$632,500 for making consumer privacy rights too difficult to exercise. That's the fine Honda received from the California Privacy Protection Agency (CPPA). It's a wake-up call for companies still treating privacy rights as a checkbox exercise. It's also something I've seen repeatedly in privacy assessments: companies making it unreasonably difficult for consumers to exercise their privacy rights.

Here are some areas regulators flagged:

❗ Requiring up to 8 fields of information just to opt out (excessive!)
❗ Creating a convoluted submission process for privacy rights requests
❗ Consumers had to directly confirm they authorized an agent to submit a request to opt out of sale/sharing or a request to limit (illegal under CCPA)
❗ Failing to train employees handling privacy requests
❗ Ignoring Global Privacy Control (GPC) signals
❗ Creating multiple steps to opt out while enabling one-click opt-ins
❗ Sharing data with vendors without proper documentation

The lesson? Privacy rights must be PRACTICALLY accessible, not just technically available.

Is your company vulnerable to similar issues? Ask:

✅ Can consumers opt out in 2 steps or fewer?
✅ Does your site recognize GPC signals?
✅ Do you have contracts with all vendors covering CCPA obligations?
✅ Is your team trained to process all types of privacy requests?
✅ Is opting out just as simple as opting in?

I'm seeing regulators across states increasingly focus on the how, not just the what, of privacy compliance. The days of hiding opt-out buttons or creating friction-filled privacy request processes are over. Make it easier for people to exercise their privacy rights.

What's been your experience with consumer privacy rights implementations? Have you seen examples of companies doing this particularly well (or poorly)?

Read more about the critical compliance areas companies should review in my latest article for the IAPP: https://lnkd.in/e4aH7Qna
Understanding CCPA And Its Implications For Businesses
Summary
The California Consumer Privacy Act (CCPA) is a landmark privacy law designed to provide California residents greater control over their personal data, requiring businesses to implement transparent data practices and enable consumers to access, delete, or opt out of data sharing. Understanding its requirements and implications is crucial for companies to avoid fines and legal actions while maintaining consumer trust.
- Create a data inventory: Identify the types of personal data your business collects, how it’s collected, stored, and shared, and document these processes to ensure transparency and compliance.
- Simplify consumer options: Design clear and accessible processes for consumers to exercise their rights, such as opting out of data sharing or deleting personal information, without unnecessary steps.
- Review tracking technologies: Regularly assess and update the use of tracking tools like cookies and pixels to ensure data is collected and shared securely according to legal requirements.
A court recently let a California CCPA class action lawsuit proceed against a company for its website's use of Google Analytics. Here's what to know and do ⬇️

A federal district court in California allowed a CCPA #ClassAction to survive a motion to dismiss. The defendant offers a website-based service for connecting people to mental health therapists, and allegedly allowed #GoogleAnalytics to collect information like mental health conditions entered into its website. Google offered an IP address anonymization feature that the defendant allegedly didn't use.

The court ruled that the CCPA claim under its limited private right of action (Cal Civ Code § 1798.150) could proceed even though there was no data breach. It reasoned that a data breach isn't required; a claim could proceed if personal information is subject to unauthorized disclosure as a result of the business's failure to maintain reasonable security procedures (presumably the use of the Google IP address anonymization feature).

While this isn't a ruling on the merits, the fact that the CCPA allows statutory damages of $100-$750 per consumer/incident (or actual damages if greater) could lead to claims against other companies on this theory for using cookies, pixels, and other tracking technologies for common business practices like #TargetedAdvertising and #website #analytics.

What should your company do? Here are four steps to consider:

1️⃣ Don't panic. This case isn't a ruling on the merits, and it's not clear this theory will ultimately prevail.

2️⃣ Assessments. Validate that your privacy or tracking technology assessment processes:
🔹 Identify what data is passed by each tracking technology;
🔹 Determine whether all data need to be passed and remove any that don't; and
🔹 Use privacy-protective tracking technology provider tools and settings. (Know what team at your company identifies what options are available, and determine whether they have the privacy knowledge to know what to look for and use. Reviews of providers' documentation and settings are often needed.)

3️⃣ Governance. Establish or validate an approach to governing the use of tracking technologies on your company's website and mobile #apps, including:
🔹 Keeping an up-to-date understanding of the technologies used and the business purposes they serve;
🔹 Knowing what specific data types are passed;
🔹 Triggering reviews or re-assessments when there are changes to the data passed or the business purposes the technologies are used for; and
🔹 Getting buy-in and alignment on roles and responsibilities with stakeholders who can place, use, or configure the technologies.

4️⃣ Consider Consent. Especially when website/app events or other data types passed could reveal something sensitive, obtain opt-in consent before allowing the data to be transmitted. This is viewed as required by the FTC, and is required under some of the state comprehensive #privacy laws.
You're the new Privacy Analyst at a U.S. retail company. Your manager just asked you to ensure the company is compliant with the California Consumer Privacy Act (CCPA), but you quickly realize there's no data inventory or record of what personal data is being collected, where it's stored, or who it's shared with. How would you even begin?

First, you'd start by building a data inventory — that means identifying what personal data the company collects (names, emails, browsing history, etc.), how it's collected (forms, cookies, third-party platforms), and where it lives (CRM, marketing tools, cloud storage, etc.). You'd likely send out a questionnaire or meet with key teams (marketing, IT, sales) to gather this info.

Then, you'd map the data flows — what systems touch this data, who has access, and whether it gets sent to vendors or service providers. This is essential for understanding risk and creating compliant privacy notices.

Finally, you'd document it all and check it against the CCPA requirements — can users request access to their data? Can they delete it? Is there a way to opt out of data selling?

This is GRC work in action: breaking down compliance into trackable steps and helping the business stay accountable.