Some clarity is emerging around the scope of California’s Consumer Privacy Act (CCPA) enforcement, which has been in force since early 2020. It wasn’t immediately clear if the new law would deal only with data breaches or would also cover privacy violations that are “powered” by cookies, and analytics and other trackers.
The answer seems to be that both types of privacy undermining practices used by social networks, tech firms, advertisers and data brokers are not allowed, at least according to enforcement letters signed by California’s Attorney General Rob Bonta, writes the Digiday trade magazine.
Specifically, if a social network collects and shares personal data obtained from online tracking of users via third parties, it will be considered as non-compliant unless users are notified or given the opportunity to opt-out.
In the letters, Bonta explains that tracking done by companies for advertising and analytics falls under the category of data sale that the privacy act prohibits. Put together with examples of CCPA cases published earlier this month by the Attorney General’s Office, legal experts see this as proof that the uncertainty over what type of activity the rules outlaw is starting to diminish.
One of the generic letters provided by the AG said that an unnamed company, after being told that third party trackers, the way they were deployed, were a violation of CCPA, ended up removing them from the app and the site.
However, the complexity of the tracking tech’s many tentacles means that CCPA’s enforcement will not be a straight-forward affair, as multiple factors may be considered, including why and how tracking is used, whether it follows people across the web and offline, and so on.
Regarding the way California is enforcing its privacy rules, companies suspected of non-compliance are given a month to remedy the situation, or face stiff penalties.
A privacy lawyer speaking on condition of anonymity said that companies could be considered in breach of the law every time a Californian interacts with a site jeopardizing their privacy by using cookies. That means a potentially huge number of violations – while fines for each range from $2,500 for unintentional, and $7,500 for unintentional cases.