The California attorney general announced his office notified an unspecified number of businesses with mobile apps they are failing to comply with the California Consumer Privacy Act (CCPA).
Attorney General Rob Bonta said Friday in a press release his office issued letters to companies with mobile apps in the “retail, travel, and food service industries that allegedly fail to comply with consumer opt-out requests or do not offer any mechanism for consumers who want to stop the sale of their data.” Some apps violated the CCPA’s provision to process consumer requests from authorized agents to delete or opt out on the processing of their data, as required by the law, Bonta said.
The CCPA gives California residents the right to know how a company collects their personal data and how it is used or shared, the right to request a business delete their personal data, and the right to opt out of the sale of their personal information. On Jan. 1, the California Privacy Rights Act (CPRA) took effect, which amended the CCPA to add more consumer privacy rights, including correction of inaccurate personal information and the right to limit the use of personal information.
Businesses subject to the CCPA have responsibilities, Bonta said, including “responding to consumer requests to exercise these rights and giving consumers certain notices explaining their privacy practices.”
“Today’s sweep … focuses on mobile app compliance with the CCPA, particularly given the wide array of sensitive information that these apps can access from our phones and other mobile devices,” he said. “I urge the tech industry to innovate for good—including developing and adopting user-enabled global privacy controls for mobile operating systems that allow consumers to stop apps from selling their data.”
The CCPA allows companies to remediate uncovered violations within 30 days without penalty. Bonta’s office previously delivered notices to businesses in industries including technology, healthcare, retail, fitness, and telecommunications, informing them their opt-out systems were deficient.
In August, Bonta’s office issued its first CCPA enforcement action: a $1.2 million penalty against cosmetics retailer Sephora for allegedly selling consumers’ personal data after they had requested their information not be sold. Sephora failed to remediate the alleged violation within the 30-day window.
The CPRA also established the California Privacy Protection Agency, which is authorized with rulemaking and enforcement of the state’s privacy laws. Previous exemptions under the CCPA regarding data for employees and business-to-business transactions expired Jan. 1 and are now covered as part of the legislation.