Friday 08 26, 2022

Novel CCPA/CPRA Enforcement Treats Targeted Ads as Data "Sales"

Portrait Liana Chen
By Liana Chen

Partner

In a novel case, the California Attorney General (AG) has treated targeted ads using third parties, such as through routine marketing and analytics cookies, as data "sales."

What did the AG case address?

In a first-of-its kind action, the AG has settled with Sephora for alleged violations of the California Consumer Privacy Act (CCPA) for $1.2 million. Highlighting the lack of a “Do Not Sell My Personal Information” disclosure and opt-out form, the AG took the position that a “sale” of personal information includes commonly-used targeted advertising using third parties. In particular, taking a broad view of the term “sale,” the AG’s stipulated order defines “Sale using online tracking technology” as a “sale” where personal information is made available to third parties through “online tracking technologies such as pixels, web beacons, software developer kits, third party libraries, and cookies . . .” including for analytics or free/discounted products.

The AG also raised an unfair business claim for Sephora’s purported failure to contractually extend its privacy obligations to its vendors (i.e., have appropriate vendor and service provider contract terms) and to recognize opt-outs signaled via the Global Privacy Control (GPC) (i.e., companies should take note as this is an emerging issue). As part of the injunctive relief, Sephora will need to process GPC optouts and undertake privacy assessments and reporting for 2 years.

In a public statement, AG Rob Bonta cautioned, “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. . . My office is watching, and we will hold you accountable.”

This follows other proposed and passed privacy legislation, including the California Privacy Rights Act (CPRA), which becomes fully effective on January 1, 2023. Notably, the CPRA created a new California Privacy Protection Agency (CPPA) to replace the California AG as the designated regulator; and the 30-day “cure” period for privacy violations will expire. The CPRA further added requirements for “sharing” of personal information, which expands on the “do not sell” provisions.

What does this mean for companies with online marketing?

Businesses should take the time to review their privacy practices, policies, and contracts and, if an investigation or action arises, seek experienced counsel to assist. Kronenberger Rosenfeld regularly advices clients on privacy and general advertising compliance and litigation matters.

This entry was posted on Friday, August 26, 2022 and is filed under Resources & Self-Education, Internet Law News.



Related articles

Privacy & Cybersecurity

4 Ways to Protect Your Crypto

If you own any cryptocurrency, it's important to take steps to protect it from hackers and other bad actors. Here are four ways to do so. Use Two-Factor Authentication for...

Read Article

Privacy & Cybersecurity

How to Keep Up With New Privacy Laws

There has been a wave of emerging privacy laws from the California Privacy Rights Act ("CPRA"), which updates the California Consumer Privacy Act ("CCPA"), to the General Data Protection Regulation...

Read Article

Privacy & Cybersecurity

Firm Files Lawsuit Against Uphold HQ Inc Over

On February 25, 2022, Kronenberger Rosenfeld attorneys Karl Kronenberger and Kate Hollist filed a putative class action lawsuit against Uphold HQ, Inc., the company that runs the Uphold.com cryptocurrency exchange...

Read Article

Privacy & Cybersecurity

CCPA Opt-out Buttons as Options for CCPA Compliance

The proverbial dust from the implementation of the California Consumer Protection Act (“CCPA”) has settled. And at this point, most businesses are aware that under the CCPA, California residents have...

Read Article