As companies prepare for the provisions of the California Privacy Rights Act (“CPRA”) to come into effect in January 2023, the California Office of Attorney General (“OAG”) has signaled that companies should not wait to start complying with the Global Privacy Control (“GPC”). A recent lawsuit and subsequent $1.2 million settlement by the OAG against French e-commerce company Sephora, Inc. targeted compliance with the GPC. In announcing the settlement, the OAG made it known that it had “also sent notices today to a number of businesses alleging non-compliance relating to their failure to process consumer opt-out requests made via user-enabled global privacy controls, like the GPC” because, “[u]nder the CCPA, businesses must treat opt-out requests made by user-enabled global privacy controls the same as requests made by users who have clicked the ‘Do Not Sell My Personal Information’ link.” In other words, the OAG is taking the position that the California Consumer Privacy Act (“CCPA”) already requires implementation of the GPC.

In August, the OAG alleged violations of the CCPA and California Unfair Competition Law against Sephora for selling users’ data without their consent. Notably, in its complaint, the OAG alleged that Sephora had violated the CCPA, in part, for “failing to treat the GPC as a consumer’s opt-out of the sale of their personal information and continuing to sell personal information to third parties despite receiving a GPC signal.” The August settlement agreement between the parties includes injunctive relief, requiring Sephora to: (i) process consumers’ requests to opt out signaled via the GPC; and (ii) provide reports to the OAG regarding its efforts to comply with processing user requests to opt out through GPC.

The requirement for a website to detect and process user-enabled global privacy controls is distinct from the original CCPA requirement to allow users to opt out of an individual website’s data selling by clicking easy-to-access “Do Not Track” or “Do Not Sell My Personal Information” links (although Sephora was found to have run afoul of this provision as well). Third-party user-enabled global privacy control technologies like GPC allow consumers to opt out of all online data selling across all the websites they visit, without having to click on a specific website’s “Do Not Sell” link. Websites for California businesses must now be configured to detect and process global privacy control signals, or risk running afoul of the CCPA.

The OAG’s stance in this enforcement action shows that the OAG currently interprets the CCPA to require implementation of the GPC—and that businesses run the risk of noncompliance if they wait until 2023 to update their policies.