On January 27, 2023, the California Attorney General (California AG) Rob Bonta announced an “investigative sweep” of mobile apps in retail, travel, and food service industries for failing to provide a mechanism for—or honor—consumers’ opt-out requests to stop selling their data under the California Consumer Privacy Act (CCPA). According to the California AG’s tweet, the mobile apps have already received letters of the alleged noncompliance. This announcement is significant for the reasons below.
The California AG expands the area of focus of enforcement to mobile apps. In 2021 and 2022, the California AG conducted similar investigative sweeps of online retailers that failed to honor or provide a mechanism for opt-out requests, despite using third-party online trackers without proper service provider contracts in place. This time, the California AG signaled that mobile apps are his focus “particularly given the wide array of sensitive information that these apps can access from our phone and other mobile devices.”
The 30-day cure period has sunsetted. The aforementioned investigative sweeps of online retailers resulted in only one settlement—that with Sephora—as other retailers who received the letter of alleged violation complied with opt-out rights within the 30-day cure period. This time, however, the sweep could result in more enforcement actions as the right to cure expired on January 1, 2023, when the California Privacy Rights Act’s amendments to the CCPA took effect.
The investigative sweep includes failing to “honor” requests from consumers’ authorized agents. The CCPA allows consumers to submit verifiable requests through authorized agents, ie, natural persons or business entities registered to do business in California. Permission Slip, an app developed by Consumer Reports, aims to streamline the process for consumers to submit privacy rights requests, particularly under the CCPA, by acting as an authorized agent. The January 27th announcement of the investigative sweep emphasizes that failing to honor opt-out and deletion requests from Permission Slip and similar tools violates the CCPA, indicating that the California AG will continue to endorse self-serve tools.
The California AG urges the tech industry to develop and adopt user-enabled global privacy controls for mobile devices. In the announcement, the California AG also encouraged the tech industry to develop user-enabled global privacy controls for mobile operating systems. To date, however, neither the California AG nor the California Privacy Protection Agency (CPPA) has clarified what such a control should look like in the mobile environment. For example, despite public comments asking the CPPA to provide greater clarity on the technical specifications for processing opt-out preference signals, CPPA staff took the position in the CPPA October Board Meeting that no other technical specifications are needed in the regulations. Although the Colorado AG will publish and update a list of recognized Universal Opt-Out Mechanisms, the California enforcement agencies are yet to make such commitments.
The California AG’s announcement should provide motivation for covered businesses to re-evaluate and update their CCPA compliance programs with respect to opt-out and deletion requests. In particular, we recommend businesses closely monitor industry standards and updates of self-serve tools, such as Permission Slip, and global opt-out mechanisms, such as Global Privacy Control, as evidenced by the California AG’s continued support for honoring and developing such tools.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues and will monitor attorney general guidance, enforcement, and litigation pursuant to the CCPA in order to assist clients with compliance. For more information or advice regarding your CCPA compliance efforts, please contact Tracy Shapiro, Eddie Holman, Yeji Kim, or any member of the firm privacy and cybersecurity practice.