Staying CCPA Compliant as Enforcement Actions Continue

Just months after issuing a $1.2 million fine against Sephora for California Consumer Privacy Act (CCPA) violations, the California Attorney General is continuing to go on the offensive to enforce the law. In January 2023, A.G. Rob Bonta announced an investigative sweep, sending letters to businesses with mobile apps that fail to comply with the CCPA.

The sweep specifically targeted apps in the retail, travel, and food service sectors that allegedly fail to comply with consumer opt-out requests or do not offer any method for consumers to stop the sale of their data. Another focus of the sweep was businesses that failed to process consumer requests submitted via an authorized agent, a requirement of the CCPA. Requests submitted by authorized agents include those sent by Permission Slip, a mobile application developed by Consumer Reports that allows consumers to send requests to opt out and delete their personal information.

“In California, consumers have the right to stop the sale of their personal information, and my office is working tirelessly to make sure that businesses recognize and process consumers’ opt-out requests,” said California Attorney General Bonta. “Businesses must honor Californians’ right to opt-out and delete personal information, including when those requests are made through an authorized agent. Today’s sweep also focuses on mobile app compliance with the CCPA, particularly given the wide array of sensitive information that these apps can access from our phones and other mobile devices. I urge the tech industry to innovate for good — including developing and adopting user-enabled global privacy controls for mobile operating systems that allow consumers to stop apps from selling their data.” 

With more enforcement actions anticipated in the future, here are some best practices your organization can follow to make staying CCPA compliant easier.

Privacy Notices and Disclosures

Use a layered approach toward privacy notices and disclosures. This website is a good example of a layered approach, it provides consumers with a notice that is easy to navigate and allows the consumer to view the categories of disclosures. The approach is also concise and allows the consumer to easily find the information they wish to review. It also gives them in-depth information when they are looking for that level of detail. This method also results in a good UX experience which is usually on the design team’s radar.

The Privacy and Security section of Delta Air Lines' website
The Privacy and Security section of Delta Air Lines’ website


Provide consumers with a choice to opt down and/or out of the sale of their data while also giving them the ability to preserve some of the benefits that are received from certain sharing activities. On this website, you can visit the “Cookie Settings” link to view the choices available as a visitor of the website. This method gives the consumer more power and control over how their data is shared and provides the business with the ability to have a mutually beneficial relationship with the consumer.

The Cookies Settings on the UPS website
The Cookies Settings on the UPS website

At CompliancePoint, we have a team of experienced privacy professionals dedicated to helping organizations of all sizes reach and maintain compliance with the CCPA and other state privacy laws. Contact us and to learn more.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.