CCPA enforcement action takeaways

California AG CCPA enforcement trends and takeaways

The California Attorney General has brought two major California Consumer Privacy Act (CCPA) enforcement actions so far, against Sephora and DoorDash respectively. Comparing the two cases yields a few takeaways.

Broad interpretation of “sale” of personal information

In both cases, the AG treated the organization's conduct as a sale of personal information about which consumers were neither sufficiently informed nor given the chance to opt out.

Sephora allowed unspecified third parties to track information on consumers such as shopping cart items and precise location through Sephora’s website to create a profile on consumers.

DoorDash participated in a marketing cooperative in which each member organization contributes its consumers' personal information to the group, and every member gains access to the personal information contributed by all the other participants.

In the AG's opinion, neither of these was a service provider relationship, where the organization receives a service in return for the information, but rather a sale, where the organization receives monetary or other valuable consideration. There is obviously ambiguity about what counts as "other valuable consideration," as evidenced by the fact that it was extended to cover both analytics and marketing opportunities.

It’s safe to say that consumers need to be informed via the external privacy notice and allowed the opportunity to opt out of activities similar to these.

Either enter a contract or provide the right to opt out

The major issue identified in the Sephora case was the lack of a service provider contract with the third parties to which it provided personal information in exchange for analytics services.

In DoorDash's response to the California AG's enforcement action, it said that one of its vendors shared consumers' personal information "against their request." Such sharing would have been explicitly prohibited by a service provider contract, so the reasonable inference is that no such contract existed.

Data transferred to a service provider is exempt from the CCPA definition of a sale. A relationship involving an exchange of personal information will therefore either be considered a sale and be subject to opt-outs, or be a service provider relationship that is subject to the CCPA's service provider requirements and exempt from the definition of sale. Effectively, per the AG's decisions, these organizations were trying to fall into a secret third category where neither applies. Whether they received poor legal guidance or failed to understand the law, these companies took a risk and suffered the consequences.

While there may be downsides to entering a service provider contract, including that the service provider itself becomes subject to the CCPA, the upside is the ability to share personal information for the established activities without having to give the consumer a chance to opt out.

Most marketers associate the opt-out opportunity with revenue lost from consumers who opt out. However, the cost for the other organization to comply with the CCPA may exceed that potential lost revenue, and a comparable civil penalty certainly costs far more. DoorDash is paying $375,000, and Sephora was charged $1.2 million.

For help with service provider contracts, privacy notices, opt-outs, or anything else CCPA-related, reach out to info@privacyref.com.