CCPA Enforcement Case Examples

The Office of the Attorney General (OAG) is responsible for enforcing the CCPA. The OAG began sending notices of alleged noncompliance to companies on July 1, 2020, the first day CCPA enforcement began. Once a company is notified of alleged noncompliance, it has 30 days to cure that noncompliance. This may require more than just starting to comply with the law. Overall, curative actions have strengthened consumers’ privacy protections. As of January 1, 2023, the CCPA no longer requires notice of a violation or an opportunity to cure before filing an enforcement action.

As a law enforcement agency, the OAG does not generally release information to the public about its investigations. The OAG provides the information below as illustrative examples of situations in which it sent a notice of alleged noncompliance and steps taken by each company in response. Please note that the information below does not include all the facts of each situation and does not constitute legal advice.

Updated 08/24/2022

Online Retailers Implemented Opt Out Procedures, Including GPC
Industry: Consumer Retail
Issue: Failure to honor consumer opt outs of sales

In an enforcement sweep, multiple online retailers were found to be using web tracking technologies to make consumers’ personal information available to third parties in exchange for services like advertising or analytics, without offering an opt-out mechanism or ensuring the third party was a CCPA-compliant service provider. Specifically, these retailers did not process a consumer’s request to opt-out via a user-enabled global privacy control, as required by the CCPA regulations. After being notified of alleged noncompliance, these businesses reviewed and updated service-provider contracts, implemented technology to communicate a “restricted use” signal to third-party recipients of personal information, and blocked some transfers of personal information upon detection of the Global Privacy Control (GPC).
Loyalty Programs Posted Notices of Financial Incentives That Disclosed Material Terms and Obtained Opt-In Consent
Industry: Retail including clothing, home goods, and household staples; Food and beverage; Hospitality; and Home improvement.
Issue: Noncompliant Notice of Financial Incentive

In an enforcement sweep, multiple businesses were found to be operating loyalty programs that offered financial incentives (including product discounts, service differences and/or reduced prices) for the collection of consumers’ personal information without posting a compliant Notice of Financial Incentive. The businesses were notified. In response, and specific to the alleged violations, businesses respectively:
  • Posted a Notice of Financial Incentive at cash registers where consumers would reasonably encounter the terms before voluntarily joining the loyalty program;
  • Revised online interfaces to clearly direct consumers to the Notice of Financial Incentive via an appropriately titled “deep link”;
  • Redesigned their loyalty programs’ enrollment methods to capture express opt-in consent and to meaningfully provide consumers with the right to withdraw from the program at any time; and/or
  • Revised their Notices of Financial Incentives to provide consumers with the material terms of the financial incentive. Material terms include the business’s use of consumer personal information collected as part of the financial incentive, such as for the purpose of sale, consumer profiling, or to personalize offers and other marketing.
Weblink Shortener Updated Privacy Policy and Added Request Methods
Industry: Technology
Issue: Non-Compliant Privacy Policy and No Request Methods

A business that provides weblink abbreviation tools did not provide notice of the required CCPA consumer rights, including the right to know, delete, and to not be discriminated against, nor did it disclose the request methods established for consumers to exercise their CCPA rights. The business also did not explicitly state whether or not it had sold personal information and did not provide a clear and conspicuous “Do Not Sell My Personal Information” link. After being notified of alleged noncompliance, the business updated its privacy policy to include the required CCPA rights, implemented two request methods, and added a compliant opt-out link.
Healthcare Services Company Reformed Requests Processes
Industry: Healthcare
Issue: Erroneous Treatment of Requests to Know

A business that matched open appointments with patients seeking COVID-19 vaccinations incorrectly treated some consumer requests to know as requests to delete and permanently deleted consumers’ personal information. Some affected consumers posted on social media. The business implemented training for staff and refined its request response process to accurately and appropriately respond to both right to know and delete requests.
Medical Device Manufacturer Updated Privacy Policy
Industry: Medical Devices
Issue: Non-Compliant Privacy Policy; Required Consumers to Waive/Limit CCPA Rights; Limited Number of Requests to Know; Sale of Personal Information

A medical device manufacturer and seller collects consumers’ personal information on its website. The business limited a consumer’s rights under the CCPA by requiring consumers to accept the business’s privacy policy and terms of service in order to exercise their rights under the CCPA. The business’s privacy policy stated, among other things, that a consumer was limited to one request every 12 months. The business’s disclosures regarding its sale of data were also confusing, and the business did not provide a mechanism for consumers to opt-out of the sale of their personal information. The business also made consumers take additional steps to opt-out by directing consumers to a third-party trade association’s tool designed to manage online advertising. After being notified of alleged noncompliance, the business removed the conditions on consumers’ exercise of their CCPA rights, added a “Do Not Sell My Personal Information” link, and updated its opt-out webform that allowed consumers to fully opt-out of the sale of personal information, including personal information that was exchanged for targeted advertising.
Telehealth Portal Updated Link to Notice at Collection and Updated Privacy Policy
Industry: Telehealth Technology
Issue: Non-Compliant Privacy Policy; Non-Compliant Notice of Collection

A business that provides a platform for virtual healthcare services also had a separate public-facing website that collected personal information and is subject to the CCPA. The business’s link to its notice at collection sent consumers to the beginning of its privacy policy instead of the relevant section. The business’s privacy policy also failed to describe the information a consumer must provide in order to make a verifiable consumer request, list the categories of personal information collected or disclosed in the past twelve months, and list the categories of third parties for each category of personal information disclosed for a business purpose. After being notified of alleged noncompliance, the business made its notice readily available to consumers by “deep-linking” to send consumers to the relevant section of its privacy policy and updated its privacy policy to include the required disclosures.
Fitness Center Chain Updated its Website Opt-Out and Cookie Options
Industry: Fitness Industry
Issue: Non-Compliant Opt-Out Process

A business that operates a fitness center chain posted a “Do Not Sell My Personal Information” link on its website homepage; however, it included choices that were confusing with unclear language and toggle options. For example, when a consumer turned the toggle for “opt-out of sale of personal information” to “on”, the consumer would opt in to third-party cookies and the sale of their personal information; a consumer would need to turn this toggle “off” to opt-out of the sale of their personal information. The business’s privacy policy also directed consumers to a third-party trade association’s tool designed to manage online advertising and cookie preferences. After being notified of alleged noncompliance, the business simplified the language and options to opt-out of sale of personal information, made it easier to understand, avoided the double negative, and removed a confusing drop-down menu in favor of a simple, easy to understand toggle. The business also updated its privacy policy to more clearly explain how it used third-party cookies and allowed consumers to fully opt-out of the sale of personal information, including in connection with targeted advertising.
FinTech for Minors Business Updated Privacy Policy and Added Required Links
Industry: Financial Technology
Issue: Non-Compliant Privacy Policy; Non-Compliant Opt-Out Process; Missing Notice

A business that offers financial services to minors, including those aged 13 to 16 years old, operated a mobile app that failed to notify consumers at or before the point of collection about the categories of personal information the business collected and the purposes used. It also did not explicitly state in its privacy policy whether it sold personal information. After being notified of alleged noncompliance, the business explained that it segregated data for all minors under 18, and did not sell this data. The business also updated its privacy policy to clearly state that it does not sell personal information of minors under 18. For consumers that are over the age of 18, the business stated that it may sell personal information and added a “Do Not Sell My Personal Information” link to its homepage. The business also added a link in the first screen of its mobile app to its notice at collection that included the categories of personal information the business collected and the purposes used.
People Search Company Updated its Opt-Out and Other CCPA Processes
Industry: Data Broker
Issue: Non-Compliant Opt-Out Process and Verification Procedures

A business that operates a people search website had a “Do Not Sell My Personal Information” link that worked only on certain browsers and directed consumers to a confusing webpage that required several additional steps to submit CCPA requests. The business required an onerous process for CCPA requests (including verification), provided only one method to submit CCPA requests, and required consumers to agree to terms of service and the privacy policy in order to submit CCPA requests. It was also unclear if the consumer was required to create an account in order to complete their requests. The business also did not properly disclose CCPA metrics for the previous calendar year.

After being notified of alleged noncompliance, the business updated the website so the “Do Not Sell My Personal Information” link worked on all browsers, updated its California Privacy Page to clarify and simplify the process to submit CCPA requests, eliminated the verification process for opt-out and delete requests, provided alternate methods to submit CCPA requests including simplified options that did not require consumers to agree to terms of service and the privacy policy, clarified that consumers are not required to create an account, and updated its disclosures in compliance with Cal. Code Regs., tit. 11 § 7102. The business also agreed to send emails to all consumers who submitted CCPA requests within the prior two years but did not complete verification, and provided information about and a link to its updated, streamlined CCPA procedures.
Clothing Retailer Fixed Its Opt-Out Mechanism
Industry: Clothing Retailer
Issue: Non-Compliant Opt-Out Process

A clothing retailer had a non-compliant opt-out process. Its “Do Not Sell My Personal Information” link led to a pop-up option that only discussed how to manage cookies and similar technologies. It did not provide a mechanism to stop the sale of personal information. After being notified of alleged noncompliance, the business updated its opt-out page by offering all consumers—including non-Californians—a button to opt out of the sale of personal information that was separate from any additional cookie preferences option.
Technology Platform Updated Authorized Agent Procedures and Training
Industry: Technology
Issue: Non-Compliant Opt-Out and Request to Know Process

A technology platform that provides financial products for businesses and consumers did not allow consumers to submit opt out requests or requests to know via authorized agents. The platform also failed to ensure that those handling consumer inquiries were informed of CCPA requirements or how to direct consumers to exercise their CCPA rights. After being notified of the alleged non-compliance, the business implemented changes to allow consumers to submit privacy requests via authorized agents, and updated its privacy policy to reflect those changes. The business also conducted a training with its employees that covered authorized agent requests. Finally, the business initiated a technical solution to block all third-party advertising cookies for anyone visiting their website using a California internet protocol (IP) address.
Wireless Network Provider Updated Request for Information Procedures
Industry: Telecommunications
Issue: Consumer Requests to Know and Delete; Noncompliant Opt-Out Process

On social media, a consumer notified a wireless network provider that its online CCPA portal was not functional and was not accepting consumer requests to know and delete. In addition, the Attorney General sent a notice of alleged noncompliance. In response, the business explained the steps it had taken to ensure that its online CCPA portal was functional. It also implemented its response process for other online CCPA requests, like those via the GPC.
Online Advertising Firm Updated Privacy Disclosures and Fixed Opt-Out of Sale Method
Industry: AdTech
Issue: Non-Compliant Privacy Policy and Opt-Out of Sale Process

A business that provides online advertising tools, technologies, and services had privacy disclosures that were not easy to read or understandable to the average consumer, and did not include the required information. The business’s method to opt-out of the sale of personal information was also confusing and contained dysfunctional links. After being notified of the alleged noncompliance, the business revised its privacy policy to fix the identified violations and hired a UX designer to improve its opt-out of sale method.

Updated 07/19/2021

Marketing Company Clarified Status as Service Provider
Industry: Online Marketing Services
Issue: Notice to Consumers

An email marketing company collects consumers’ personal information through emails submitted on its customers’ behalf. The company did not provide the required notices to consumers or methods to submit consumer requests. After being notified of alleged noncompliance, the company provided evidence that it acted as a service provider on behalf of its customers when it processed consumers’ personal information. The company confirmed that personal information obtained and processed for one customer was not used to provide services to another customer. The company also updated its terms of service to clarify its obligations as a service provider under the CCPA.
Social Media Network Updated Service Provider Contracts
Industry: Social Media Network
Issue: Non-Compliant Service Provider Contracts

A business that operates a social media network did not contractually prohibit its service providers from retaining, using, or disclosing personal information received for any purpose other than performing the services specified in the contracts. After being notified of alleged noncompliance, the business modified its service provider contracts by adding CCPA-specific addendums.
Online Event Sales Company Updated Privacy Policy and Added Request Methods
Industry: Online Event Sales
Issue: Non-Compliant Privacy Policy; Lack of Request Methods

A business that sells classes and admission to activities directed at children posted a privacy policy that did not provide notice of the required CCPA consumer rights, including the right to know, delete, and to not be discriminated against, or disclose the request methods established for consumers to exercise their CCPA rights. The business also did not explicitly state whether or not it had sold personal information or transferred personal information for a business purpose in the past 12 months. After being notified of alleged noncompliance, the business updated its privacy policy to include the required CCPA rights, implemented two request methods, listed the personal information it transferred for a business purpose, and affirmatively stated that it did not sell personal information.

Online Dating Platform Added Do Not Sell My Personal Information Link and Sales Disclosures
Industry: Online Dating
Issue: No “Do Not Sell My Personal Information” Link; Non-Compliant Privacy Policy

A business that provides an online dating platform and sold personal information did not have a “Do Not Sell My Personal Information” link on its homepage and did not have adequate disclosures about what personal information it sold in its privacy policy. The business also disclosed that a user clicking an “accept sharing” button when creating a new account was sufficient to establish blanket consent to sell personal information. After being notified of alleged noncompliance, the business added a clear and conspicuous “Do Not Sell My Personal Information” link and updated its privacy policy with compliant sales disclosures.
Online AdTech Service Provider/Business Corrected Privacy Policy and CCPA Request Methods
Industry: Online Advertising
Issue: Non-Compliant Privacy Policy; Non-Compliant Service Provider Contracts

A company connects streaming services and various cable channels to advertisers that want to buy targeted ad space on those outlets. The company’s privacy policy was non-compliant with the CCPA because although it was primarily a service provider, it was also a business in some contexts. Moreover, its service provider contracts did not contain the necessary restrictions on the use of processed personal information. After being notified of alleged noncompliance, the company modified its privacy policy including clarifying that it did not sell personal information and providing an accessible means for consumers to submit CCPA requests. The company also refined its CCPA request method instructions and updated its service provider contracts to be compliant with the CCPA.
Online Social Media App Implemented New System to Respond to CCPA Requests in Timely Manner
Industry: Social Media
Issue: Untimely Responses to CCPA Requests

A business that operates a social media app was not timely responding to CCPA requests to know and delete personal information, and users complained that they were not receiving notice that their CCPA requests had been received or effectuated. After being notified of alleged noncompliance, the business responded to the outstanding requests. The business also updated its CCPA response system to ensure that future requests would be acknowledged and responded to in a timely manner.
Children’s Toys Distribution Company Updated Privacy Policy
Industry: Children’s Toys Distribution
Issue: Non-Compliant Privacy Policy; Lack of Request Methods; Charging Fees for CCPA Requests

A business that distributes children’s toys did not provide notice of the required CCPA consumer rights, did not include the methods for consumers to exercise their CCPA rights to request to know and delete, did not list the categories of personal information it disclosed, and did not state whether or not it had sold personal information in the past 12 months. The business also claimed in its privacy policy that it could charge a fee for processing a consumer’s request to know. After being notified of alleged noncompliance, the business updated its privacy policy to address these issues.
Grocery Chain’s Loyalty Program Required Posting A Notice of Financial Incentive
Industry: Grocery Retailer
Issue: No Notice of Financial Incentive

A business that operates a chain of grocery stores required consumers to provide personal information in exchange for participation in its company loyalty programs. The company did not provide a Notice of Financial Incentive to consumers participating in these loyalty programs. After being notified of alleged noncompliance, the company amended its privacy policy to include a Notice of Financial Incentive.
Online Classified Advertisements Company Updated Privacy Policy
Industry: Online Platform
Issue: Non-Compliant Privacy Policy

A business that operates an online classified advertisement platform did not provide notice of the required CCPA consumer rights, including the right to know, delete, and to not be discriminated against. The business also did not explicitly state whether or not it had sold personal information or transferred personal information for a business purpose in the past 12 months. After being notified of alleged noncompliance, the business updated its privacy policy to include the required notice of CCPA rights, identify the categories of personal information that it transfers to others for a business purpose, and affirmatively stated that it did not sell personal information. However, the updated privacy policy was not easy to read or understandable to the average consumer, e.g., contained unnecessary legal jargon. The business received a second notice that the updated privacy policy did not comply with the CCPA regulations. In response, the business significantly revised their privacy policy to address these concerns.
Media Conglomerate Updated Opt-Out Process and Notices
Industry: Mass Media and Entertainment
Issue: Non-Compliant Opt-Out Process; Notices to Consumers

A mass media and entertainment business did not provide consumers with any methods to opt-out of the business’s sale of their personal information. The business only directed consumers to a third-party trade association’s tool designed to manage online advertising. The business’s privacy policy and notice of right to opt-out also did not include required information about how consumers or their agents could exercise their opt-out rights. The business also did not have a notice at collection and lacked a “Do Not Sell My Personal Information” link on several of its digital properties. After being notified of alleged noncompliance, the business updated its opt-out process, privacy policy, and notices to address these issues, and added the “Do Not Sell My Personal Information” link to all of its digital properties.
Data Broker Updated Opt-Out Method
Industry: Location Data
Issue: Non-Compliant Opt-Out Process

A location data broker’s opt-out process directed consumers to their mobile device settings to effectuate their opt-out choices. The business also provided a webform to allow consumers to opt-out of the business’s data collection but it did not state whether the webform would also opt consumers out of the sale of their personal information. After being notified of alleged noncompliance, the business updated its opt-out webpage to more prominently feature the webform and clarified that its webform would allow consumers to fully effectuate their CCPA opt-out rights. The business also clarified that adjusting mobile device settings would limit future tracking, but would not effectuate a CCPA opt-out request.
Automotive Business Implemented In-Person Notice at Collection, Updated Privacy Policy, and Fixed Defective Request Methods
Industry: Automotive
Issue: Notices to Consumers; Non-Compliant Privacy Policy; Lack of Toll-Free Number; Defective Methods to Submit Requests

An automotive company collected information from consumers who test drove vehicles at the business, but it failed to provide a notice at collection. The business’s privacy policy also failed to include a description of CCPA rights or instructions regarding how authorized agents can submit requests. The business also failed to provide a toll-free number for consumers making CCPA requests, and directed consumers to an online method for submitting requests to know and delete that was non-functional. After being notified of alleged noncompliance, the business implemented a notice at collection for personal information received in connection with test drives, whether collected online or in-person. The business also updated its privacy policy to include the required disclosures regarding consumers’ CCPA rights and list a toll-free phone number, and fixed its defective online methods for submitting CCPA requests.
Pet Industry Website Updated its Opt-Out Webform for Consumers to Opt Out of All Sales of Personal Information
Industry: Pet Industry
Issue: Authorized Agent; Sales of Personal Information

A business that operates an online pet adoption platform required a consumer’s authorized agent to submit a notarized verification when invoking CCPA rights. The business’s disclosures regarding its sale of data were also confusing, and the business did not appear to provide a mechanism for consumers to opt-out of the sale of their personal information. The business also made consumers take additional steps to opt-out by directing consumers to a third-party trade association’s tool designed to manage online advertising. After being notified of alleged noncompliance, the business removed the notarization requirement for agents, added a “Do Not Sell My Personal Information” link, and updated its opt-out webform that allowed consumers to fully opt-out of the sale of personal information, including personal information that was exchanged for targeted advertising.
Grocery Chain Updated Disclosures to Describe How Consumers May Submit Requests by Authorized Agents
Industry: Grocery Retailer
Issues: Authorized Agent; Non-Compliant Privacy Policy

A business that operates a chain of grocery stores did not include information about how authorized agents may submit CCPA requests on behalf of consumers, in addition to other omissions in their privacy policy. After receiving notice of these apparent violations by both members of the public and our office, the business updated its privacy policy to explain how agents can submit CCPA requests on behalf of consumers, as well as the business’s requirements for verifying such requests.
Mobile App Game Stopped Selling Personal Information and Updated Protections for Minors
Industry: Online Gaming
Issue: Sales of Personal Information; Sales of Minors’ Personal Information

A business that operates a mobile app game installed software from a third-party mobile advertising platform that made available the personal information of its players, including minors aged 13 to 15 years old. The business did not provide an opt-out mechanism to adults or obtain an opt-in for minors. After being notified of alleged noncompliance, the business removed the ad software and instituted other privacy protections directed at younger users, including age-gating and parental verification features.
Social Media Company Stopped Selling Personal Information and Updated Privacy Policy
Industry: Social Media Platform
Issue: Notices to Consumers; Sales of Personal Information

A business that launched a social media platform and advertised itself as being pro-privacy failed to inform consumers about their CCPA rights. The business also exchanged personal information about users’ online activities with various third-party analytics providers but did not post the required notices or provide consumers with methods to opt-out of the sale of personal information. After being notified of alleged noncompliance, the company updated its privacy policy and removed all third-party trackers from its app and website.
Manufacturer and Retailer Stopped Selling Personal Information
Industry: Consumer Electronics
Issue: Sales of Personal Information

A business that sells electronics maintained third-party online trackers on its retail website that shared data with advertisers about consumers’ online shopping. The business neither imposed a service provider contractual relationship on these third parties, nor processed consumers’ requests to opt-out that were submitted via a user-enabled global privacy control, e.g., a browser extension that signaled the GPC. After being notified of alleged noncompliance, the company worked with its privacy vendor to effectuate consumer opt-out requests and avoid sharing personal information with third parties under conditions that amounted to a sale in violation of the CCPA.
Media Conglomerate Updated Opt-Out Method and Added DNSMPI Links
Industry: Digital Media
Issue: Non-Compliant Opt-Out Process; Lack of Request Methods

A business that is a media conglomerate required consumers to submit multiple, separate requests to opt-out of the sale of their personal information on each website in its portfolio. The business also did not have the “Do Not Sell My Personal Information” link on several of its digital properties. After being notified of alleged noncompliance, the business updated its opt-out process to streamline opt-out requests and added the “Do Not Sell My Personal Information” link to all of its digital properties.
National Grocery Chain Updated Privacy Policy and Added Request Methods
Industry: Grocery Retailer
Issue: Non-Compliant Privacy Policy

A business that operates a chain of grocery stores failed to disclose information about its collection and use of consumer personal information in a privacy policy, failed to provide notice of consumers’ CCPA rights, including the right to know, delete, and to not be discriminated against, and did not inform consumers of how to submit requests to know, delete, and opt-out of the sale of personal information. After being notified of alleged noncompliance, the business posted a privacy policy that provided the information required by the CCPA, implemented processes by which consumers can submit CCPA requests, and affirmatively stated that it did not sell personal information.
Email Newsletters Platform Updated Privacy Policy and Added Request Methods
Industry: Email Subscription Platform
Issue: Non-Compliant Privacy Policy

A platform for subscription-based email newsletters had a non-compliant privacy policy because it did not provide notice of the required CCPA consumer rights, including the right to know, delete, and to not be discriminated against, and did not adequately inform consumers of how to submit requests to know and delete. The business also did not explicitly state whether or not it had sold personal information or transferred personal information for a business purpose in the past 12 months. After being notified of alleged noncompliance, the business updated its privacy policy to include the required CCPA rights, listed the personal information it transferred for a business purpose, specified how to submit CCPA requests, and affirmatively stated that it did not sell personal information.
Online Event Sales Company Updated Privacy Policy and Added Request Methods
Industry: Online Event Sales
Issue: Non-Compliant Privacy Policy; Lack of Request Methods

An online business that sells tickets to events had a non-compliant privacy policy that did not provide notice of the required CCPA consumer rights, including the right to know, delete, and to not be discriminated against. The privacy policy also failed to tell consumers how they could exercise their CCPA rights, and the business failed to disclose whether or not it had sold or disclosed personal information for a business purpose in the past 12 months. After being notified of alleged noncompliance, the business updated its privacy policy to include the required information. It also confirmed that it did not sell personal information.
Digital Partner Clarified Its Own Obligations
Industry: Digital Experiences Partnerships
Issue: Non-Compliant Privacy Policy; Notices to Consumers; No “Do Not Sell My Personal Information” Link

A company that partners with major corporations on digital strategies did not satisfy its own obligations under the CCPA. The business’s privacy policy did not tell consumers about their rights under the CCPA and did not provide adequate notice on how personal information was collected, used, or sold. The business also did not offer a way for consumers to make requests over the telephone or on the company’s website. After being notified of alleged noncompliance, the business updated and clarified its privacy policy to address CCPA-specific rights and notices. The business now also offers a “Do Not Sell My Personal Information” link, email address, and telephone number for consumers to submit relevant requests.
Data Broker Updated DNSMPI Link, Stopped Requiring Verified Opt-Out Requests and Account Creation for Verified Requests
Industry: Data Broker
Issue: No “Do Not Sell My Personal Information” Link; Verification; Account Creation for Verification

A data broker posted a “Do Not Sell My Personal Information” link that did not work. The business also required verification, in the form of copies of government identification and a bill showing the consumer’s address, before honoring requests to opt-out of the sale of personal information. The data broker also required consumers to create an account in order to make a verifiable consumer request. After being notified of alleged noncompliance, the business updated its “Do Not Sell My Personal Information” link, no longer requires that consumers be verified to opt-out of the sale of personal information, and no longer requires customers to create an account in order to make a CCPA request.
Video Game Distribution Company Updated Privacy Policy
Industry: Video Game Distribution
Issue: Non-Compliant Privacy Policy

A video game distribution company had a non-compliant privacy policy that did not provide notice of the required CCPA consumer rights, did not list the categories of personal information it disclosed, and did not state whether or not it had sold personal information in the past 12 months. The privacy policy also gave incorrect instructions for how consumers could exercise their CCPA rights to request to know and delete. After being notified of the alleged noncompliance, the business updated its privacy policy to address these issues.
Education Technology Company Updated Privacy Policy and Added DNSMPI Link
Industry: Education Technology
Issue: Non-Compliant Privacy Policy; Lack of Request Methods; No “Do Not Sell My Personal Information” Link

An education technology company providing online learning platforms for schools, higher education, and businesses had a non-compliant privacy policy because it did not (1) provide notice of the required CCPA consumer rights including the right to know, delete, and to not be discriminated against for exercising CCPA rights; (2) include the methods for consumers to exercise their CCPA rights to request to know and delete; and (3) list the categories of personal information it disclosed or sold in the past 12 months. The business also did not have the “Do Not Sell My Personal Information” link on its internet homepage. After being notified of alleged noncompliance, the business updated its privacy policy to address these areas and added the “Do Not Sell My Personal Information” link to its homepage.
Clothing Retailer Updated Privacy Policy and Added Request Methods
Industry: Online Clothing Retailer
Issue: Non-Compliant Privacy Policy

An online clothing retailer had a non-compliant privacy policy because it did not provide notice of the required CCPA consumer rights, including the right to know, delete, and to not be discriminated against, and did not inform consumers of how to submit requests to know and delete. The business also did not explicitly state whether or not it had sold personal information or transferred personal information for a business purpose in the past 12 months. After being notified of alleged noncompliance, the business updated its privacy policy to include the required CCPA rights, listed the personal information it transferred for a business purpose, specified how to submit CCPA requests, and affirmatively stated that it did not sell personal information.
Data Broker Added DNSMPI Link
Industry: Database/Directory Sales
Issue: Lack of Request Methods

A consumer advocacy organization published a report finding that a data broker that sells professional contact directories, which included consumer personal information, did not post a “Do Not Sell My Personal Information” link on its homepage. Publication of the report provided notice of CCPA non-compliance to the business, in addition to a notice provided by the Attorney General’s Office. The business responded by adding a “Do Not Sell My Personal Information” link to its homepage.