California Privacy Agency Fines PlayOn Sports and Ford for CCPA Opt-Out Violations

Want to receive these privacy recaps in your inbox each week? Subscribe here.

The California Privacy Protection Agency (CalPrivacy) has levied fines against two major companies, PlayOn Sports and Ford Motor Company, for failing to comply with CCPA opt-out requirements, signaling continued aggressive enforcement of consumer privacy rights. In the same week, CalPrivacy launched preliminary rulemaking activities seeking public comment on reducing friction in privacy rights requests and improving opt-out preference signal standards.

Keep reading to learn more and discover my takeaways.

CalPrivacy Fines PlayOn Sports Over Opt-Out Failures

PlayOn Sports will pay $1.1 million based on allegations that the high school ticketing and events platform forced users to agree to tracking technologies used for targeted advertising without recognizing opt-out preference signals or providing a sufficient way to opt out. PlayOn Sports’ website included a banner asking users to click “Agree” to accept the use of tracking technologies and the website’s terms before proceeding. However, it offered no option other than agreement.

The website also included a “Your Privacy Choices” link that directed users to a toll-free number and email address to opt out of the sale or sharing of personal information, however, these methods did not opt users out of the sale of information via third-party tracking technologies. For such activities, the platform separately directed users to the Network Advertising Initiative and Digital Advertising Alliance to opt out of targeted advertising. However, CalPrivacy held these methods insufficient to comply with the CCPA’s specific opt-out requirements. 

TAKEAWAY

Although affirmative opt-in consent is not required under California CCPA in most circumstances, many websites increasingly include a banner asking users to passively or actively consent to the use of tracking technologies, often to mitigate risks outside the CCPA, such as litigation under the California Invasion of Privacy Act (CIPA). However, as CalPrivacy has made clear in this and other enforcement actions, having a consent banner isn’t a valid replacement for meeting the CCPA’s specific requirements. 

These requirements include recognizing opt-out preference signals and providing users with an option, available through a “Do Not Sell or Share My Personal Information” or “Your Privacy Choices” link, to exhaustively opt out of all sales or sharing of personal information, whether occurring via tracking technologies or otherwise. 

CalPrivacy has also emphasized in previous enforcement actions (e.g., Honda) and previous guidance that the regulations require businesses to design methods for submitting CCPA requests and obtaining consumer consent that incorporate the principle of “symmetry of choice.” This means the process for opting out shouldn’t take more steps than the process to opt back in. Furthermore, if a website seeks a consumer’s opt-in consent to use or sell their personal information, consumers must be given an equal and symmetrical choice to opt out. Therefore, when implementing a consent banner in the U.S. to mitigate litigation risk or for other purposes, businesses should be careful not to inadvertently create additional risk under the CCPA. 

Ford Motor Company fined $375,703 for opt-out violations

Ford Motor Company will pay $375,703 for allegedly requiring users to verify their email address before opting out of the sale or sharing of their personal information collected through Ford’s digital properties and connected vehicle services. 

Specifically, after users completed an interactive form to opt out of the sale or sharing of personal information, consumers had to check their email and click “confirm” before Ford would process their request. CalPrivacy found this practice created unnecessary friction for consumers exercising their opt-out rights.

TAKEAWAY

This enforcement highlights an important distinction between opt-out rights and other rights (such as the right to delete, correct, or know their personal information) under the CCPA: although a business may require a consumer to verify their information to exercise the latter rights, businesses may not require verification to exercise the right to opt out. For opt-out requests, a business may ask for information necessary to identify the consumer but must not require extra steps or information to verify the consumer’s identity. Companies might overlook this distinction when implementing consistent processes for consumer rights requests, but as this enforcement has made clear, it’s important to give opt-out rights the more immediate treatment required under the CCPA. 

CalPrivacy Begins Preliminary Rulemaking Activities to Address Opt-Out Preference Signals and Privacy Rights.

Aligning with CalPrivacy’s recent enforcement actions (see above), CalPrivacy solicited comments regarding further rulemaking on two topics: “Reducing Friction in the Exercise of Privacy Rights” and “Opt Out Preference Signals”.  

Specifically, for rights requests, CalPrivacy asks what challenges consumers and businesses face when exercising and providing privacy rights, whether current regulations sufficiently address those challenges, and what CalPrivacy should prioritize or consider to reduce friction. Regarding opt-out preference signals, CalPrivacy asks about the consumer experience when using these signals, the challenges businesses face when processing them, and whether additional regulatory clarity or guidance is needed. Comments will be accepted through April 6. 

TAKEAWAY

Although a request for comments doesn’t necessarily mean further rulemaking is forthcoming, it provides insight into CalPrivacy’s potential recognition of patterns of business and consumer obstacles that go beyond isolated non-compliance. 

It also shows their potential openness to understanding and better addressing external root causes that may contribute to such patterns. For example, CalPrivacy references a lack of uniformity in how businesses handle consumer rights requests as a potential challenge. It also cites the distinction between “known” and pseudonymous profiles, and differences across browsers, devices and identifiers, as potential challenges businesses face when processing opt-out preference signals. This indicates CalPrivacy’s desire to better understand and address the complexities of compliance with these requirements.   

A LITTLE MORE PRIVACY, IF YOU PLEASE

• Oregon Bill Sent to Governor Restricting Public Bodies’ Sale of PII to Data Brokers
• Virginia Legislature Passes Bills Prohibiting Sale of Geolocation Data and Providing GLBA Exemption to Reproductive Health Information Prohibition 
• IAB Announces Amended Multi-State Privacy Agreement
• France’s Highest Court Upholds 40 million Euro Fine Against Criteo Under GDPR
• UK privacy laws: The ultimate guide
  
  

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.