California AG Rob Bonta has been enforcing the California Consumer Privacy Act for over a year now and we are learning what he doesn’t like.
One bit of good news that we learned is that notices of violations that he sends out triggers a 30 day cure period and that seems to be working.
He said that 75% of the businesses that received a notice fixed the violation. Some of the rest are still in that 30 day period. The remaining, well, they are in trouble.
He published a list of 27 case examples of non-compliance and why. The examples are anonymous. It appears that he is trying not to turn non-compliant businesses into villains – as long as they clean up their acts. This is a good thing for businesses.
There is some argument about opt out, however, and hopefully that will get cleared up. Soon. The AG says that businesses have to comply with global opt out flags that some browsers can send.
Businesses don’t like that. They want to make it as hard as possible, if not impossible, for consumers to screw up their business model. In fact, a number of the examples that the AG talked about were related to that specifically – that companies were making it hard to opt out.
The conflict with the global opt out flag is that the CPRA (think of that as CCPA revision 2) allows businesses to choose between honoring global opt out OR via a DO NOT SELL link.
Obviously businesses figure if people have to opt out a hundred times a day and try to remember where they opted out and where they didn’t they will get tired of that and let businesses continue to sell their data. This is versus setting a one time flag and not having to worry about it ever again. This does not appear to be a technical issue, but rather a desire not to have their apple cart turned over if a lot of people say don’t sell my data.
The AG, however, has created an online privacy tool. Using this tool, a California resident can answer a few questions and if the business fails, the tool collects information to identify who is complaining, what the business is and creates a draft notice for the consumer to send to the business.. Note that filling out this form does not mean the business is a scofflaw, but it does put the business on the AG’s radar.
It is important to understand that this 30 day cure period goes away when CPRA goes into effect on January 1, 2023, so consider this a gift and not a way of avoiding the problem.
Credit: Ballard Spahr