On July 1st, 2020 enforcement of The California Consumer Privacy Act (CCPA) officially came into effect. Similar to the European Union’s General Data Protection Regulation (GDPR), CCPA is California’s answer to personal data protection – regulating how businesses across the globe are allowed to handle the personal information (PI) of California residents.
This means that California residents have the right to opt out of having their data sold to third parties, request disclosure of data already collected, and request deletion of data collected. As a part of this, corporations are required to respond promptly to consumer requests for information regarding their data.
Though they share overarching objectives, there are a number of differences between CCPA and GDPR, a significant one being the way fines are decided. CCPA fines for a breach can include a civil penalty of up to $7,500, and fines of anywhere from $100 to $700 per consumer.
Though these numbers may appear small in comparison with GDPR fines, companies managing high volumes of personal data (i.e. a larger company with thousands of consumers) are vulnerable to seeing these numbers multiplied significantly. CCPA also allows the individual consumer to file civil claims, giving individuals the ability to exercise their rights to privacy.
While some of the details of CCPA enforcement are still being ironed out, this article provides a summary of 9 key breaches so far and what we can learn from them.
1: Zoom – An $85 million settlement for ‘Zoombombing’
In August 2021, Zoom Video Communications reached an $85 million settlement after a number of user privacy issues including those related to ‘Zoombombing’. Zoombombing involves outsiders hijacking Zoom meetings and posting disturbing content such as pornography, or using racist language. The lawsuit claimed that Zoom had violated users’ privacy rights by sharing personal data with Facebook, Google, and LinkedIn, and letting hackers ‘Zoombomb’ meetings.
As well as paying the sum, Zoom agreed to improve its security practices to comply with the CCPA, releasing a statement saying “The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us.”
2: A data broker – A broken link, opt-out barriers, and mandatory account creation
To comply with CCPA, an unnamed data broker added a “Do Not Sell My Personal Information” (DNSMPI) link to its homepage – but the link didn’t work.
The business also made users jump through a series of hoops (including providing government ID and proof of address) before being allowed to opt out of the sale of personal information. Thirdly, customers were required to create an account in order to make a verifiable consumer request – including a CCPA request.
After being informed of these issues, the business updated its link, removed the barriers to opt out, and no longer requires the creation of an account to make a CCPA request.
3: A digital strategy partner — A privacy policy with missing parts
In another case of DNSMPI wrongdoings, a company that partners with major corporations on digital strategies did not tell consumers about their rights under the CCPA and did not provide adequate notice on how personal information was collected, used, or sold.
This is all information that should be included in a company’s privacy policy. The company also did not offer a way to make requests over the telephone or on the company’s website.
To fix this, the privacy policy was updated, and the business now also offers a DNSMPI link, email address, and telephone number for consumers.
4: T-Mobile — The (alleged) negligence that led to a data breach
In August 2021, T-Mobile USA Inc. was hit with two class-action lawsuits accusing the telecommunications company of violating the CCPA. It was alleged that ‘T-Mobile violated the CCPA and acted negligently by failing to protect consumer data from a recent data breach that exposed millions of customers’ records’.
The allegations came after T-Mobile had suffered a data breach that compromised the personal data, including names and phone numbers, of millions of customers.
It is thought that T-Mobile violated the CCPA by failing to protect consumers’ non-encrypted personally identifiable information from unauthorized access and exfiltration, theft, or disclosure. This is alleged to have stemmed from a failure to maintain reasonable security procedures to protect such information.
The company offered two years of free McAfee ID theft protection to all people who believe they may have been affected by the breach, but investigations are ongoing.
5: An electronics retailer — Selling more than just electronics
A business that sells electronics was accused of selling a bit more than just that. The company had third-party trackers on its website that shared data with advertisers about visitors’ online shopping habits. There was no service provider contractual relationship in place and consumers’ requests to opt out were not being processed.
To solve these issues the company worked with its privacy vendor to honor consumer opt-out requests and avoid selling personal information to third parties in violation of the CCPA.
6: An online classified ad platform — Death by jargon
Alongside other CCPA breaches, a business that operates an online classified advertisement platform did not display the required CCPA consumer rights or explicitly state whether or not it had sold personal information in the past year.
After being informed of this, the company updated its privacy policy to include the required notice of CCPA rights and clearly stated that it did not sell personal information.
However, a second notice was prompted after the updated privacy policy proved not to be consumer-friendly – containing unnecessary legal jargon and being difficult for the average person to read. Significant revisions to the privacy policy finally addressed these concerns.
7: A social media app — Speed matters
A social media app business was not responding to CCPA requests by consumers fast enough. The requests included consumers wanting to know and delete personal information – which users have a right to under the CCPA. Unfortunately, consumers were left unaware of whether their requests had been effectuated, or even received.
After notification by the Office of the Attorney General (OAG), the organization responded to the outstanding requests and updated its CCPA response system to improve its timeliness.
8: An ad-tech organization — Business or service provider?
Service providers and businesses have different obligations when it comes to complying with CCPA, with privacy policy requirements differing depending on this status.
This made it difficult for an online ad-tech organization, which, though primarily a service provider, is a business in some contexts. The company’s service provider contracts also lacked the necessary restrictions on the use of processed personal information.
To align with the rules, the company modified its privacy policy (clearly stating that it did not sell personal information), provided a way for consumers to submit CCPA requests, and updated its service provider contracts.
9: A grocery chain — Customers seeking clarity
A business that operates a chain of grocery stores recently came under fire not just from the OAG, but from members of the public too. The chain was accused of leaving essential information out of its privacy policy, which lacked guidance on how authorized agents may submit CCPA requests on behalf of consumers, among other things.
In response to a notice of these violations, the business updated its privacy policy accordingly – explaining how agents can submit CCPA requests on behalf of consumers, as well as the business’s requirements for verifying such requests.
If there is one thing to learn from these breaches it is that doing the right thing is not enough. You need to tell your consumers what you are doing – transparently and in language that they understand.