News broke ahead of Data Privacy Day in late January 2023 that California Attorney General Rob Bonta is conducting a deep, investigative sweep that focuses on the mobile apps of organizations that fail to comply with consumer opt-outs or do not offer a protection mechanism for consumers who want to exercise the right to prevent the sale of their data. The California Consumer Privacy Act (CCPA) defines the sale of data as the “selling, renting, releasing, disclosing…a consumer’s personal information by the business to a third party for monetary or other valuable consideration.” This means that the organization could be “selling” personal information under CCPA even when sharing data with a third party without providing consumers monetary compensation. The Attorney General’s investigation includes popular mobile apps that allegedly:
- Fail to comply with consumer opt-out requests, and/or
- Fail to process consumer requests through an authorized agent.
With fines and penalties under the CCPA on the rise, including a recent widely-publicized settlement for failing to disclose the sale of data to consumers, organizations must work to mature their privacy programs to keep up with the ever-changing data privacy landscape.
What about the penalties?
The CCPA secures the consumer right to request that an organization stops collection, sale and sharing of personal information with third parties. The law also prescribes specific penalties for noncompliance with its requirements.
According to CCPA, if the Attorney General initiates a civil action against an organization, there is an administrative fine of up to $2500 per individual violation if the organization fails to resolve the issue within 30 days after being notified, and up to $7500 if the violation is intentional. The private right of action may incur damages between $100 and $750 per incident.
With the additional amendments to CCPA which is expected to become fully enforceable in the summer of 2023, tighter restrictions on information sharing with third parties are resulting in stricter measures as well. A 30-day cure period is removed and a $7,500 civil penalty for a violation involving minors’ personal information is automatically applied.
The number of penalties for non-compliance with CCPA can significantly increase based on the volume of individual records collected by the business. For example, in the recent settlement mentioned above, the company had to pay $1.2 million just in penalties.
Why is it important?
When it comes to data privacy compliance, organizations’ mobile applications are often overlooked. Research shows that nearly 80% of mobile applications collect personal information (PI), such as phone numbers and email addresses, as well as store names and information on user cookies, all PI subject to CCPA requirements.
Although having access to the user’s account information is important for managing application security, businesses should have necessary processes in place to meet regulatory obligations. Without appropriate privacy controls, such as disclosures, “do not sell” and “opt-out” options, cookies and consent management, as well as reasonable data protection mechanisms, organizations open themselves to a higher level of regulatory risks and potential financial fines.
What to do now
There are a few steps organizations can take to start preparing their privacy programs to gain the trust of consumers, comply with privacy regulations and avoid hefty fines:
- Understand what consumer/user data is accessed and collected by the organization via its mobile application(s). Understanding and managing data from intake through bi-annual or annual data mapping and disposition activities can help an organization better understand its data ecosystem and data footprint while becoming a good data steward in the long run.
- Adopt a privacy management technology solution to honor Do Not Sell/Share and Limit My Sensitive Information requests on mobile apps.
- Think about Global Privacy Control (GPC) signals and how to uphold the user’s specific preferences. GPC is a technical capability that sends users’ universal opt-out of the sale and sharing requests from browsers to websites. Implementing and testing codes and tools will be necessary to ensure that GPC-accessible browsers and extensions are supported.
- Implement technical solutions to receive and fulfill consumer privacy rights requests (i.e., delete, access, opt-out/do not sell/share, etc.).
- Create privacy training material for employees handling consumer/employee/b2b contact personal information and privacy rights requests.
- Review contracts for alignment with CPRA with respect to obligations of service providers and third parties.
- Assess activities related to records to ensure data is retained no longer than necessary.
Organizations that are subject to CCPA and other privacy regulations have a large responsibility to the consumer to protect their personal information and privacy rights while being transparent about the organization’s data privacy practices. As mobile applications continue to expand the types of personal information collected, organizations need to create clear messages around data processing activities that take place in the application and provide mechanisms for enacting user preferences. Organizations must make it a priority to frequently review and update certain areas of their privacy programs to stay up to date with regulation changes, new privacy software and tools, and updated processes to create a multitude of efficiencies for the future program landscape. If a letter from the enforcement body (e.g., California Attorney General) is received, review the claims, remediate any issues and respond within the 30-day notice-to-cure period.