By: Linda L. Goodman
In a recent Agency board meeting, state officials disclosed over 2,176 complaints received over potential California Consumer Privacy Act (“CCPA”) violations and broadly set out the Agency’s most recent enforcement priorities.
Enforcement Priorities:
Moving forward, the Agency will focus enforcement on:
- Dark Patterns Emerge as Newest Priority
- The CCPA defines a “dark pattern” by what it is not. If your posted consumer request process and consent mechanisms do not embody the following principles, you may have a dark pattern.
- Use language that is easy to understand – avoid legalese or hyper-technical language.
- Symmetry in choice. If you provide a “yes” or “accept” option, you need to provide a “no” or “reject” option. It cannot be harder or more time-consuming to exercise a choice that is more privacy-protective.
- Avoid language or interactive elements that are confusing.
- Avoid choice architecture that impairs a consumer’s ability to make a choice. Requiring a consumer to click through multiple screens or bundling options may be considered interference.
- Easy to execute. Avoid circular or broken links or links that do not clearly lead to what a consumer is seeking to do.
- The CCPA defines a “dark pattern” by what it is not. If your posted consumer request process and consent mechanisms do not embody the following principles, you may have a dark pattern.
- Unnecessary or Improper Verification Requirements.
- Improperly requiring consumers to verify their identity to opt-out of the selling or sharing of consumer data or to limit the use of sensitive personal data.
- Businesses are not permitted to verify an identity on such requests. (If you have a good faith, reasonable, and documented belief that such a request is fraudulent, you may deny the request.) Remember the burden is always on the business to explain why it believes the requestor is not who they say they are rather than on the requestor to prove their identity.
- Incomplete or Inaccurate Privacy Disclosures.
- Failing to provide notice to consumers about the sale or sharing of personal data. Remember that in the context of the CCPA, “sale” means disclosure of data to a third-party including service providers if there has been no Service Provider Agreement restricting the use of the data. Close attention is being paid to “sharing” data for purposes of cross-context behavioral advertising (i.e., targeted ads).
- Protection of Children’s Data. Violating the CCPA in a manner that targets or affects vulnerable groups (such as minors under 16).
Compliance Steps to Take Now:
- Review Your Website for “Dark Patterns”. Take a close look at your website for choices, symmetry in choice, clarity, and simplicity. Be sure your links work. Test the website, including all links and be sure they are working. Make a CCPA request and time the response. Watch for any complaints coming to you.
- Review Your Consumer Response Practices. First, are you asking for verification when it is not needed? Second, are your responses to a consumer request timely? Third, are the responses to the consumer clear and is the action promised undertaken by the company?
- Ensure Your Privacy Policies are Complete and Accurate. Have your company’s data collection practices changed and is that reflected in the Privacy Policy? Notices and privacy policies should accurately describe your data collection practices, including the categories of personal information you collect, who you disclose it to, and how you use it. The CCPA requires privacy policies to be updated at least once annually. If your privacy policy is more than one year old, you must update it.
______________________________________________________________________
This article is a publication of The Goodman Law Firm and is intended to provide information on recent legal developments and it is not intended to be and should not be relied on as legal advice for any particular matter. This article does not create an attorney-client relationship, nor should it be construed as legal advice or an opinion on specific situations. This may constitute “Attorney Advertising” under the Rules of Professional Conduct and under the law of other jurisdictions.
Linda L. Goodman is the founder of The Goodman Law Firm, concentrating its practice in internet business and law. Her firm’s clients include Advertisers, Affiliates, Affiliate Networks, and ISP’s.
© 2024 TGLF, A.P.C.