CCPA/CPRA Compliance in 2024

Guides
James Grieco
Mar 7, 2024
7 min read

California’s landmark data privacy regulation, the California Consumer Privacy Act (CCPA), has been in effect for four years, but the developments that have taken place over that time have made CCPA compliance in 2024 more challenging than ever. DoorDash found that out a few weeks ago, as the company was fined $375,000 for CCPA violations and will now have to submit to a supervised three-year compliance program.

This is only the second CCPA settlement ever, following the seven-figure fine Sephora paid in 2022. An investigation led by Attorney General Rob Bonta found that DoorDash had sold customer data to third parties as part of marketing cooperatives without notifying individuals or offering them a way to opt out.

Bonta proclaimed, “As my office has stressed time and time again, businesses must disclose when they are selling personal information and offer Californians a way to opt out of that sale … I hope today’s settlement serves as a wakeup call to businesses.”

It was only a matter of time until enforcement ramped up in California, with news of compliance sweeps across industries spreading over the past few months. That focus was amplified by a recent decision of the state's Court of Appeal in favor of the California Privacy Protection Agency (CPPA), which moved up enforcement of the regulations implementing the full scope of the CCPA's amendment, the California Privacy Rights Act (CPRA).

CCPA/CPRA Enforcement Takes Center Stage

The ruling ended a period of uncertainty around the CPRA. A 15-point addendum to the regulation missed its initial finalization deadline of July 2022 because of unsettled debate over how various topics, such as automated decision-making technology, should be covered. When the bulk of that regulation was finalized on March 29, 2023, the California Chamber of Commerce argued that the proposed July 1, 2023 enforcement date was unfair because it did not give businesses enough time to prepare.

The initial trial-court ruling sided with the business community, holding that the CPPA had to give 12 months' notice before the CPRA regulations could fully enter into force. On appeal, that decision was reversed several weeks ago, rendering the CPRA regulations immediately enforceable.

Although businesses should already have been preparing for new CCPA compliance measures in 2024, the court case underlines the no-nonsense approach to privacy the state has taken. In practice, privacy programs will need to track not only all the personal and sensitive data within their own systems, but also how the third parties they share data with go on to handle it.

CCPA to CPRA Compliance Challenges

The CCPA, the first comprehensive data privacy law passed in the U.S., and its amendment, the CPRA, differ in numerous ways.

Among them, the CPRA set out and defined categories of “sensitive data,” expanded data rights provided to individuals to include the right to correction, portability, and opt-out of automated decision-making, and created the CPPA to enforce the law.

But perhaps the most consequential difference between CCPA and CPRA is the latter’s expansion of several rights and clauses to include not only data sales, but data sharing. 

An example of a CCPA compliant Privacy Notice as seen on US Weekly in 2019

The CCPA's definition of a data sale was broad to begin with, and the CPRA added a parallel definition of data sharing as "sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party."

This reverberated throughout the amendment in several ways:

  • An individual’s right to know now includes not only which data is collected and sold, but with which third parties a business has shared their data
  • Individuals can opt out of both data sales and data sharing (with sharing considered an exchange even without money or anything of financial value involved)
  • The right to delete now requires businesses to pass the request along to third parties with whom they have shared the individual’s data

These changes aimed to crack down on cross-context behavioral advertising and loopholes in service provider contracts, striking at the heart of an adtech industry that had acted without restraint for far too long.

DoorDash and CCPA Data Selling/Sharing

In fact, DoorDash's violation was effectively a double whammy, because the same conduct also runs afoul of the do-not-share principle. Luckily for the company, the conduct occurred in 2020, before California voters passed the CPRA, so the case turned on the original CCPA's sale rules: the third parties receiving the data went on to sell it to other entities, all without consumer consent.

The CCPA's 30-day cure period is discretionary in 2024, so it would behoove companies to have full oversight of every nook and cranny the data they collect from consumers ends up in, whether internally or across third-party vendors.

AG Bonta made DoorDash aware of the violation and the company stopped it, but it failed to undo the privacy harms already imposed on individuals, which is why the AG's office eventually fined the company. Curing a violation is therefore not simply ceasing the noncompliant behavior, but making consumers whole, an extraordinarily difficult task.

California AG Rob Bonta

Given that (and that a business may not even be offered a chance to cure), and given that as of January 1, 2023 the CCPA no longer requires either a notice of violation or a cure period before enforcement action is taken, CCPA compliance in 2024 is more stringent than ever.

CPRA Do Not Sell/Share Requirements Breakdown

CCPA still relies on opt-outs rather than opt-ins, but companies must clearly notify consumers of those rights and their data processing choices.

Another wrinkle is that the 2023 CPRA Draft Regulations changed what compliance with the do not sell/share requirements looks like compared to the initial version of the CPRA.

Initial versions of CPRA-compliant privacy policies had to include:

  • A notice to consumers about their right to opt-out
  • Two conspicuous opt-out links reading “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information”
  • Additional language noting universal opt-out measures as valid 

However, after the Draft Regulations a few things are clear:

  • A company can display a single opt-out link reading “Your Privacy Choices” or “Your California Privacy Choices” on their website that accomplishes the purpose of both of the aforementioned links
  • It is not an either/or situation: a company must honor universal opt-out measures such as Global Privacy Control regardless of whether it provides the relevant links on its site or in its privacy policy

In accordance with privacy principles that fight discrimination against individuals exercising their data rights, the CPRA Draft Regulations introduced the concept of “Frictionless” opt-out as well.

"Frictionless" opt-out means a business cannot:

  • Charge consumers for using an opt-out signal
  • Change the user experience for consumers who use opt-out signals
  • Display any dark pattern-like content (such as a pop-up asking “Are you sure?”) in response to the opt-out preference signal

Frictionless opt-out takes precedence, as businesses do not need to display the opt-out links described above IF:

  • They process opt-out signals in a frictionless way
  • Their privacy policy communicates a) the right to opt-out, b) frictionless opt-out signal recognition, and c) how an individual can otherwise opt-out of data sales/sharing
  • The business can apply the opt-out to both online and offline personal data processing

Note on dark patterns: businesses may confirm to the consumer that their opt-out signal has been honored, for transparency. This partially mirrors a requirement on universal opt-out mechanisms themselves, which must clearly inform consumers that the mechanism will opt them out of the sale/sharing of personal data.
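Honoring Global Privacy Control on the server side is the part of the above that a developer actually has to build, so here is an added example (my own code, not the article's or MineOS's). The only external fact it relies on is the GPC specification, under which a browser with the signal enabled sends the HTTP request header "Sec-GPC: 1". Everything else is an assumption made for illustration: the shape of the stored consent record, the recipient list tagged as sale/share versus service-provider transfer, and all function names. The code shows the three behaviors the regulations call for: the signal is honored whether or not the user ever used a "Your Privacy Choices" link, a confirmation is produced but no "Are you sure?" prompt, and the opt-out is persisted against a known consumer so it also reaches processing that never sees the request.

```javascript
"use strict";

// Added example (not the article's or MineOS's code): honouring the Global Privacy
// Control (GPC) opt-out preference signal on the server. Per the GPC specification,
// browsers send the HTTP request header "Sec-GPC: 1" when the user has turned the
// signal on; that header name and value are the spec's. Everything else here
// (record shape, recipient tags, function names) is my own assumption.

// HTTP header names are case-insensitive, so look the header up without
// depending on how the framework or proxy cased it.
function headerValue(headers, name) {
  const want = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === want) {
      // Multi-valued headers may arrive as an array; take the first value.
      return String(Array.isArray(value) ? value[0] : value).trim();
    }
  }
  return undefined;
}

// The spec defines exactly one opt-out value, "1". Treat "0", "true", "yes"
// or an absent header as "no signal" rather than guessing.
function gpcSignalPresent(headers) {
  return headerValue(headers, "Sec-GPC") === "1";
}

// Decide whether this request is opted out of sale/share. Either path opts the
// user out: the stored choice made through the "Your Privacy Choices" link, or a
// GPC signal on this request. The signal is honoured even if the user never used
// the link, and a stored opt-in does not override a signal on the current request.
function evaluateOptOut(headers, consentRecord) {
  const viaSignal = gpcSignalPresent(headers);
  const viaLink = Boolean(consentRecord && consentRecord.doNotSellOrShare);
  return {
    optedOut: viaSignal || viaLink,
    source: viaSignal ? "gpc-signal" : viaLink ? "privacy-choices-link" : "none",
    // Frictionless: a confirmation that the signal was honoured is allowed; an
    // "Are you sure?" prompt or any change to the experience is not.
    confirmation: viaSignal
      ? "Your Global Privacy Control signal has been honoured."
      : null,
  };
}

// Persist a signal-based opt-out against a known consumer so it also applies to
// processing that does not see this request (offline data, batch exports).
// Keeps the earliest opt-out source/time if one is already recorded.
// Mutates and returns the store; the store shape is an assumption.
function recordOptOut(store, consumerId, decision, now = Date.now()) {
  if (!decision.optedOut || !consumerId) return store;
  const existing = store[consumerId] || {};
  store[consumerId] = {
    ...existing,
    doNotSellOrShare: true,
    optOutSource: existing.doNotSellOrShare ? existing.optOutSource : decision.source,
    optOutAt: existing.doNotSellOrShare ? existing.optOutAt : now,
  };
  return store;
}

// Downstream recipients tagged with whether the transfer is a sale/share
// (e.g. an ad network receiving data for cross-context behavioural advertising)
// or a service-provider transfer needed to fulfil the request. An opted-out
// request drops every sale/share transfer and keeps the rest.
function filterRecipients(recipients, decision) {
  return decision.optedOut
    ? recipients.filter((r) => !r.isSaleOrShare)
    : recipients.slice();
}

// Constructed sample data for a stand-alone run (hypothetical recipients).
const SAMPLE_RECIPIENTS = [
  { name: "payment-processor", isSaleOrShare: false },
  { name: "ad-network", isSaleOrShare: true },
  { name: "marketing-coop", isSaleOrShare: true },
];

// One request carrying the signal from a consumer with no stored choice.
function demo() {
  const store = {};
  const decision = evaluateOptOut({ "sec-gpc": "1" }, store["c-42"]);
  recordOptOut(store, "c-42", decision);
  return {
    decision,
    recipients: filterRecipients(SAMPLE_RECIPIENTS, decision).map((r) => r.name),
    stored: store["c-42"],
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run with `node` to see the decision, the surviving recipient list (only the service-provider transfer) and the persisted record. The deliberate design choice is that the signal wins over a stored opt-in rather than the other way round: the stored record captures a past choice, the header captures the consumer's instruction right now, and the regulations require the signal to be treated as a valid opt-out request.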

CCPA/CPRA Compliance: How MineOS Helps

Disclaimer: This is not legal advice

The ever-evolving nature of the CCPA alone makes compliance more challenging than with most other American data privacy regulations, and the expansive do not sell/share rules make it both highly visible and unlike other state-level requirements.

To cover your bases, companies should include the “Do Not Sell or Share My Personal Information” link in either the header or footer of the site AND ensure recognition of universal opt-out signals as noted in the Draft Regulations.

The key to a compliant “Do Not Sell or Share My Personal Information” link lies in an enforceable and customizable Consent Management solution, such as MineOS’s. 

From there, even if creating a data map for CCPA is not explicitly mentioned in the legislation, a proper data mapping exercise has become the backbone of CCPA compliance due to the regulation’s demanding nature. 

Creating a comprehensive and continuous data map will tell you what data your organization has, who has access to that data, and where that data resides, but only a select few tools on the market can actively do this at scale, quickly, and without significant input from an IT department.

MineOS’s unique data discovery and classification sets organizations of any size up for success, enabling full data visibility and governance follow-through with automated assessments and auditable reports so companies can fully comply with the CCPA and its do not sell/share requirements in 2024 and beyond.

Trying to up your privacy program to comply with CCPA? Try MineOS for free.