The California Attorney General has warned mobile app developers: obey state privacy laws and consumer opt-out requests, or prepare to pay big bucks.
California Attorney General Rob Bonta maintains a running list of enforcement actions taken against companies that violate the California Consumer Privacy Act (CCPA).
In the state’s latest “investigative inquiry,” Bonta sent letters to companies offering mobile apps that would ignore consumer opt-out requests or sell user data, despite the CCPA, which, among other things, prohibits this type of sale of personal information.
This year’s sweep, which focuses on retail, travel and restaurant applications, also targets companies that have not handled consumer inquiries submitted by an authorized agent. One such authorized agent is Consumer Reports’ Permission Slip mobile app, which allows consumers to submit opt-out and deletion requests for their personal information. The CCPA requires companies that receive one of these requests to delete the sender’s information from their systems and stop collecting it for future retention.
Last year’s sweep netted global retailer Sephora a $1.2 million fine. It also showed that Bonta defines the “sale” of consumer data in broad terms and is willing to aggressively pursue companies that the state believes are not following the rules.
This year, Bonta has another tool at his disposal: the California Privacy Rights Act (CPRA), which is essentially an amendment to the CCPA that requires companies not to “share” people’s personal information with third parties. The CPRA became operational in January and will begin to be applied later this year.
“Consumers in California have the right to stop the sale of their personal information, and my office works tirelessly to ensure companies recognize and respond to consumer takedown requests,” Bonta said in a statement, adding that this year’s sweep focuses on mobile apps because of the “wide range of sensitive information these apps can access from our phones and other mobile devices.”
The state has developed its own online tool that allows consumers to directly notify companies that may have violated the CCPA.
“I urge the tech industry to innovate for good, including developing and adopting global user-enabled privacy controls for mobile operating systems that allow consumers to stop apps from selling their data,” Bonta continued.
Bonta’s office declined to respond to The Register’s questions about how many, and which, companies have received letters alleging CCPA violations.
“The app sweep announced last Friday sent notices to apps in the retail, travel and restaurant industries that collect and store consumers’ personal information to investigate their compliance with CCPA selling requirements,” a spokesperson said. “Letters have been sent to those we believe are not complying. Beyond this, to protect their integrity, we cannot comment on ongoing investigations.”
Does the sweep have teeth?
Stephanie Liu, analyst at Forrester Research, told The Register she doesn’t expect to see “a flood of CCPA-related fines in the near future, as companies will have the opportunity to bring their apps into compliance before being fined.”
But, she added, Bonta’s sweep has bite.
“The CCPA is still a relatively young law, so we can’t predict how enforcement will play out, but I think we have enough evidence of how seriously the California OAG takes the CCPA to know that it’s not just a publicity stunt,” Liu said.
And while the CCPA doesn’t have the national reach that a federal data privacy law would have, Bonta’s enforcement actions are having an impact beyond the Golden State, according to Alan Butler, executive director and president of the Electronic Privacy Information Center (EPIC).
“They’ve set an example both for other states rolling out new privacy regimes and for federal enforcement by the Federal Trade Commission and other agencies,” Butler told The Register.
Additionally, some companies may end up extending CCPA privacy protections to all of their customers, added Hayley Tsukayama, EFF’s senior legislative activist. “Many companies have re-examined the data they retain in light of the CCPA for all customers,” Tsukayama told The Register.
In addition to California, Colorado, Connecticut, Utah, and Virginia have also passed their own privacy laws, and others have similar consumer protection rules on the books.
“One of the biggest challenges with the patchwork of US privacy laws, state to state, is that it creates a huge compliance headache,” Liu said. “Some apps may allow opting out of all users, whether California or not. Others may create a CCPA-specific opt-out based on users’ location, optionally.”
Privacy advocates, including EFF, have pointed to gaps in mobile app data security and privacy, and despite lawsuits and threats from regulators, location data continues to be a cash cow for mobile app developers.
“The reality is that many apps widely share user data, so hopefully OAG’s announcement serves as a boost for app owners,” Liu said. They “must understand who they are sharing data with and give Californians the right to opt out.” ®