The Weekly Breach Breakdown: The Right Tool – CCPA Enforcement Update

• The one-year anniversary of the California Consumer Privacy Act (CCPA) and CCPA enforcement has come. According to the California Attorney General (AG), 75 percent of complaints were resolved within 30 days. The other 25 percent are still within the 30-day grace period or are still under investigation.
• The California AG’s report also includes 27 examples of complaints and what companies did to fix the potential violations.
• California also released a tool that will make it easier for consumers to file complaints about businesses that do not have a clear and easy-to-find “Do Not Sell My Personal Information” link on their website’s homepage.
• To learn about recent data breaches consumers and businesses should visit the ITRC’s data breach tracking tool, notified.
• For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

The Right Tool

Welcome to the Identity Theft Resource Center’s Weekly Breach Breakdown for July 23, 2021. Our podcast is possible thanks to support from Experian and Sentilink. Each week we look at the most recent events and trends related to data security and privacy. This week we look at the California Consumer Privacy Act (CCPA), the state law that gives consumers a way to push back against data breaches, and the one-year anniversary of CCPA enforcement.

I’m sure most of us have heard a parent or mentor say at one time or another, “You need the right tool for the right job.” When it comes to protecting privacy and personal information, the Mac-Daddy of protection tools is the CCPA.

News Statistics Released About CCPA Enforcement

California Attorney General (AG) Rob Bonta recently published statistics about the number of complaints his office has received alleging CCPA violations, including some examples. Seventy-five (75) percent of the complaints were resolved within the 30 days the law gives a business to comply once they are notified of a potential violation. The other 25 percent are still within the 30-day grace period or are still under investigation.

The most interesting part of the AG’s report is the 27 examples of complaints and what companies did to fix the potential violations. Notices to cure have been issued to data brokers, marketing companies, businesses handling children’s information, media outlets and online retailers. Some businesses prompted hundreds of CCPA enforcement complaints, while others generated millions.

Potential violations that have been cured include:

• A business that manufactures and sells cars failed to notify consumers of how personal information was used as part of a vehicle test drive in addition to other omissions in its privacy policy.
• A grocery chain required consumers to provide personal information in exchange for participation in its company loyalty programs. The company did not provide a Notice of Financial Incentive to participating consumers.
• A social media app was not timely responding to CCPA requests, and users publicly complained that they were not receiving notice that their CCPA requests had been received or acted on.
• An online dating platform that collected and sold personal information did not have a “Do Not Sell My Personal Information” link on its homepage or adequately explained its data-sharing practices.

Tool Released to Make It Easier for California Residents to File Complaints

AG Bonta also released a tool that makes it easy for California residents to directly complain to a business that does not have a clear and easy-to-find “Do Not Sell My Personal Information” link on their website’s homepage. That’s required by the CCPA, and the direct consumer complaints can trigger the process that can lead to CCPA enforcement action by the state AG.

More tools that allow consumers to help police the CCPA’s provisions, including damages paid directly to consumers for certain data breaches, may be offered in the future.

Contact the ITRC

If you have questions about CCPA enforcement, or how to keep your personal information private and secure, visit www.idtheftcenter.org, where you will find helpful tips.

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during normal business hours (6 a.m.-5 p.m. PST).

Thanks again to Sentilink and Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.