Let’s face it: CCPA compliance is not easy. And a recent study provides additional evidence for the commonsense conjecture that companies trying to just “follow the law” often do more or less than is required. In this alert, we use that study to explore CCPA-compliance issues and provide some practical suggestions for ensuring a reasoned approach to privacy compliance.
In the study, the authors analyzed 500,000 popular websites to understand whether companies are complying with the CCPA. They measured compliance by looking at whether the sites had an opt-out link. The authors believe the presence of an opt-out link is a useful proxy for assessing general CCPA compliance because it is arguably the easiest component to implement—though that position doesn’t necessarily reflect the practical implementation difficulties a particular company may face—and a company without a link is less likely to be taking the other required measures. A company could need to comply with the CCPA without needing an opt-out link because they don’t sell data; the authors accounted for this by counting a site as subject to the CCPA only if it had third-party advertising domains on its site (which the authors took as suggesting a “sale” of data). With that as their starting point, the authors (1) identified whether each site had an opt-out link and (2) determined whether the CCPA applied to each site by reviewing visitor data (did the company meet the 50k threshold?) and looking for third-party analytic tools (did the company “sell” data?).
The authors presented three general findings about the state of compliance that are relevant to in-house counsel:
- Misunderstanding Compliance Triggers. Companies often provided a CCPA opt-out link when they did not need to do so, and even more companies failed to provide the link when they likely needed to. Indeed, 75% of the sites that the authors concluded were not subject to the CCPA included an opt-out link, while 80% of the sites that the authors believed were subject to the CCPA did not include such a link.
- Displaying an Inadequate Link. A significant percentage of companies were likely not complying with the requirement that opt-out links be “clear and conspicuous.” Indeed, the authors determined that nearly 40% of sites presented their links with a contrast ratio that qualified as “not accessible” according to WCAG 2.1 guidelines (i.e., guidance issued by the primary standards body for accessibility standards on the internet).
- Missing Legal Developments. Many companies failed to change their practices in response to new legal developments. The authors assessed that nearly 80% of websites in the study that were using the phrase “Do Not Sell My Info” for their opt-out link, which the California DOJ initially permitted, failed to change the wording months after the DOJ issued new guidance requiring different wording. This suggests companies may be adopting a “set it and forget it” approach that does not account for changes in the law.
Privacy professionals are often asked to provide guidance on whether the CCPA applies and how to comply with the law. Neither is easy, especially with the constant changes we are seeing in the field. To help you in that endeavor, we have outlined a few practical tips for assessing your obligations and adopting (and maintaining) the necessary measures.
Determine CCPA’s Application. Decide whether you need to comply with the CCPA (and, if you don't have to comply, whether you will comply voluntarily). Remember, compliance is required only if you are a business that (1) has annual gross revenue over $25 million or (2) buys, sells, shares or receives the personal information of more than 50,000 Californians annually or (3) derives more than 50% of your revenue from selling Californians’ personal information. (The study authors focused on only one of the potential thresholds under the CCPA because of the availability of data.) But remember: the threshold in the second option is increasing to more than 100,000 in 2023.
Review Link Appearance. Ensure your opt-out link is “clear and conspicuous.” Some best practices include using a font that has an adequate contrast level (at least 4.5:1) and is not materially smaller than other information on the page.
Update Terminology. Review your opt-out link to ensure it contains the appropriate phrasing (and be aware that the California phrasing is changing yet again on January 1, 2023).
Consider Dynamic Links. Assess how you will word the opt-out link in an environment where one phrasing may not work for all states. One option to consider would be using dynamic links where the version that appears depends on the user’s location.
Monitor Changes. Identify resources—e.g., blogs, newsletters, outside counsel—for tracking privacy developments. This is increasingly important as many states are proposing new privacy laws this session and others have proposed amending their existing laws.
Reassess Regularly. Establish a regular review of your compliance measures to see if they need to be updated based on new guidance or legal requirements. Part of this review should be determining whether your company continues to meet (or not meet) the relevant criteria that trigger the application of the various privacy laws.
And remember, the California Privacy Rights Act is barreling down on us with some big changes to the CCPA. Although those changes do not take effect until 2023, they will apply to data collected in 2022. So now is a good time to review how you are processing personal information, with an eye toward complying with consumer requests concerning data collected this year.
Privacy law is a complex field and it can be hard to stay up to date with all the changes (there are already at least 40 new bills this year!). But Shook’s team of privacy attorneys, which was just recognized as a Law360 Practice Group of the Year, is here to assist.