Privacy & Identity Theft

Attorney General Bonta, L.A. City Attorney Feldstein Soto, Announce $500,000 Settlement with Tilting Point Media for Illegally Collecting and Sharing Children’s Data

June 18, 2024
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

Another important action to protect kids’ online data

OAKLAND — California Attorney General Rob Bonta, along with Los Angeles City Attorney Hydee Feldstein Soto, announced a $500,000 settlement with Tilting Point Media LLC (Tilting Point) resolving allegations that the company violated the California Consumer Privacy Act (CCPA) and the federal Children’s Online Privacy Protection Act (COPPA) by collecting and sharing children’s data without parental consent in their popular mobile app game “SpongeBob: Krusty Cook-Off.” In addition to $500,000 in civil penalties, Tilting Point must comply with injunctive terms ensuring legal data collection and disclosure, including obtaining parental consent and diligence in configuring third-party software in their mobile games.

“Businesses have a legal obligation to protect kids’ data and to comply with important state and federal privacy laws designed to protect children online. Failing to do this puts our kids at risk, leaving them vulnerable to having their personal data collected, tracked, and sold,” said Attorney General Bonta. “As children spend an increasing amount of time online, both on websites and using mobile apps, we will use every enforcement tool to ensure compliance with the law and that companies exercise diligence with privacy law requirements. I thank the Los Angeles City Attorney’s Office for their work on this issue and look forward to continuing to work collaboratively with local, state, and federal partners to protect children’s privacy.”

“The “SpongeBob: Krusty Cook-Off” game is based on some of the most beloved and recognizable characters in children’s entertainment. Tilting Point Media is alleged to have collected and shared its young players' personal data, violating consumer privacy laws and industry guidelines,” said Hydee Feldstein Soto, Los Angeles City Attorney. “Protecting our children has been a top priority for my administration. I am proud to partner with Attorney General Bonta to protect children throughout our State and am grateful to the lawyers in the Public Rights Branch in my office for initiating this action to stop data harvesting of minors.” 

“SpongeBob: Krusty Cook-Off” (SpongeBob) is a popular cooking simulation game that includes both targeted advertising and in-app purchases and is directed to children under the age of 13 as well as targeted to older teens and adults. The app was first investigated by the Children’s Advertising Review Unit (CARU), a division of the Better Business Bureau National Programs that investigates potential deceptive or inappropriate data collection from children online. CARU found that the privacy and advertising practices of the SpongeBob app failed to comply with COPPA and CARU’s industry guidelines. Although Tilting Point took some corrective action, a joint investigation by the California Department of Justice and Los Angeles City Attorney’s Office found that Tilting Point was in violation of the CCPA and COPPA in connection with how the mobile app handled children’s data. Tilting Point’s age screen did not ask age in a neutral manner, meaning children were not encouraged to enter their age correctly to be directed to a child-version of the game. Additionally, Tilting Point inadvertently misconfigured third-party software development kits (SDKs), resulting in the collection and sale of kids’ data without parental consent.

In addition to paying $500,000 in civil penalties, Tilting Point media must comply with strong injunctive terms. Tilting Point must:

  • Comply with the CCPA and COPPA related to children’s data in the SpongeBob game and all of its games directed to children.
  • Not sell or share the personal information of consumers less than 13 years old without parental consent, and not sell or share the personal information of consumers at least 13 and less than 16 years old without the consumer’s affirmative “opt-in” consent.
  • In instances where Tilting Point sells or shares the personal information of children, provide a just-in-time notice explaining what information is collected, the purpose, if the information will be sold or shared, and link to the privacy policy explaining the parental or opt-in consent required.
  • Use only neutral age screens that encourage children to enter their age accurately.
  • Appropriately configure third-party SDKs to comply with legal requirements related to children’s data.
  • Implement and maintain a SDK governance framework to review the use and configuration of SDKs within its apps.
  • Comply with laws and best practices related to advertising to minors, and minimize data collection and use from children.
  • Implement and maintain a program to assess and monitor its compliance with the judgment, including annual reports to the California Department of Justice and Los Angeles City Attorney’s Office.

COPPA AND CCPA

COPPA is a federal law that requires operators of websites and online services that are either directed to children under 13, or that have actual knowledge that they are collecting personal information from children under 13, to provide notice to parents and obtain parental consent before collecting, using, or disclosing personal information from children. The CCPA is a landmark state law that secures increased privacy rights for California consumers, including the right to know how businesses collect, share, and disclose their personal information and the right to opt-out of the sale or sharing of their personal information. The CCPA imposes on businesses specific responsibilities related to children’s data, including requiring parental consent before selling or sharing personal information from children under 13 years old, and obtaining the consumer’s affirmative opt-in consent for users at least 13 and under 16 years old.  

Attorney General Bonta is committed to enforcing both COPPA and the CCPA to improve children's online safety. Today's settlement represents Attorney General Bonta's third enforcement action under the CCPA, and his continued priority to protect children online:

  • In March, Attorney General Bonta joined a bipartisan multistate letter to the Federal Trade Commission proposing updates to regulations implementing COPPA and advocating for further clarity and specification for proposed rules. 
  • In February, Attorney General Bonta announced a settlement with DoorDash, resolving allegations that the company violated the CCPA and COPPA, by selling California customers’ personal information without providing notice or an opportunity to opt out of that sale. 
  • In January, Attorney General Bonta, Assemblymember Buffy Wicks, and Senator Nancy Skinner introduced the California Children’s Data Privacy Act (AB 1949), and the Protecting Our Kids from Social Media Addiction Act (SB 976), landmark legislation seeking to protect youth online. These two bills would, respectively, limit the harms associated with social media addiction and provide more robust protections for kids’ data privacy.
  • In October 2023, Attorney General Bonta co-led a bipartisan coalition of 33 attorneys general in filing a federal lawsuit against Meta Platforms, alleging among other things, that Meta designed and deployed harmful features on Instagram and Facebook that addict children and teens to their mental and physical detriment. The lawsuit alleges that Meta violated federal and state laws, including COPPA, California's False Advertising Law, and California’s Unfair Competition Law.
  • In 2022, Attorney General Bonta announced a settlement with Sephora, resolving allegations that the company violated the CCPA by failing to disclose to consumers that it was selling their personal information, and failing to process user requests to opt out of these sales. 

A copy of the complaint and stipulated judgment, subject to court approval, can be found here and here.

Attorney General Bonta to Congressional Leaders: Federal Data Privacy Law Should Set a Floor, Not a Ceiling

May 8, 2024
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

Rapidly changing technology requires responsive, flexible state privacy policy

OAKLAND — California Attorney General Rob Bonta today led a multistate coalition of 15 attorneys general urging congressional leaders to remove preemption language in the current draft of the American Privacy Rights Act (APRA), a proposed federal data privacy bill. The preemption clause currently in the APRA would result in California’s landmark privacy law being replaced with weaker protections and would hamper the ability of California to adequately protect the privacy of its citizens in the future. In today’s letter, Attorney General Bonta and colleagues from across the country call on Congress to set a floor and not a ceiling with any federal privacy law, and to respect additional protections states provide or would provide in future state-level legislation.

“Federal action to protect Americans' privacy is essential, but not at the expense of the robust protections already in place in California and in states across the country. California is at the forefront of privacy protections and must retain the ability to respond to privacy concerns as tech rapidly innovates,” said Attorney General Bonta. “We urge Congress not to undercut the important protections that states have established; states must be able to protect their residents from evolving privacy threats.”

With the first comprehensive privacy law in the country, California has the strongest protections in the nation. Californians currently have robust protections and rights to manage and control the use of their data through the California Consumer Privacy Act and other state laws. Since California passed the first comprehensive privacy law in 2018, numerous states have followed suit. States play a critical role in flexibly adapting to real-world circumstances and have set minimum data privacy standards that have driven innovation, including in the adoption of the global privacy control, and have not impeded business or technology. 

In the letter, the attorneys general highlight the importance of current and future state privacy protections, and ask that any federal privacy framework leave room for states to legislate responsively to changes in technology and data collection practices, as states are better equipped to quickly adjust to the challenges presented by technological innovation that may elude federal oversight. As Congress considers adopting APRA, the coalition urges changes to the proposed law — the APRA in its current form would impair some existing state protections and hamper state efforts to keep up with and adapt laws to changing technology.

In sending today's letter, Attorney General Bonta was joined by the attorneys general of Connecticut, Delaware, Hawaii, Illinois, Maine, Massachusetts, Maryland, Minnesota, Nevada, New York, Oregon, Pennsylvania, Vermont, and the District of Columbia.   

Attorney General Bonta is committed to protecting the privacy rights of Californians:  

  • Last month, Attorney General Bonta and California Governor Gavin Newsom sent a letter to Congress urging congressional leaders to not include preemption language in the APRA.
  • Last year, Governor Gavin Newsom, Attorney General Bonta, and the California Privacy Protection Agency (CPPA) sent a joint letter to Congress opposing preemption language in similar proposed legislation.
  • In March, Attorney General Bonta joined a bipartisan multistate letter to the Federal Trade Commission expressing support for updates to the Children’s Online Privacy Protection Act and advocating for further clarity for proposed rules.
  • In February Attorney General Bonta announced a settlement with DoorDash, resolving allegations that the company violated the CCPA and the California Online Privacy Protection Act (CalOPPA) by selling its California customers’ personal information without providing notice or an opportunity to opt out of that sale.
  • In January, Attorney General Bonta, Assemblymember Buffy Wicks, and Senator Nancy Skinner introduced the California Children’s Data Privacy Act (AB 1949 Wicks), and the Protecting Our Kids from Social Media Addiction Act (SB 976 Skinner), landmark legislation seeking to protect youth online. These two bills would, respectively, limit the harms associated with social media addiction and provide more robust protections for kids’ data privacy.
  • Earlier this year, as part of ongoing efforts to enforce the CCPA, Attorney General Bonta announced an investigative sweep, and sent letters to businesses with popular streaming apps and devices, alleging that they fail to comply with the CCPA. The sweep focused on the compliance of streaming services with CCPA’s opt-out requirements for businesses that sell or share consumer personal information, including those that do not offer an easy mechanism for consumers who want to stop the sale of their data.  
  • In September 2023, Attorney General Bonta announced a $93 million settlement with Google resolving allegations that its location-privacy practices violated California consumer protection laws.

A copy of the letter can be found here

This Tax Season, Attorney General Bonta Issues Consumer Alert, Offers Californians Tips to Safely File Taxes

March 25, 2024
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

OAKLAND — California Attorney General Rob Bonta today issued a consumer alert with tips on filing and preparing taxes safely. As Tax Day approaches, many Californians may seek out assistance with filing their state and federal tax returns. To avoid falling victim to a tax-related scam, Attorney General Bonta advises Californians to file early, take actions to protect themselves online, and learn about free or low-cost tax filing opportunities. Through the IRS Direct File pilot program, eligible California taxpayers can file their 2023 federal taxes directly with the IRS for free.

“For working families, tax season serves as a long-awaited opportunity to get ahead on bills, make needed home repairs, or finally start planning a vacation,” said Attorney General Bonta. “This Tax Season, we want to make sure Californians don’t fall victim to tax-related fraud or scams. I encourage Californians to review our website for tools, tips, and resources to make filing taxes easier and safer at oag.ca.gov/consumers. And if you believe you are the victim of a tax-related scam, report it at oag.ca.gov/report.”

How to Protect Yourself from Tax Scams:

  • File early — You are less vulnerable to scammers if you file early and have your refund in hand. Avoid putting yourself at risk of being the next victim and file your taxes as early as possible. 
  • Hang up the phone! — IRS and FTB will only call a person who owes taxes if they have tried to contact you by mail. Legitimate IRS and FTB agents will not threaten jail time or seek payment over the phone or through a wire transfer. Consumers should not make any payments and should contact the agency directly by looking up government contact information online. Calls impersonating the IRS should be reported to the Treasury Inspector General for Tax Administration (TIGTA). Those impersonating the FTB should be reported here.  
  • Do NOT open the email — Never open an email or text message that says it is from the IRS or the FTB. The IRS and FTB do not use email, text message, or social media to request personal or financial information or to send notice regarding audits or refunds. Replying to the email, opening attachments, or clicking on links may enable scammers to collect your personal information or infect your computer with viruses or other malware.
  • Think beyond the password  For greater security, get an Identity Protection PIN (IP PIN) for your e-filing account with the IRS. A new PIN is provided each year by the IRS. 
  • Use two-step authentication — Check on the availability of two-step authentication to protect your tax filing accounts (and other online accounts containing sensitive information, such as your email and social media accounts). Two-step authentication adds a second factor, such as a one-time use code that is sent to you by email, phone, or text. You enter that code, along with your username and password, to get access to your account.

Tax Preparation Resources:

You may qualify for free help! Many consumers turn to third-party tax preparation services for help filing their tax returns. Attorney General Bonta encourages consumers to find out if they qualify for free tax help.

  • IRS Direct File pilot program — Using the first-of-its-kind pilot program, eligible California taxpayers can file their 2023 federal taxes directly with the IRS for free. To see if you qualify for this program, check here.
  • FTB CalFile — The FTB’s CalFile program allows qualified individuals to quickly e-file their state tax return directly to the FTB, free of charge. To see if you qualify, check here.  
  • VITA/TCE — The IRS Volunteer Income Tax Assistance program provides free tax help to people who make $64,000 or less annually, persons with disabilities, and people who do not understand English well. The Tax Counseling for the Elderly program offers free tax help for all taxpayers, particularly those over 60, specializing in questions about pensions and retirement-related issues. More information on these programs is available here.

Quick Tip! You may qualify for cash back or a reduction of the tax you owe under the Earned Income Tax Credit and the California Earned Income Tax Credit programs. Check to see if you qualify for one or both!

Need more time to prepare? You can also use IRS Free File to electronically request an automatic tax-filing extension, regardless of your income. You will then have until October 15 to file a return. More information on how to request an extension can be found on the IRS website.

Find a reputable tax preparer. Make sure your tax preparer is reputable and qualified to provide tax services. In California, only an attorney, certified public accountant (CPA), IRS-enrolled agent, or registered-tax preparer can prepare tax returns for a fee. To confirm whether a tax preparer is registered with the IRS, check here. 

If you believe you have been the victim of a tax-related scam or other misconduct, you can file a complaint with our office at oag.ca.gov/report or with the IRS

To learn about how to protect yourself and your loved ones against fraud, visit our website at oag.ca.gov/consumers.

 

 

Attorney General Bonta Proposes COPPA Update: Children’s Private Online Information Must Be Protected

March 11, 2024
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

Updates to COPPA need to go further to protect children’s online data 

OAKLAND — California Attorney General Rob Bonta today, in response to the Federal Trade Comission's (FTC) notice of proposed rulemaking, joined a bipartisan multistate letter to the FTC proposing updates to regulations implementing the Children’s Online Privacy Protection Act (COPPA). In the letter, the attorneys general express support for updates to COPPA and advocate for further clarity and specification for proposed rules.

“The Federal Trade Commission’s proposed rule would strengthen our ability to enforce restrictions on companies selling children’s data and protect consumers who seek to manage what information websites can collect from kids,” said Attorney General Bonta. “Together with a broad bipartisan coalition from across the country, I support this effort and look forward to working collaboratively with the FTC to keep protecting children’s privacy.”

COPPA requires operators of websites and online services that are either directed to children under 13, or that have actual knowledge that they are collecting personal information from children under 13, to provide notice to parents and obtain parental consent before collecting, using, or disclosing personal information from children. 

The proposed rule would update COPPA by:

  • Requiring separate “opt-in” consent for targeted advertising: The proposed new rule would require separate notice and parental consent before an operator can disclose children’s information to third parties, including third-party advertisers.
  • Clarifying the “mixed audience” category:  There currently is ambiguity about when child-directed websites must provide COPPA protections to all users and when they may screen users for age and only provide COPPA protections to users who self-identify as under 13 years old. The FTC proposes to clarify this distinction by providing a new definition of “mixed audience."
  • Adding “biometric identifiers” to the definition of “personal information”: The FTC proposes to expand the definition of “personal information” under COPPA to include biometric identifiers, like fingerprints or handprints, retina and iris patterns, genetic data, or data derived from voice, gait, or facial data.
  • Limits on the “support for the internal operations” exception: Operators may currently collect persistent identifiers without first obtaining parental consent under an exception that permits “support for the internal operations of the website or online service.” The FTC proposes adding new requirements and disclosures for operators who rely on this exception.
  • New limits on nudging kids to stay online: The FTC proposes adding new limitations on operators’ use of personal information to prompt or encourage children to use their service more.
  • COPPA and schools: The FTC seeks to permit schools and school districts to provide consent for the collection, use, and disclosure of children’s personal information, but limit that consent to use for educational rather than commercial purposes.
  • Data security, retention, and deletion: The FTC proposes strengthening data security, retention, and deletion requirements. For example, the FTC proposes requiring disclosure of data retention policies, and prohibiting operators from using retained information for any secondary purpose.

In the letter, the attorneys general support proposed updates to the COPPA Rule and respond to certain issues raised by the FTC, including how to define “personal information” as it relates to children and how to obtain parental consent to use children’s personal information in connection with advertising. The letter also advocates for limiting potential exemptions being considered by the FTC and addresses proposals regarding limitations on the use of personal information in ways that could be harmful to children, such as nudging kids to stay online longer.

Attorney General Bonta is committed to protecting children online. In October 2023, Attorney General Bonta co-led a bipartisan coalition of 33 attorneys general in filing a federal lawsuit against Meta Platforms, alleging that Meta, among other things, designed and deployed harmful features on Instagram and Facebook that addict children and teens to their mental and physical detriment. In November 2023, Attorney General Bonta announced the public release of a largely unredacted copy of the federal complaint against Meta. The removal of the redactions provides additional context for the misconduct that the attorneys general allege.

In March 2023, Attorney General Bonta as part of a bipartisan multistate coalition, filed an amicus brief supporting efforts to compel TikTok to produce subpoenaed materials and evidence as part of ongoing nationwide investigations into the company’s role in the growing youth mental health crisis. In December 2023, Attorney General Bonta joined a multistate amicus brief in Murthy v. Missouri supporting the right of the federal government to communicate with social media companies about matters of public concern. In January 2024, Attorney General Rob Bonta, Senator Nancy Skinner, and Assemblymember Buffy Wicks introduced the Protecting Youth from Social Media Addiction Act (SB 976), and the California Children’s Data Privacy Act (AB 1949), landmark legislation seeking to protect youth online.

In submitting today’s letter, Attorney General Bonta is joined by the attorneys general of Oregon, Illinois, Mississippi, Tennessee, Colorado, Connecticut, Massachusetts, New Jersey, North Carolina, Alabama, Alaska, Arizona, Arkansas, Delaware, District of Columbia, Florida, Georgia, Hawaii, Indiana, Kentucky, Maine, Maryland, Michigan, Minnesota, Nebraska, Nevada, New Hampshire, New Mexico, New York, Ohio, Oklahoma, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, South Dakota, Utah, Vermont, U.S. Virgin Islands, Virginia, Washington, and Wisconsin.

A copy of the multistate letter is available here.

In Recognition of National Consumer Protection Week, Attorney General Bonta Highlights Recent DOJ Consumer Protection Action, Urges Consumers to Know Their Rights

March 6, 2024
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

OAKLAND – In recognition of National Consumer Protection Week, California Attorney General Rob Bonta today highlighted ongoing efforts to protect California consumers and urged Californians to report misconduct or violations of state consumer protection laws to the California Department of Justice (DOJ) at oag.ca.gov/report. Complaints submitted by the public provide DOJ with important information about potential misconduct to help determine whether to investigate a business or individual.

“In California, we have strong consumer protection laws and a tremendous team working around the clock to protect Californians online, in their financial lives, in their efforts to find and keep housing and education, and across the marketplace. And we need your help,” said Attorney General Bonta. “This National Consumer Protection week I urge Californians to stand up with me and know their rights as consumers, and to let us know if they see misconduct in the market. Whether protecting data privacy, tenant protections, or stopping egregious bank fees, as the People’s Attorney, I am committed to enforcing consumer protections in the state of California and speaking out for consumer protections nationwide.”

STANDING UP FOR CONSUMER FINANCIAL PROTECTION:

In February, Attorney General Bonta issued letters to banks and credit unions not subject to the Consumer Financial Protection Bureau’s supervision warning that overdraft and returned deposited item fees may violate California’s Unfair Competition Law (UCL) and the federal Consumer Financial Protection Act (CFPA). Some financial institutions charge up to $36 or more for each overdraft. California consumers paid an estimated $200 million in overdraft fees in 2022, with the financial burden disproportionately falling on low-income consumers and consumers of color.

In December 2023, Attorney General Bonta joined a bipartisan multistate coalition of attorneys general in submitting an amicus brief to the U.S. Supreme Court defending states’ rights to enforce state consumer financial protection in Cantero v. Bank of America.

In May 2023, Attorney General Bonta, and a coalition of 24 attorneys general, filed an amicus brief in the U.S. Supreme Court supporting the Consumer Financial Protection Bureau’s (CFPB) contention that the agency’s funding structure is constitutional and arguing that the court should not invalidate the CFPB’s past and ongoing regulatory and enforcement actions. Those regulatory and enforcement actions cover all aspects of consumer financial markets; if allowed to stand, the Fifth Circuit’s decision threatens to upend over a decade of enforcement and regulatory work by the CFPB and would be detrimental to consumers across the country.

HIGHER EDUCATION: 

There is a $1.7 trillion student loan debt crisis in the United States. DOJ is committed to supporting the efforts of the U.S. Department of Education to ease the burden of federal student loans and is committed to protecting California student loan borrowers and those seeking higher education from predatory colleges and lending.  

In February, Attorney General Bonta celebrated the decision by the California Court of Appeal affirming a lower court’s decision which found in the state’s favor in its lawsuit against Ashford University, an online, for-profit college, for violating California’s unfair competition and false advertising laws. In 2017, DOJ filed a lawsuit alleging that Ashford University and Zovio provided false and misleading information to students about career outcomes, cost and financial aid, pace of degree programs, and transfer credits, in order to persuade them to enroll to persuade them to enroll in the school and then used illegal debt collection practices when students struggled to pay their bills. As part of the decision, the court ordered Ashford University and Zovio to pay more than $21 million in penalties.

If you believe you have been the victim of a predatory loan, deceived by a for-profit college, or otherwise taken advantage of, you can file a complaint at oag.ca.gov/report

HOUSING: 

California is facing a housing shortage and affordability crisis of epic proportions. Almost 17 million Californians – 44% of all state residents – live in homes that are rented and over half of California renter households are housing cost-burdened, placing them at increased risk of housing instability and homelessness. Co-authored by Attorney General Bonta during his time as a state assemblymember, the Tenant Protection Act (TPA) limits rent increases and prohibits landlords from evicting tenants without just cause.

In February, Attorney General Bonta announced a settlement with two separate Bakersfield landlords and their property management company, Clemmer & Company, for multiple violations of the TPA and, in the case of the management company and one landlord, for violation of the Fair Employment and Housing Act.

Also in February, Attorney General Bonta issued five housing consumer alerts advising California tenants of their rights and protections under state law, and alerting property managers and landlords of their obligations to tenants. One of the alerts, a Know Your Rights alert that notifies tenants of the TPA’s statewide rent increase cap, is available in 24 languages. The remaining four consumer alerts are available in English, Spanish, Chinese (Simplified), Korean, Tagalog, and Vietnamese. All of the alerts are available here, near the bottom of the page.

In January, Attorney General Bonta announced a settlement with Invitation Homes to resolve allegations that the company violated the TPA and California’s price-gouging law by unlawfully increasing rents on approximately 1,900 households.

In June 2023, Attorney General Bonta announced a settlement against Green Valley Corporation, a San Jose-based housing developer and property manager to resolve allegations that the company violated the TPA by issuing unlawful rent increases to nearly 20 of its employee tenants and serving unlawful eviction notices to six of those employee tenants.

In addition to statewide protections, some cities and counties have additional rental protections, including stricter limits on rent increases than the TPA and additional just cause requirements. Californians should check what protections are in place where they live. For more information and resources, visit the Resources for Tenants tab here.

PROTECTING CHILDREN ONLINE:  

In January, Attorney General Bonta, Assemblymember Buffy Wicks, and Senator Nancy Skinner introduced the California Children’s Data Privacy Act (AB 1949 (Wicks)), and the Protecting Our Kids from Social Media Addiction Act (SB 976 (Skinner)), landmark legislation seeking to protect youth online. These two bills would, respectively, limit the harms associated with social media addiction and provide more robust protections for kids’ data privacy.

In October 2023, Attorney General Bonta co-led a bipartisan coalition of 33 attorneys general in filing a federal lawsuit against Meta Platforms, Inc. and affiliates (Meta), alleging that Meta designed and deployed harmful features that addict children and teens to their mental and physical detriment. Unredacted documents from this lawsuit demonstrate Meta is aware and purposefully utilizing algorithmic content delivery to target and addict children to social media — actions that they know is causing harm. 

DATA PRIVACY:

The California Consumer Privacy Act (CCPA) provides consumers with groundbreaking rights over their personal information, including:

  • Right to Know – Consumers may request that a business tell them what specific personal information they have collected, shared, or sold about them, and why it was collected, shared, or sold.
  • Right to Delete — Consumers may request that a business delete personal information that the business collected from the consumer, subject to some exceptions.
  • Right to Opt-Out — If a business sells their personal information, consumers may request that it stop doing so.
  • Rights for Minors — A business cannot sell the personal information of minors under the age of 16 without their permission and, for children under 13, without parental consent.
  • Right to Non-Discrimination — A business may not discriminate against consumers who exercise their rights under the CCPA.

Earlier this year, as part of ongoing efforts to enforce the CCPA, Attorney General Bonta announced an investigative sweep, and sent letters to businesses with popular streaming apps and devices, alleging that they fail to comply with the CCPA. The sweep focused on the compliance of streaming services with CCPA’s opt-out requirements for businesses that sell or share consumer personal information, including those that do not offer an easy mechanism for consumers who want to stop the sale of their data.  

In February Attorney General Bonta announced a settlement with DoorDash, resolving allegations that the company violated the CCPA and the California Online Privacy Protection Act (CalOPPA) by selling its California customers’ personal information without providing notice or an opportunity to opt out of that sale.

For more information about the CCPA, visit oag.ca.gov/ccpa. To report a violation of the CCPA to the Attorney General, submit a complaint at oag.ca.gov/report.

TELEMARKETING:

Telephone scams, like robocalls and robotexts, can result in people losing millions through phishing texts, imposter scams, and links containing ransomware. In 2023 alone, consumers reported losing more than $10 billion to fraud, this marks a 14% increase over reported losses in 2022. 

In February, Attorney General Bonta joined a coalition of 51 bipartisan attorneys general in issuing a warning letter to Life Corporation, a company that allegedly sent New Hampshire residents scam election robocalls during the New Hampshire primary election. The calls allegedly used artificial intelligence to impersonate the president and discourage voters from participating in the primary. 

In January, Attorney General Bonta joined a coalition of 26 attorneys general in filing a comment letter responding to the Federal Communications Commission’s (FCC) notice of inquiry related to the potential impact of emerging artificial intelligence (AI) technology on efforts to protect consumers from illegal robocalls or robotexts. 

For more tips and information on consumer protection, please visit https://oag.ca.gov/consumers.

 

Attorney General Bonta Announces Settlement with DoorDash, Investigation Finds Company Violated Multiple Consumer Privacy Laws

February 21, 2024
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

OAKLAND — California Attorney General Rob Bonta today announced a settlement with DoorDash, resolving allegations that the company violated the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). The investigation by the California Department of Justice found that DoorDash sold its California customers’ personal information without providing notice or an opportunity to opt out of that sale in violation of both the CCPA and CalOPPA. The sale occurred in connection with DoorDash’s participation in a marketing cooperative, where businesses contribute the personal information of their customers in exchange for the opportunity to advertise their products to each other’s customers. 

“DoorDash’s participation in a marketing cooperative is a sale under the CCPA and violates its customers’ rights under our landmark state privacy law. As my office has stressed time and time again, businesses must disclose when they are selling personal information and offer Californians a way to opt out of that sale,” said Attorney General Bonta. “I hope today’s settlement serves as a wakeup call to businesses: The CCPA has been in effect for over four years now, and businesses must comply with this important privacy law. Violations cannot be cured, and my office will hold businesses accountable if they sell data without protecting consumers’ rights.”

DoorDash is a San Francisco-based company that operates a website and mobile app through which consumers may order food delivery. In order to reach new customers, DoorDash participated in marketing cooperatives and disclosed consumer personal information as part of its membership in the cooperatives. In January 2020, the first month that the CCPA was in effect, DoorDash traded personal information – including names, addresses, and transaction histories – of California consumers to a marketing cooperative in a single transfer so that it could market its services to the customers of the other participating businesses. The other businesses participating in the cooperative also gained the opportunity to market to DoorDash customers. 

Today’s enforcement action alleges that this was a sale of personal information under the CCPA, that DoorDash violated the CCPA’s requirements for businesses that sell personal data, and that it failed to cure these violations. The complaint also alleges that DoorDash violated CalOPPA by failing to state in its posted privacy policy that it disclosed personally identifiable information, like a consumer’s home address, to the marketing cooperatives. Marketing cooperatives enable businesses to trade personal information, which can lead to the widespread dissemination of private consumer data, including to data brokers and other companies that are not members of the marketing cooperative.

As part of the settlement, DoorDash will pay a $375,000 civil penalty and comply with strong injunctive terms. Specifically, DoorDash must:

•  Comply with CCPA and CalOPPA, including requirements that apply to businesses that sell personal information.

•  Review contracts with marketing and analytics vendors and use of technology to evaluate if it is selling or sharing consumer personal information.

•  Provide annual reports to the Attorney General that monitors any potential sale or sharing of consumer personal information.

Today’s settlement with DoorDash marks Attorney General Bonta’s second CCPA enforcement settlement. This enforcement action underscores that sharing of customers’ personal information with a marketing cooperative is a sale within the meaning of the CCPA and that businesses can be exposed to liability under multiple California privacy laws for the same conduct. 

As part of ongoing efforts to enforce the CCPA, Attorney General Bonta last month announced an investigative sweep, and sent letters to businesses with popular streaming apps and devices alleging that they fail to comply with the CCPA. The sweep focused on the compliance of streaming services with CCPA’s opt-out requirements for businesses that sell or share consumer personal information, including those that do not offer an easy mechanism for consumers who want to stop the sale of their data. Attorney General Bonta has previously conducted investigative sweeps related to employee information and children’s privacy. In August 2022, the Attorney General announced a settlement with Sephora resolving allegations that it failed to disclose to consumers that it was selling their personal information and failed to process opt-out requests via user-enabled global privacy controls in violation of the CCPA. 

For more information about the CCPA, visit www.oag.ca.gov/ccpa. To report a violation of the CCPA to the Attorney General, consumers can submit a complaint online at www.oag.ca.gov/report.

A copy of the complaint and proposed stipulated judgment, which details the aforementioned settlement terms and remains subject to court approval, can be found here and here.

Attorney General Bonta Files Brief to Protect the Safety of Children Online, Maintain California Law Protecting the Privacy of Minors

April 24, 2023
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

OAKLAND — California Attorney General Rob Bonta filed a brief in defense of California’s law requiring companies to prioritize the online privacy, safety, and well-being of children over commercial interests. The brief seeks to block an effort by an online trade association representing companies such as Google, Meta, Amazon, Twitter, and TikTok challenging the California Age-Appropriate Design Code Act, a first-in-the-nation law aimed at safeguarding children online. The act requires that businesses that trade in consumers’ personal information and offer products, services, and features likely to be accessed by children proactively protect their young users’ information, and prohibits certain actions that involve the collection and use of that information.

“Businesses do not have a right to children’s data,” said Attorney General Bonta. “This is not about free speech: the companies challenging this law are doing so because they want to continue to make money from our kids’ online activity. In California, it is no longer business as usual when it comes to designing online services, products, and features that are accessed by kids – it’s time to elevate and protect children’s privacy and safety. The bottom line is: our children’s childhood experience should not be for sale, and we are defending the state stepping up to protect our children.”

The California Age-Appropriate Design Code Act was signed into law in 2022 and is modeled after the United Kingdom’s Age Appropriate Design Code, which similarly requires that websites likely to be accessed by children provide privacy protections by default. The Legislature unanimously passed the law, finding that more needs to be done to create a safer online space for children to learn, explore, and play. Despite businesses’ awareness that children use their services, businesses currently design their online services to include features that may be harmful to children, including manipulative techniques to prod them to spend hours on end online or provide personal information beyond what is expected or necessary. 

Attorney General Bonta's brief argues that the court should reject the companies’ efforts to block enforcement of the California Age-Appropriate Design Code Act, because:

  • The law does not violate these companies’ first amendment rights, since the act does not regulate content, mandate government approval before businesses can act, or restrict what content businesses make accessible to consumers;
  • The law is not preempted by federal law because it does not conflict with existing federal law; and 
  • An injunction would inflict irreparable harm upon California by preventing enforcement of a statute enacted by representatives of the people, and in the public interest to advance the safety and protection of minors.

A copy of the brief filed today can be found here

 

Attorney General Kamala D. Harris Launches New Tool to Help Consumers Report Violations of California Online Privacy Protection Act (CalOPPA)

October 14, 2016
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

Part of Multi-Pronged Effort to Improve Online Privacy and Increase Compliance with CalOPPA 

SAN FRANCISCO -- Today, Attorney General Kamala D. Harris announced the release of an online form to help consumers report websites, mobile applications, and other online services that are in violation of the California Online Privacy Protection Act (CalOPPA). A website or app operator may violate CalOPPA by failing to post privacy policies or posting incomplete or inadequate policies. This new form is one of several initiatives Attorney General Harris is undertaking to protect Californians’ privacy, especially in light of technological advances and the growth of the “internet of things.”  The form is available at https://oag.ca.gov/reportprivacy.

“In the information age, companies doing business in California must take every step possible to be transparent with consumers and protect their privacy,” said Attorney General Harris. “As the devices we use each day become increasingly connected and more Americans live their lives online, it’s critical that we implement robust safeguards on what information is shared online and how. By harnessing the power of technology and public-private partnerships, California can continue to lead the nation on privacy protections and adapt as innovations emerge.”

In 2011, the Future of Privacy Forum (FPF) conducted a study which found that many mobile apps were missing privacy policies, prompting the Attorney General to secure a first-of-its-kind agreement with the leading mobile application platforms, including Apple, Google Play and Amazon, to improve compliance; this agreement was later expanded to include Facebook. As a part of her continued commitment to privacy, Attorney General Harris directed her office to conduct a five-year review on mobile app compliance with CalOPPA and commissioned the FPF to conduct a new study of the top 100 mobile apps.  In addition, the Attorney General’s office is collaborating with computer scientists at Carnegie Mellon University to review apps in the Google Play store for compliance with the law and consulting with privacy experts, designers, and researchers to assess the effectiveness of CalOPPA and the “Do Not Track” legislation, which was sponsored by Attorney General Harris.  

A new FPF study, released in August 2016, found that the number of apps with privacy policies has risen substantially since the 2012 Mobile App Agreement—up from 30% to 80%; but the study also highlighted a notable and persistent gap, particularly in health and fitness apps, which often collect sensitive personal information but are less likely than other apps to have a privacy policy. The CMU research revealed that some mobile apps employ data practices that are not properly disclosed in their privacy policies, especially as they pertain to information sharing with third parties. This research indicates that while much progress has been made, more needs to be done to ensure companies are protecting consumers’ privacy and employing transparent practices. 

In response to the analysis of CalOPPA compliance, Attorney General Harris is today launching an online tool allows consumers to “crowdsource” privacy policy violations, exponentially increasing the California Department of Justice’s ability to identify and notify those in violation of CalOPPA.  To use the tool, consumers who have identified an operator that may not be in compliance can simply visit https://oag.ca.gov/reportprivacy to report the finding.    

The CalOPPA form is part of a multi-pronged approach to improve online privacy. The Attorney General’s office is also partnering with the Usable Privacy Policy Project at Carnegie Mellon University to develop a tool that will identify mobile apps that may be in violation of CalOPPA. The tool is designed to look for discrepancies between disclosures in a given privacy policy and the mobile app’s actual data collection and sharing practices (for example, a company might share personal information with third parties but doesn’t disclose that in its privacy policies).  This tool will help proactively identify and focus attention on policies that may require enforcement.

With the passage of CalOPPA in 2003, California became the first state in the nation to require commercial websites and online services to post privacy policies and the initiatives Attorney General Harris is leading will help strengthen California’s online privacy laws. Any operator in the world that collects personally identifiable information such as name, address, email address, phone number, or Social Security number from California consumers is required to comply. The privacy policy must include the categories of information collected, the types of the third parties with whom the operator may share that information, instructions regarding how the consumer can review and request changes to his or her information, and the effective date of the private policy. Assembly Bill 370, which Attorney General Harris sponsored, expanded this law in 2013 requiring privacy policies to include information on how the operator responds to ‘Do Not Track’ signals or similar mechanisms, as well as requiring privacy policies to state whether third parties can collect personally identifiable information about the site’s users. 

Attorney General Harris has a long track record of encouraging innovative and growth while protecting consumers’ privacy online. Earlier this week, she announced a new initiative—the California Cyber Crime Center—to help law enforcement fight crime in the digital era.  The center includes the California Department of Justice’s Privacy Enforcement and Protection Unit, which Attorney General Harris created in 2012. The Unit is responsible for enforcing state and federal privacy laws, providing Californians with information and strategies on how to protect their privacy, and encouraging businesses to follow best protection practices. Throughout her administration, the Attorney General has prosecuted and reached settlements with major corporations including Anthem Blue Cross, Citibank, Kaiser, Comcast, Houzz and Wells Fargo Bank for violating California’s privacy protection standards.  Attorney General Harris has also released numerous consumer alerts to help Californians, including alerts on how to adjust the location settings on your mobile phone and protect against identity theft, as well as consumer information sheets on a broad range of privacy issues.

Attorney General Harris is also strongly committed to data security, safeguarding consumers’ sensitive online information. In February, Attorney General Harris released a data breach report detailing the nature of reported breaches in the last four years, accompanied by recommendations for business and lawmakers including pointing to standards regarding “reasonable security” for protecting personally identifiable information. The office recently conducted a set of workshops for small businesses in conjunction with security experts from the Center for Internet Security.

Attorney General Kamala D. Harris Announces Settlement With Privatized Military Housing Contractors Over Allegations of Illegally Evicting Military Servicemembers

August 10, 2016
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

SAN DIEGO - Attorney General Kamala D. Harris today announced that California has reached a $252,000 settlement with two privatized military housing contractors over the companies’ unlawful evictions of 18 military servicemembers and their families from private military housing complexes in San Diego and Orange Counties. 

Attorney General Harris argued that these evictions violated the California Military and Veterans Code, the Servicemembers Civil Relief Act, and other state debt collection laws which protect servicemembers who are sued while serving on active military duty and are therefore unable to appear and defend themselves in court.  These laws prevent the entry of a default judgment unless a lawyer has been appointed to represent the interests of the absent servicemember, and they prohibit the use of false statements to collect a debt.  In addition, the contractors allegedly violated California privacy laws by filing court documents that included unredacted Social Security numbers, birth dates, or other personal information of nearly 100 servicemembers and military family members.

The defendants, Lincoln Military Property Management LP and San Diego Family Housing LLC and their eviction law firm, Kimball, Tirey & St. John LLP, are required to pay $200,000 in civil penalties, as well as provide $52,000 in debt relief for the servicemembers harmed by their conduct and assist victims with restoring and repairing credit history.  The settlement also requires the defendants to provide privacy protections to victims, including identity theft repair and mitigation services for one year following notification.  In addition, any default judgment evicting a servicemember and his or her family that was unlawfully obtained will be dismissed.

“It is unconscionable that companies would prey upon and illegally evict servicemembers and their families from their homes,” said Attorney General Harris. “This agreement holds these contractors accountable for their unlawful conduct – including illegal evictions and privacy violations – and ensures that veterans’ rights under the law are protected.  I want to thank the Navy Region Legal Service Office (RLSO) Southwest of San Diego for helping us secure justice for the servicemembers harmed by these companies.”

The complaint, filed today in San Diego Superior Court, alleges that Lincoln routinely evicted tenants from its private military housing complexes while failing to file affidavits that accurately reflected the military status of the servicemembers.  The defendants also violated California privacy laws by disclosing the personal information of servicemembers, exposing at least 100 victims to a risk of identity theft.  

The United States Department of Justice is filing a parallel complaint in the U.S. District Court for the Southern District of California alleging violations of federal law.

This is Attorney General Harris’s second action against a company that violated the Servicemembers Civil Relief Act.  The first was against JP Morgan Chase, which violated the Act in obtaining default judgments against servicemembers on credit card debt.  The Attorney General also obtained a $1.1 billion judgment against Corinthian Colleges, which illegally used the official seals of the military services in advertisements to entice servicemembers and veterans to enroll in its programs. 

The Attorney General’s office has provided training and technical support to JAG legal assistance attorneys at military installations throughout California.  The Attorney General has also issued multiple consumer alerts to help members of the military protect themselves from fraud and scams.  Her most recent alert for servicemembers and veterans, issued in honor of Memorial Day, provides tips on how to avoid common scams including rental scams, pension scams, predatory auto sales and financing, and education rip-offs.

A copy of the complaint is attached to the online version of this news release at www.oag.ca.gov/news.

Attorney General Kamala D. Harris, AARP CA to Hold ‘Shred Fest 2016’ to Help Protect Consumers from Identity Theft

April 27, 2016
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

LOS ANGELES – On Saturday, April 30, Attorney General Kamala D. Harris, AARP CA, and the District Office of Councilman Curren Price will hold Shred Fest 2016, a Los Angeles event where consumers can learn about how to prevent identity theft by shredding personal documents and other sensitive records for free. 

Saturday’s event is part of an ongoing partnership between AARP and Attorney General Harris’s office to protect consumers from identity theft and fraud and is one of several Shred Fest 2016 events scheduled for communities nationwide.  Shred Fest is also part of Money Smart Week®, supported by AARP’s Fraud Watch Network and the AARP Foundation.

“We must be vigilant in prosecuting those who take advantage of seniors and work to educate all Californians on how to avoid the increasing risks of identity theft, fraud and scams,” said Attorney General Harris. “‘Shred Fest 2016’ will help seniors safely dispose of sensitive documents and learn key strategies to protect themselves against identity theft.”

Information about Los Angeles Shred Fest 2016:

Saturday, April 30, 2016
4301 S. Central Avenue, Los Angeles, CA  90011
Shredding service begins at 10 a.m. and will continue until 2 p.m.

“Financial fraud causes millions of dollars in losses each year,” said Councilman Curren Price. “With the tax-filing season behind us, we’re encouraging taxpayers to do a spring cleaning of their old financial documents and other records.” 

“Identity thieves routinely search through dumpsters and trash cans, looking to find confidential information.  Our Shred Fest 2016 event will allow consumers to discard this paperwork in a safe and secure manner,” said Nancy McPherson, AARP CA State Director.

To avoid having your sensitive information compromised, security experts recommend shredding of the following types of materials:

  • Old documents: Papers that carry your Social Security number, birth date, signature, account numbers, passwords or PIN numbers.
  • Banking: Canceled or unused checks.  Shred deposit slips and ATM and credit card receipts, once you receive your monthly statements.
  • Credit Cards: Preapproved credit card applications and incentive/gift checks from credit card companies.
  • Medical: unneeded medical bills.
  • Investments: Investment account statements.
  • Obsolete ID cards: Expired driver’s licenses, medical insurance cards and passports.

Last year, Attorney General Harris partnered with AARP to protect seniors from fraud and abuse in a collaboration that includes tele-town halls and webinars to educate seniors, their families and the general public about legal protections designed for people age 50 and over. Together with the AARP Fraud Watch Network, Attorney General Harris’s office has created and disseminated consumer and educational resources to protect seniors against scams and schemes.

More resources to protect against identity theft are available on the Attorney General’s website at: http://oag.ca.gov/idtheft.