California AG Outsources CCPA Enforcement to Consumers

The California AG’s office launched an online tool that expands the enforcement arm of the office tremendously. The online tool is called the “Consumer Privacy Interactive Tool,” where consumers can create a notification that they can then send to a business notifying that business of an alleged violation of the “Do Not Sell My Personal Information” link requirements under the California Consumer Privacy Act (CCPA). Future iterations of this tool will expand the types of violations consumers can send notifications about; however, for now, it is limited to the Do Not Sell requirements.

If a consumer believes that a business is violating the Do Not Sell provision of the CCPA by failing to post an easy-to-find “Do Not Sell My Personal Information” link on their website, they can access the tool and answer a few questions. If the questionnaire determines there is an alleged violation, it will create a notice for the consumer to send. We ran through the questionnaire, and while it uses specific CCPA terminology (which could be confusing to some consumers), we think the type of consumer taking the time to use the tool will be somewhat familiar with the CCPA requirements.

For example, in this question, the terms “sell” and “third party” are common terms and have specific definitions under the CCPA.

If “I don’t know/I don’t understand the question” is selected, the tool spells out the definitions for the consumer, which is a nice feature.

While this may result in some false violation notices, businesses should review any notices of alleged Do Not Sell violations carefully and document the steps it takes to either remediate the issue or determine that no such violation exists.

As a reminder, a sale under the CCPA is broadly defined:

 “Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

All personal information sharing activities must be reviewed by the business in order to determine if it is selling personal information, including sharing with other businesses, vendors, or digital advertising platforms.

Under the 30-day right to cure in the CCPA, businesses have 30 days to update their processes and procedures and remedy the alleged violation. The AG outlines that these consumer notices may satisfy the 30-day right to cure notice, which means Do Not Sell violations existing after 30 days could be subject to fines under the CCPA.

If you have any questions about this update to the CCPA or any other data privacy requirements, please reach out to connect@compliancepoint.com.