiguous indication of the consumer's wishes, and states that agreement obtained through dark patterns does not count. This gives businesses a concrete standard for how to obtain and document consent where the law requires it.

Example: The cosmetics retailer from the earlier example was fined for selling personal information without disclosing the sale or offering consumers a way to opt out.

Resolution: Under the CPRA, the retailer has clearer guidelines on both sides of the transaction: what a valid opt-out looks like and, where consent is required (for example, to sell or share the personal information of consumers under 16, or to re-engage a consumer who has opted out), what counts as genuine consent. Consumers must explicitly agree to data collection and sharing practices, which makes it easier for both businesses and consumers to understand and comply with the regulations.

2. Sensitive personal information

The CPRA introduces a new category called "sensitive personal information (SPI)," which includes data like social security numbers, financial information, and precise geolocation.

Example: The mobile telecom company's data breach exposed SPI such as Social Security numbers and driver's license details.

Resolution: Because Social Security and driver's license numbers fall under the CPRA's SPI category, the telecom company must now apply additional protection to this data, disclose at the point of collection that it is collecting SPI and why, and honor consumer requests to limit its use.

3. Right to correction

Consumers now have the right to request corrections to inaccurate personal information held by businesses. This clarifies the process for handling such requests and ensures data accuracy.

Example: Multiple online retailers failed to honor GPC signals and did not provide opt-out mechanisms.

Resolution: The GPC case is addressed most directly by the CPRA's express requirement that businesses treat an opt-out preference signal, such as GPC, as a valid request to opt out of the sale and sharing of personal information. The right to correction is a separate new right: a consumer who finds that a retailer holds inaccurate data about them can require it to be corrected, and retailers must implement processes to receive, verify, and act on such requests. Together, the two provisions give consumers control over both how their data is disclosed and whether it is accurate.

4. Right to limit use of sensitive information

Consumers can restrict the use of their sensitive personal information, particularly for purposes like advertising. There are now clearer guidelines on how businesses should handle such requests.

Example: A user discovers that a health app they're subscribed to is sharing their sensitive information with third-party advertisers without their consent.

Resolution: The user exercises their right to limit the use of their sensitive information by opting out through a clear and conspicuous link on the app's homepage titled, "Limit the Use of My Sensitive Personal Information." The app must then stop sharing the user's sensitive data with advertisers and ensure that the data is only used for necessary purposes, such as providing health services.

5. Expanded scope of data sharing

The CPRA adds "sharing" alongside "selling": disclosing personal information to a third party for cross-context behavioral advertising counts as sharing whether or not money changes hands. Businesses must give consumers the option to opt out of both the sale and the sharing of their personal information.

Example: A user with an account on a social media platform discovers that their data is being shared with third-party advertisers and data brokers without their knowledge or consent.

Resolution: The social media platform updates its privacy policy and homepage to include a clear and conspicuous link titled "Do Not Sell or Share My Personal Information." Users can click this link to opt out of both sale and sharing. The platform must then stop disclosing the user's personal information to third parties for cross-context behavioral advertising, honor the opt-out for at least 12 months before asking the user to opt back in, and describe in its privacy policy the categories of information it sells or shares and to whom.

Common mistakes businesses make that may lead to a CPRA violation

  • Failing to maintain a CCPA/CPRA-compliant privacy policy: Businesses must have a clear and compliant privacy policy that informs consumers about their data collection, use, and sharing practices.
  • Failing to respond to consumers' requests: Businesses are required to respond, within the statutory deadlines, to consumers' requests regarding their rights under the CCPA/CPRA, such as requests to access, delete, or correct personal information, or to opt out of its sale or sharing.
  • Failing to provide adequate notice when collecting personal information: Businesses must provide clear and conspicuous notice to consumers at the point of collection about the categories of personal information being collected and the purposes for which it will be used.
  • Selling or sharing consumers' personal information without providing an opt-out: Businesses must offer consumers the option to opt out of the sale or sharing of their personal information, honor these requests, and treat opt-out preference signals such as GPC as valid requests.
  • Discriminating against consumers who exercise their CCPA/CPRA rights: Businesses cannot discriminate against consumers who exercise their rights under the CCPA/CPRA, such as by denying services or charging different prices.
  • Data breaches: Failing to implement reasonable security measures to protect personal information can lead to data breaches, which can result in regulatory penalties and private lawsuits under the CCPA's data breach provision.