Privacy & Identity Theft

Coordinated state effort signals nationwide, robust enforcement of important privacy right 

OAKLAND — California Attorney General Rob Bonta, alongside the California Privacy Protection Agency and the attorneys general of Colorado and Connecticut, today announced an investigative sweep involving potential noncompliance with the Global Privacy Control, or GPC, an easy-to-use browser setting or extension that automatically signals to businesses a consumer’s request to stop selling or sharing their personal information to third parties. As part of the sweep announced today, the coalition sent letters to businesses that do not appear to be processing consumer requests to opt out of the sale of their personal information submitted via the GPC as required by law and requested that those businesses come into immediate compliance. This sweep reinforces the three states’ 2025 Data Privacy Day educational efforts on the GPC and California’s prior $1.2 million settlement  with Sephora regarding GPC compliance.

“Californians have the important right to opt-out and take back control of their personal data — and businesses have an obligation to honor this request,” said Attorney General Rob Bonta. “Today, along with our law enforcement partners throughout the country, we have identified businesses refusing to honor consumers’ requests to stop selling their personal data and have asked them to immediately come into compliance with the law. California and our sister states are committed to continued collaboration to actively enforce consumers’ important privacy rights and are paying close attention to business compliance with the Global Privacy Control.”

“In Connecticut, you have the right to access, correct, and delete personal data stored and collected by businesses, and the right to opt-out of the sale of personal data and targeted advertising. And you can install a simple browser extension that indicates your choice to opt-out of this type of commercial tracking. While many businesses have been diligent in understanding these new protections and complying with the law, we are putting violators on notice today that respecting consumer privacy is non-negotiable,” said Attorney General William Tong. 

“Collaboration with our partners in other states is essential to the CPPA’s work. We are proud to join this effort to ensure that consumers’ opt-out rights are honored, and we will continue working across jurisdictions to protect Californians’ privacy,” said Tom Kemp, the CPPA’s Executive Director.  

Data comes from nearly everywhere online, even when people think they’re not revealing anything. It has been estimated that the average person produces 1.7 MB of data per second or 6,120 MB of data per hour. Websites can track and amass personal information and behavioral data like pages visited, time spent on pages, clicks, and detailed purchase information to create and share profiles and inferences about consumers. Apps and other software can collect and transmit personal information as well, including sensitive personal information like a user’s precise geolocation. Preventing third parties from receiving this information is a key step to protecting private information and stopping the proliferation of consumer data in the online ecosystem.

YOUR RIGHT TO OPT-OUT IN CALIFORNIA

The California Consumer Privacy Act (CCPA) vests California consumers with control over the personal information that businesses collect about them, including the right to request that businesses stop selling or sharing their personal information. With some exceptions, businesses cannot sell or share your personal information after they receive your opt-out request unless you later provide authorization allowing them to do so again. Businesses must wait at least 12 months before asking you to opt back in to the sale or sharing of your personal information.  

Consumers interacting with a business online have two options to opt out of the sale of their data:

OPTION 1: Enabling Global Privacy Control 

The GPC is a signal that allows users to automatically indicate to the websites they visit that they would like to opt-out of the “sale” and “sharing” of their personal information. The GPC signal is an easy way to opt-out because a consumer does not have to make individualized requests to opt-out on each website they visit. GPC can be downloaded via a browser extension; some browsers offer a GPC setting. Installing GPC is simple and ensures your personal is protected. 

Click here for a video to show you how to install GPC.

OPTION 2: Opt-Out One Business at a Time 

Businesses that sell personal information must provide a clear and conspicuous “Do Not Sell or Share My Personal Information” link on their website that allows you to submit an opt-out request. Businesses cannot require you to create an account to process your opt-out, but may ask consumers for information necessary to complete the request, such as information necessary to identify the consumer whose information shall cease to be sold or shared by the business.

If you can’t find a business’s “Do Not Sell or Share My Personal Information” link, review its privacy policy to see if it sells or shares personal information. If the business does, it must also include that link in its privacy policy. If a business’s "Do Not Sell My Personal Information" link is not working or difficult to find, you may report the business to our office by visiting oag.ca.gov/report. 

For more information on the CCPA and opting out, please see here. For a tutorial on installing GPC, please see here.

OAKLAND — California Attorney General Rob Bonta today alerted consumers of ongoing text-based scam activity targeting California taxpayers. Tax fraud scams are a part of a larger universe of government imposter scams, which occur when a person claims to be a government employee in order to obtain a victim’s personal information or for financial gain. These fraudulent texts claim to come from the State of California Franchise Tax Board (FTB) and ask consumers to provide personal information in order to receive their so-called tax refund. In today’s alert, Attorney General Bonta provides Californians with tips to avoid falling victim to tax fraud scams like this one and other government imposter scams. Taxpayers should be especially cautious with their tax, bank account, credit card, and other personal information. 

“Californians: Be on alert for texts from seemingly official government agencies that seem fishy — they might indeed be phishing scams designed to trick you out of your hard-earned money,” said Attorney General Rob Bonta. “Bad actors are getting more sophisticated and show little signs of slowing. I urge Californians to not click on links in texts asking consumers for personal information, visit only official websites, and talk to friends and family who may be unaware of these dangers."

“Sadly, FTB and other California agencies constantly battle bad actors attempting to steal your money. These scammers may impersonate tax agency representatives to steal your personal information," said State Controller and FTB Chair Malia M. Cohen. "If you ever have doubts about the authenticity of a text, email, or phone call claiming to be from FTB, IRS, or any other government agency, contact the agency directly to verify whether there’s an issue that requires your attention.” 

FTB advises Californians not to reply to suspicious text messages, download attachments, or click on links in texts or emails if they are unsure of their authenticity. Verify any suspicious messages by contacting the agency identified directly and visiting official pages only. View FTB’s text messaging page to verify when FTB texts and what information they send. For more information, please see here.

Text-Based Scams 

If you receive a suspicious or unsolicited text message claiming to be from FTB, do not respond or click on any links, as the text may be a phishing scam. Text messaging is particularly dangerous because consumers might hurriedly click on a link and begin entering a password, not realizing that the link is phony and their password is being recorded. These texts may ask for:

• Usernames
• Passwords
• Payment
• Credit and debit card numbers
• Banking information
• PINs
• Social security number  

Other Tax Fraud Scams

Tax-related scams take on various forms and show up every year, especially around tax season. The most common tax-related scams include: 

• Fake phone calls demanding money: Scammers will call you claiming that they are from the Internal Revenue Service (IRS) or the FTB and say that you owe them money. The scammer will harass you and use high-pressure tactics claiming that you will be arrested, deported, or will lose your driver’s license if you don’t pay right now. Sometimes the scammer will even know your Social Security number or fake the caller ID so that it looks like they are calling from the IRS or FTB. Scammers may offer to provide “documentation” or “evidence,” or use the name of a real government official. If a government agency calls you and asks for financial or personal information, hang up and go to the agency’s official website (which should be a .gov website) and call them directly. Government officials will not threaten you with arrest or legal action in exchange for immediate payment. They will not promise to increase your benefits or resolve an issue in exchange for a fee or transfer of funds to a protected account.
• Fake emails: Scammers will send out "phishing" emails that look like they are from the IRS or FTB and claim that you either owe money or are due a refund. They will include links to official-looking websites and ask for either money outright or personal information that will allow them to steal your identity.
• Stolen refunds: Identity thieves will use stolen personal information to file false tax returns in your name and steal your refunds. Scammers will usually file early in the tax season, before you get to it. You won’t learn about the theft until you try to file your taxes.  

Protect Yourself from Tax Fraud Scams

• Protect your personal information: Never provide personal information, such as your Social Security number or bank account information, to someone you do not know.
• Be wary of unsolicited communication: As a rule of thumb, real government officials will never ask for payment in the form of gift cards, prepaid debit cards, wire transfers, Internet currency, or by mailing cash.
• Hang up the phone! While in some cases the IRS or FTB may call a person who owes taxes, the agencies only do so after they have tried to contact you by mail. If you suspect a scam call, immediately hang up or do not respond. The longer you stay on the line, the more likely you are to fall victim to a scam.
• Use a strong password: When preparing your tax return for electronic filing, be sure to use a unique strong password for your online filing accounts. A strong password is eight or more characters, including letters, numbers, and symbols. Use a unique password for each of your tax filing accounts.
• Never sign a blank return: Do not use a tax preparer who asks you to sign a blank tax form.
• Talk to friends and family: Always seek a second opinion from your friends and family.

If you suspect you have been a victim of a tax-related scam, report the scam and any losses to the Internal Revenue Service and/or the California Franchise Tax Board. For more information and resources on tax fraud and other government imposter scams, visit our website at oag.ca.gov/consumers/general/taxes.

Action represents fourth settlement, continued enforcement priority under the California Consumer Privacy Act

OAKLAND — California Attorney General Rob Bonta today announced a settlement with website publisher Healthline Media LLC (Healthline), resolving allegations that its use of online tracking technology on its health information website, Healthline.com, violated the California Consumer Privacy Act (CCPA). An investigation by the California Department of Justice (DOJ) found that Healthline failed to allow consumers to opt out of targeted advertising and shared data with third parties without CCPA-mandated privacy protections — including data suggesting that a person may have a serious health condition. The settlement includes $1.55 million in civil penalties and strong injunctive terms, including a novel term that prohibits Healthline from sharing article titles that reveal that a consumer may have already been diagnosed with a medical condition — banning the company from engaging in these types of data transmissions.

“Our settlement with Healthline underscores that Californians have critical privacy rights under the CCPA to fight online surveillance — including by website publishers. Healthline shared data with third parties that could have revealed consumers’ private medical diagnoses, and while doing so, disregarded consumer’s rights to opt-out of the sale and sharing of this data,” said Attorney General Bonta. “California continues to lead the nation in enforcing our robust privacy protection law, and businesses that collect consumer data must honor consumers’ privacy rights. My office is committed to the continued enforcement of the CCPA — every Californian has the right to their online privacy.” 

Healthline.com is a health and wellness information website that is one of the top 40 most visited websites in the world. Healthline generates revenue by showing ads — some of which are personally targeted at the reader. To maximize ad revenue, Healthline allows online trackers, like cookies and pixels, to communicate data about readers to advertisers and other third parties. Healthline shared data that could uniquely identify the consumer, in addition to the title of the article they were reading. Some titles indicated that the reader may have already been diagnosed with a serious illness, such as “You’ve Been Newly Diagnosed with MS. What’s Next?” And because these online trackers run invisibly in the background in the first milliseconds when a webpage loads, consumers often have no idea how many online trackers might be running. In Healthline’s case, dozens of trackers were sharing consumer data with numerous third parties.

The complaint filed today alleges Healthline violated the CCPA and the Unfair Competition Law by:

• Failing to opt consumers out of the sharing of their personal information for targeted advertising. The CCPA gives consumers the right to opt-out of the sale or sharing of their personal information for certain targeted advertising. Businesses and website publishers must honor these requests, including requests submitted through the Global Privacy Control. Healthline continued to share data with some third parties involved in advertising, even for consumer who exercised their right to opt -out.  

• Violating the Purpose Limitation Principle. Under the CCPA, a business’s use of personal information is limited to the purposes for which the personal information was collected or processed or another disclosed, compatible purpose. Healthline violated this principle by sharing article titles suggesting a consumer may have already been diagnosed with a specific medical condition to target advertising at the consumer.   

• Failing to maintain CCPA-required contracts. Healthline had not ensured its advertising contracts contain privacy protections for readers’ data required by the CCPA. Instead, Healthline had assumed, but not verified, that the third parties had agreed to abide by an industry contractual framework. 

• Deceiving consumers about privacy practices. The Unfair Competition Law prohibits deceptive business practices. Healthline.com featured a “consent banner” that did not disable tracking cookies, despite purporting to do so if a consumer unchecked a box.   

Under the settlement today, Healthline is required to ensure that its opt-out mechanisms work correctly; must stop disclosing information that can link a specific consumer to a specific article title that suggests that consumers have been diagnosed with a disease; must maintain a CCPA compliance program that, among other things, mandates that Healthline audits its contracts for specific, required privacy terms or confirm that third parties have signed an industry contractual framework that includes those terms; and maintain accurate online disclosures and privacy policy. 

Today's settlement represents Attorney General Bonta's fourth enforcement action under the CCPA, and his continued priority to enforce California’s robust privacy laws:  

In June 2024, Attorney General Bonta and Los Angeles City Attorney Hydee Feldstein Soto announced a $500,000 settlement with Tilting Point Media LLC resolving allegations that the company violated the CCPA and federal law by collecting and sharing children’s data without parental consent in their popular mobile app game “SpongeBob: Krusty Cook-Off.”  In February 2024, Attorney General Bonta announced a settlement with DoorDash, resolving allegations that the company violated the CCPA and COPPA, by selling California customers’ personal information without providing notice or an opportunity to opt out of that sale.  In August 2022, the Attorney General announced a settlement with Sephora resolving allegations that it failed to disclose to consumers that it was selling their personal information and failed to process opt-out requests via user-enabled global privacy controls in violation of the CCPA. 

This March, as part of ongoing efforts to enforce the CCPA, Attorney General Bonta announced an investigative sweep into the location data industry, sending letters to advertising networks, mobile app providers, and data brokers that appear to be in violation of the CCPA. The risk posed by the widespread collection and sale of location data has become immediately and particularly relevant given federal threats to California's immigrant communities, and to reproductive and gender-affirming healthcare. Attorney General Bonta has previously conducted investigative sweeps related to streaming apps and devices and employee information.

For more information about the CCPA, visit oag.ca.gov/ccpa. To report a violation of the CCPA to the Attorney General, consumers can submit a complaint online at oag.ca.gov/report.

A copy of the complaint is available here, a copy of the settlement is available here. 

Ban would leave Americans unprotected from current AI-related harms

OAKLAND — California Attorney General Rob Bonta, as part of the Consortium of Privacy Regulators (Consortium), today sent a letter to U.S. Senate leaders urging lawmakers to remove a provision in the federal budget reconciliation bill that establishes a 10-year ban on states from enforcing any state law or regulation addressing artificial intelligence (AI) and automated decision-making systems. In the letter, the Consortium explains that the rapidly evolving nature of AI technology demands the flexibility and responsiveness that states can provide and asks lawmakers to remove the provision and ensure that states retain their essential role in protecting their residents from privacy harms. Last month, Attorney General Bonta joined a bipartisan coalition of 40 attorneys general in sending a similar letter voicing nationwide concern and opposition over the ban. 

“Leaders nationwide — across both sides of the aisle — are sounding the alarm: a ban on state AI regulation could rob millions of Americans of rights they already enjoy and end states’ ability to swiftly respond to emerging and evolving privacy challenges spurred by AI technology,” said Attorney General Bonta. “States are often on the front lines of developing strong privacy and technology protections for their residents — I urge lawmakers to remove the 10-year AI regulation ban provision on states and allow this important work to continue.”

AI systems affect nearly all aspects of everyday life. The promise of AI raises exciting and important possibilities. But, like any emerging technology, there are risks to adoption without responsible, appropriate, and thoughtful oversight. States have played a leading role in developing strong privacy and technology protections to address a wide range of harms associated with AI and automated decision-making. State privacy authorities are often the first to receive consumer complaints and identify problematic practices and have the proximity and agility to identify emerging threats and implement innovative solutions. In the letter, the Consortium explains that state privacy laws already address substantial privacy harms posed by AI, and provide consumers with transparency about how their personal information is used. The ban threatens these important protections, creating legal uncertainty, undermining years of regulatory development, and creating a regulatory vacuum that threatens the privacy rights of Americans nationwide. 

In April, Attorney General Bonta announced an agreement of formal collaboration between seven states and the California Privacy Protection Agency (CPPA) to promote collaboration and information sharing in the bipartisan effort to safeguard the privacy rights of consumers. Known as the Consortium of Privacy Regulators, the group regularly discusses developments in privacy law, shared priorities, and coordinates enforcement, as appropriate, based on the members’ common interest. 

In sending today’s letter, Attorney General Bonta joins the CCPA and the attorneys general of Connecticut, Delaware, New Jersey, Oregon, and Vermont. 

A copy of the letter can be found here.

Continues commitment to protecting Californians' privacy rights 

OAKLAND — California Attorney General Rob Bonta today announced an agreement of formal collaboration between seven states and the California Privacy Protection Agency (CPPA) to promote collaboration and information sharing in the bipartisan effort to safeguard the privacy rights of consumers. Known as the Consortium of Privacy Regulators, the group regularly discusses developments in privacy law, shared priorities, and coordinates enforcement, as appropriate, based on the members’ common interest. In forming the Consortium of Privacy Regulators, Attorney General Bonta joins the CPPA and the attorneys general of Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon.

“Data knows no borders — state and nationwide coordination is vital for protecting consumers’ rights, especially in our data-driven world,” said Attorney General Bonta. “Collaborating with partners across the country provides another tool in the toolbox for my office to tackle enforcement priorities and continue safeguarding the privacy rights of Californians.”

Privacy matters because when information or data falls into the wrong hands, it can harm people, businesses, and organizations, often financially. The risk of harm continues to grow as more consumers conduct essential tasks online, like banking, shopping, or managing medical care. Businesses that collect this personal information also create the risk of data breaches when they fail to safeguard it. Lapses in upholding privacy laws can threaten to disclose information like our financial condition, health status, and sensitive aspects of our personal lives. Anyone can become vulnerable.  

California’s Landmark Privacy Law: The CCPA

The California Consumer Privacy Act (CCPA) secures increased privacy rights for California consumers, such as the right to know how businesses collect, share, and disclose their personal information. Businesses that are subject to the CCPA have specific responsibilities, including responding to consumer requests to exercise these rights and giving consumers certain notices explaining their privacy practices. Under the CCPA’s right to opt-out, businesses that sell personal data or share personal information for targeted advertising must permit consumers the right to opt-out. Exercising this right should be easy and involve minimal steps.

Our Recent Work to Protect Californians' Privacy 

Attorney General Bonta is committed to educating California consumers about their right to privacy and enforcing the nation’s toughest data privacy law.  

Last month, Attorney General Bonta issued a consumer alert to customers of 23andMe, reminding Californians of their right to direct the deletion of their genetic data under the Genetic Information Privacy Act (GIPA) and the CCPA. Also last month, Attorney General Bonta announced an ongoing investigative sweep into the location data industry, which collect and share detailed data on consumers’ location. The risk posed by the widespread collection and sale of location data has become particularly relevant given federal threats to California's immigrant communities, and to reproductive and gender-affirming healthcare. In January, Attorney General Bonta reminded Californians of their right to stop or "opt-out" of the sale and sharing of their personal information under the CCPA.

Attorney General Bonta has filed three enforcement actions involving alleged violations of the CCPA: 

• In 2022, he announced a settlement with Sephora resolving allegations that it failed to disclose to consumers that it was selling their personal information and failed to process opt-out requests via user-enabled global privacy controls in violation of the CCPA.
• In 2023, he secured a settlement with DoorDash after it sold the personal information of its customers without providing notice or the opportunity to opt-out.
• In 2024, he worked with local partners to secure a settlement with video game developer Tilting Point Media for violating state and federal privacy laws by illegally collecting and sharing children's data.   

For more information about the CCPA, visit www.oag.ca.gov/ccpa. To report a violation of the CCPA to the Attorney General, consumers can submit a complaint online at www.oag.ca.gov/report.

SAN FRANCISCO — California Attorney General Rob Bonta today delivered remarks on California Department of Justice’s preparations to protect California’s values, people, and natural resources ahead of a second Trump Administration. To view a recording of the press conference, please visit here. 

Attorney General Bonta's Remarks as Prepared for Delivery:

As the reality of a second Trump Administration takes hold, I know there is a great deal of fear, sadness, anxiety, and panic. 

I understand. 

I’m here today to reassure you that in California, progress will prevail. 

No matter who is in the White House, no matter who holds control of Congress, in California we will keep moving forward. 

In California, we will choose calm over chaos. 

Fact over fiction.

Belonging over blame.

Unity over division. 

“Us and we” over “I and me.” 

It’s why we’re the 5th largest economy in the world. Not in spite of our commitment to workers, consumers, and the environment, because of it. 

Because we’re the largest and most diverse state in the nation.

Because we believe in the power of inclusivity.

Because we believe in truth over lies. Hope over hate. Light over dark.

Because  we believe in looking forward.

It’s who we are in the Golden State. It’s in our DNA. Nothing and no one can change that. 

As Attorney General, I’ll continue to use the full force of the law and authority of this office to address injustice. 

To stand up for all people, especially those who have long been overlooked and undervalued.

To safeguard reproductive rights. 

And advocate for more housing — especially more affordable housing for lower and middle-income families just trying to get by.

I’ll continue to take on greedy corporate giants and fight for more affordable gas, groceries, and everything in between.  

I’ll continue to defend our world-renowned natural resources and protect them for generations to come. 

Continue to fight for clean water to drink and clean air to breathe.

Continue to crack down on illicit guns on our streets and get fentanyl out of our neighborhoods. 

Continue to fight for workers.

I’ll continue to protect, defend, and serve every single Californian. No matter your politics. 

I’m here to ensure every person — no matter how they look, how much money they make, where they’re from, who they love, how they identify, or how they pray — can pursue their version of the California Dream. 

A fair wage and good benefits.  

A safe and affordable place to live.  

Affordable and accessible health care. 

Good schools to send our kids to. 

Safe neighborhoods to raise our families. 

That’s my promise to you, no matter who is in the White House.  

We’ve been here before.

We lived through Trump 1.0. 

We know what he’s capable of. 

We know what plans he has in store. 

The silver lining is just that: we know. 

We know to take Trump at his word when he says he’ll roll back environmental protections, go after our immigrant and LGBTQ+ communities, attack our civil rights, and restrict access to essential reproductive care.

Which means, we won’t be flat-footed come January.

You can be sure that as California Attorney General, if Trump attacks your rights: I’ll be there. 

If Trump comes after your freedoms: I’ll be there. 

If Trump jeopardizes your safety and well-being: I’ll be there.

California DOJ did it before and we’ll do it again.  

During the last Trump Administration, California DOJ fought to stop illegal rollbacks and proposals that would’ve harmed the well-being, health, safety, and civil rights of our people and of people across the country. 

That would have caused irrevocable damage to our environment.

No matter who is in charge of the federal government…

No matter what the incoming Administration has in store… California will remain the steadfast beacon of progress it has long been.  

A constant, unwavering, immoveable force to be reckoned with.  

We’ll continue to be a check on overreach and push back on abuse of power. 

Be the antidote to dangerous, extremist, hateful vitriol.

Be the blueprint of progress for the nation to look to.

Remember: in moments of chaos in D.C., you can always look to California for calm resolve. 

California leaders across the state are ready to stand arm-in-arm. 

Governor Newsom and every single Constitutional Officer;  

Senator Padilla and Senator-elect Schiff;  

Democratic members of Congress; 

Pro Tem McGuire, Speaker Rivas, and the California Legislature; 

Mayors, supervisors, and city councilmembers from San Francisco to San Diego are ready to fight for our California values. 

For our people. For our environment.

For progress and justice.

And as necessary, we’re ready to take on the challenges of a second Trump Administration — together.

While a great deal of change is on the horizon…

California’s path to progress remains full steam ahead.

It may not always be linear. Progress so rarely is. 

It zigs and zags. Takes frustrating detours. Inches forward and backward and forward again. 

The detours and setbacks don’t define our progress.

Our commitment to forward momentum defines our progress. Defines us. 

It’s what we do next that will define us. 

If you’re feeling despondent today, remember that you’re not alone. 

In California, we’re not looking back. We’re not moving back. 

We’re California! We’ll meet any challenges head on and rise to the occasion.

As is so often said, as California goes, so goes the nation.

In the days and months and years to come, all eyes will look west. 

In California, they’ll see: we’re still moving forward.

Thank you. 

Another important action to protect kids’ online data

OAKLAND — California Attorney General Rob Bonta, along with Los Angeles City Attorney Hydee Feldstein Soto, announced a $500,000 settlement with Tilting Point Media LLC (Tilting Point) resolving allegations that the company violated the California Consumer Privacy Act (CCPA) and the federal Children’s Online Privacy Protection Act (COPPA) by collecting and sharing children’s data without parental consent in their popular mobile app game “SpongeBob: Krusty Cook-Off.” In addition to $500,000 in civil penalties, Tilting Point must comply with injunctive terms ensuring legal data collection and disclosure, including obtaining parental consent and diligence in configuring third-party software in their mobile games.

“Businesses have a legal obligation to protect kids’ data and to comply with important state and federal privacy laws designed to protect children online. Failing to do this puts our kids at risk, leaving them vulnerable to having their personal data collected, tracked, and sold,” said Attorney General Bonta. “As children spend an increasing amount of time online, both on websites and using mobile apps, we will use every enforcement tool to ensure compliance with the law and that companies exercise diligence with privacy law requirements. I thank the Los Angeles City Attorney’s Office for their work on this issue and look forward to continuing to work collaboratively with local, state, and federal partners to protect children’s privacy.”

“The “SpongeBob: Krusty Cook-Off” game is based on some of the most beloved and recognizable characters in children’s entertainment. Tilting Point Media is alleged to have collected and shared its young players' personal data, violating consumer privacy laws and industry guidelines,” said Hydee Feldstein Soto, Los Angeles City Attorney. “Protecting our children has been a top priority for my administration. I am proud to partner with Attorney General Bonta to protect children throughout our State and am grateful to the lawyers in the Public Rights Branch in my office for initiating this action to stop data harvesting of minors.” 

“SpongeBob: Krusty Cook-Off” (SpongeBob) is a popular cooking simulation game that includes both targeted advertising and in-app purchases and is directed to children under the age of 13 as well as targeted to older teens and adults. The app was first investigated by the Children’s Advertising Review Unit (CARU), a division of the Better Business Bureau National Programs that investigates potential deceptive or inappropriate data collection from children online. CARU found that the privacy and advertising practices of the SpongeBob app failed to comply with COPPA and CARU’s industry guidelines. Although Tilting Point took some corrective action, a joint investigation by the California Department of Justice and Los Angeles City Attorney’s Office found that Tilting Point was in violation of the CCPA and COPPA in connection with how the mobile app handled children’s data. Tilting Point’s age screen did not ask age in a neutral manner, meaning children were not encouraged to enter their age correctly to be directed to a child-version of the game. Additionally, Tilting Point inadvertently misconfigured third-party software development kits (SDKs), resulting in the collection and sale of kids’ data without parental consent.

In addition to paying $500,000 in civil penalties, Tilting Point media must comply with strong injunctive terms. Tilting Point must:

• Comply with the CCPA and COPPA related to children’s data in the SpongeBob game and all of its games directed to children.
• Not sell or share the personal information of consumers less than 13 years old without parental consent, and not sell or share the personal information of consumers at least 13 and less than 16 years old without the consumer’s affirmative “opt-in” consent.
• In instances where Tilting Point sells or shares the personal information of children, provide a just-in-time notice explaining what information is collected, the purpose, if the information will be sold or shared, and link to the privacy policy explaining the parental or opt-in consent required.
• Use only neutral age screens that encourage children to enter their age accurately.
• Appropriately configure third-party SDKs to comply with legal requirements related to children’s data.
• Implement and maintain a SDK governance framework to review the use and configuration of SDKs within its apps.
• Comply with laws and best practices related to advertising to minors, and minimize data collection and use from children.
• Implement and maintain a program to assess and monitor its compliance with the judgment, including annual reports to the California Department of Justice and Los Angeles City Attorney’s Office.

COPPA AND CCPA

COPPA is a federal law that requires operators of websites and online services that are either directed to children under 13, or that have actual knowledge that they are collecting personal information from children under 13, to provide notice to parents and obtain parental consent before collecting, using, or disclosing personal information from children. The CCPA is a landmark state law that secures increased privacy rights for California consumers, including the right to know how businesses collect, share, and disclose their personal information and the right to opt-out of the sale or sharing of their personal information. The CCPA imposes on businesses specific responsibilities related to children’s data, including requiring parental consent before selling or sharing personal information from children under 13 years old, and obtaining the consumer’s affirmative opt-in consent for users at least 13 and under 16 years old.  

Attorney General Bonta is committed to enforcing both COPPA and the CCPA to improve children's online safety. Today's settlement represents Attorney General Bonta's third enforcement action under the CCPA, and his continued priority to protect children online:

• In March, Attorney General Bonta joined a bipartisan multistate letter to the Federal Trade Commission proposing updates to regulations implementing COPPA and advocating for further clarity and specification for proposed rules. 
• In February, Attorney General Bonta announced a settlement with DoorDash, resolving allegations that the company violated the CCPA and COPPA, by selling California customers’ personal information without providing notice or an opportunity to opt out of that sale. 
• In January, Attorney General Bonta, Assemblymember Buffy Wicks, and Senator Nancy Skinner introduced the California Children’s Data Privacy Act (AB 1949), and the Protecting Our Kids from Social Media Addiction Act (SB 976), landmark legislation seeking to protect youth online. These two bills would, respectively, limit the harms associated with social media addiction and provide more robust protections for kids’ data privacy.
• In October 2023, Attorney General Bonta co-led a bipartisan coalition of 33 attorneys general in filing a federal lawsuit against Meta Platforms, alleging among other things, that Meta designed and deployed harmful features on Instagram and Facebook that addict children and teens to their mental and physical detriment. The lawsuit alleges that Meta violated federal and state laws, including COPPA, California's False Advertising Law, and California’s Unfair Competition Law.
• In 2022, Attorney General Bonta announced a settlement with Sephora, resolving allegations that the company violated the CCPA by failing to disclose to consumers that it was selling their personal information, and failing to process user requests to opt out of these sales. 

A copy of the complaint and the final judgment can be found here and here.

Rapidly changing technology requires responsive, flexible state privacy policy

OAKLAND — California Attorney General Rob Bonta today led a multistate coalition of 15 attorneys general urging congressional leaders to remove preemption language in the current draft of the American Privacy Rights Act (APRA), a proposed federal data privacy bill. The preemption clause currently in the APRA would result in California’s landmark privacy law being replaced with weaker protections and would hamper the ability of California to adequately protect the privacy of its citizens in the future. In today’s letter, Attorney General Bonta and colleagues from across the country call on Congress to set a floor and not a ceiling with any federal privacy law, and to respect additional protections states provide or would provide in future state-level legislation.

“Federal action to protect Americans' privacy is essential, but not at the expense of the robust protections already in place in California and in states across the country. California is at the forefront of privacy protections and must retain the ability to respond to privacy concerns as tech rapidly innovates,” said Attorney General Bonta. “We urge Congress not to undercut the important protections that states have established; states must be able to protect their residents from evolving privacy threats.”

With the first comprehensive privacy law in the country, California has the strongest protections in the nation. Californians currently have robust protections and rights to manage and control the use of their data through the California Consumer Privacy Act and other state laws. Since California passed the first comprehensive privacy law in 2018, numerous states have followed suit. States play a critical role in flexibly adapting to real-world circumstances and have set minimum data privacy standards that have driven innovation, including in the adoption of the global privacy control, and have not impeded business or technology. 

In the letter, the attorneys general highlight the importance of current and future state privacy protections, and ask that any federal privacy framework leave room for states to legislate responsively to changes in technology and data collection practices, as states are better equipped to quickly adjust to the challenges presented by technological innovation that may elude federal oversight. As Congress considers adopting APRA, the coalition urges changes to the proposed law — the APRA in its current form would impair some existing state protections and hamper state efforts to keep up with and adapt laws to changing technology.

In sending today's letter, Attorney General Bonta was joined by the attorneys general of Connecticut, Delaware, Hawaii, Illinois, Maine, Massachusetts, Maryland, Minnesota, Nevada, New York, Oregon, Pennsylvania, Vermont, and the District of Columbia.   

Attorney General Bonta is committed to protecting the privacy rights of Californians:  

• Last month, Attorney General Bonta and California Governor Gavin Newsom sent a letter to Congress urging congressional leaders to not include preemption language in the APRA.
• Last year, Governor Gavin Newsom, Attorney General Bonta, and the California Privacy Protection Agency (CPPA) sent a joint letter to Congress opposing preemption language in similar proposed legislation.
• In March, Attorney General Bonta joined a bipartisan multistate letter to the Federal Trade Commission expressing support for updates to the Children’s Online Privacy Protection Act and advocating for further clarity for proposed rules.
• In February Attorney General Bonta announced a settlement with DoorDash, resolving allegations that the company violated the CCPA and the California Online Privacy Protection Act (CalOPPA) by selling its California customers’ personal information without providing notice or an opportunity to opt out of that sale.
• In January, Attorney General Bonta, Assemblymember Buffy Wicks, and Senator Nancy Skinner introduced the California Children’s Data Privacy Act (AB 1949 Wicks), and the Protecting Our Kids from Social Media Addiction Act (SB 976 Skinner), landmark legislation seeking to protect youth online. These two bills would, respectively, limit the harms associated with social media addiction and provide more robust protections for kids’ data privacy.
• Earlier this year, as part of ongoing efforts to enforce the CCPA, Attorney General Bonta announced an investigative sweep, and sent letters to businesses with popular streaming apps and devices, alleging that they fail to comply with the CCPA. The sweep focused on the compliance of streaming services with CCPA’s opt-out requirements for businesses that sell or share consumer personal information, including those that do not offer an easy mechanism for consumers who want to stop the sale of their data.  
• In September 2023, Attorney General Bonta announced a $93 million settlement with Google resolving allegations that its location-privacy practices violated California consumer protection laws.

A copy of the letter can be found here. 

OAKLAND — California Attorney General Rob Bonta today issued a consumer alert with tips on filing and preparing taxes safely. As Tax Day approaches, many Californians may seek out assistance with filing their state and federal tax returns. To avoid falling victim to a tax-related scam, Attorney General Bonta advises Californians to file early, take actions to protect themselves online, and learn about free or low-cost tax filing opportunities. Through the IRS Direct File pilot program, eligible California taxpayers can file their 2023 federal taxes directly with the IRS for free.

“For working families, tax season serves as a long-awaited opportunity to get ahead on bills, make needed home repairs, or finally start planning a vacation,” said Attorney General Bonta. “This Tax Season, we want to make sure Californians don’t fall victim to tax-related fraud or scams. I encourage Californians to review our website for tools, tips, and resources to make filing taxes easier and safer at oag.ca.gov/consumers. And if you believe you are the victim of a tax-related scam, report it at oag.ca.gov/report.”

How to Protect Yourself from Tax Scams:

• File early — You are less vulnerable to scammers if you file early and have your refund in hand. Avoid putting yourself at risk of being the next victim and file your taxes as early as possible. 

• Hang up the phone! — IRS and FTB will only call a person who owes taxes if they have tried to contact you by mail. Legitimate IRS and FTB agents will not threaten jail time or seek payment over the phone or through a wire transfer. Consumers should not make any payments and should contact the agency directly by looking up government contact information online. Calls impersonating the IRS should be reported to the Treasury Inspector General for Tax Administration (TIGTA). Those impersonating the FTB should be reported here.  

• Do NOT open the email — Never open an email or text message that says it is from the IRS or the FTB. The IRS and FTB do not use email, text message, or social media to request personal or financial information or to send notice regarding audits or refunds. Replying to the email, opening attachments, or clicking on links may enable scammers to collect your personal information or infect your computer with viruses or other malware.

• Think beyond the password — For greater security, get an Identity Protection PIN (IP PIN) for your e-filing account with the IRS. A new PIN is provided each year by the IRS. 

• Use two-step authentication — Check on the availability of two-step authentication to protect your tax filing accounts (and other online accounts containing sensitive information, such as your email and social media accounts). Two-step authentication adds a second factor, such as a one-time use code that is sent to you by email, phone, or text. You enter that code, along with your username and password, to get access to your account.

Tax Preparation Resources:

You may qualify for free help! Many consumers turn to third-party tax preparation services for help filing their tax returns. Attorney General Bonta encourages consumers to find out if they qualify for free tax help.

• IRS Direct File pilot program — Using the first-of-its-kind pilot program, eligible California taxpayers can file their 2023 federal taxes directly with the IRS for free. To see if you qualify for this program, check here.

• FTB CalFile — The FTB’s CalFile program allows qualified individuals to quickly e-file their state tax return directly to the FTB, free of charge. To see if you qualify, check here.  

• VITA/TCE — The IRS Volunteer Income Tax Assistance program provides free tax help to people who make $64,000 or less annually, persons with disabilities, and people who do not understand English well. The Tax Counseling for the Elderly program offers free tax help for all taxpayers, particularly those over 60, specializing in questions about pensions and retirement-related issues. More information on these programs is available here.

Quick Tip! You may qualify for cash back or a reduction of the tax you owe under the Earned Income Tax Credit and the California Earned Income Tax Credit programs. Check to see if you qualify for one or both!

Need more time to prepare? You can also use IRS Free File to electronically request an automatic tax-filing extension, regardless of your income. You will then have until October 15 to file a return. More information on how to request an extension can be found on the IRS website.

Find a reputable tax preparer. Make sure your tax preparer is reputable and qualified to provide tax services. In California, only an attorney, certified public accountant (CPA), IRS-enrolled agent, or registered-tax preparer can prepare tax returns for a fee. To confirm whether a tax preparer is registered with the IRS, check here. 

If you believe you have been the victim of a tax-related scam or other misconduct, you can file a complaint with our office at oag.ca.gov/report or with the IRS. 

To learn about how to protect yourself and your loved ones against fraud, visit our website at oag.ca.gov/consumers.

Updates to COPPA need to go further to protect children’s online data 

OAKLAND — California Attorney General Rob Bonta today, in response to the Federal Trade Comission's (FTC) notice of proposed rulemaking, joined a bipartisan multistate letter to the FTC proposing updates to regulations implementing the Children’s Online Privacy Protection Act (COPPA). In the letter, the attorneys general express support for updates to COPPA and advocate for further clarity and specification for proposed rules.

“The Federal Trade Commission’s proposed rule would strengthen our ability to enforce restrictions on companies selling children’s data and protect consumers who seek to manage what information websites can collect from kids,” said Attorney General Bonta. “Together with a broad bipartisan coalition from across the country, I support this effort and look forward to working collaboratively with the FTC to keep protecting children’s privacy.”

COPPA requires operators of websites and online services that are either directed to children under 13, or that have actual knowledge that they are collecting personal information from children under 13, to provide notice to parents and obtain parental consent before collecting, using, or disclosing personal information from children. 

The proposed rule would update COPPA by:

• Requiring separate “opt-in” consent for targeted advertising: The proposed new rule would require separate notice and parental consent before an operator can disclose children’s information to third parties, including third-party advertisers.
• Clarifying the “mixed audience” category:  There currently is ambiguity about when child-directed websites must provide COPPA protections to all users and when they may screen users for age and only provide COPPA protections to users who self-identify as under 13 years old. The FTC proposes to clarify this distinction by providing a new definition of “mixed audience."
• Adding “biometric identifiers” to the definition of “personal information”: The FTC proposes to expand the definition of “personal information” under COPPA to include biometric identifiers, like fingerprints or handprints, retina and iris patterns, genetic data, or data derived from voice, gait, or facial data.
• Limits on the “support for the internal operations” exception: Operators may currently collect persistent identifiers without first obtaining parental consent under an exception that permits “support for the internal operations of the website or online service.” The FTC proposes adding new requirements and disclosures for operators who rely on this exception.
• New limits on nudging kids to stay online: The FTC proposes adding new limitations on operators’ use of personal information to prompt or encourage children to use their service more.
• COPPA and schools: The FTC seeks to permit schools and school districts to provide consent for the collection, use, and disclosure of children’s personal information, but limit that consent to use for educational rather than commercial purposes.
• Data security, retention, and deletion: The FTC proposes strengthening data security, retention, and deletion requirements. For example, the FTC proposes requiring disclosure of data retention policies, and prohibiting operators from using retained information for any secondary purpose.

In the letter, the attorneys general support proposed updates to the COPPA Rule and respond to certain issues raised by the FTC, including how to define “personal information” as it relates to children and how to obtain parental consent to use children’s personal information in connection with advertising. The letter also advocates for limiting potential exemptions being considered by the FTC and addresses proposals regarding limitations on the use of personal information in ways that could be harmful to children, such as nudging kids to stay online longer.

Attorney General Bonta is committed to protecting children online. In October 2023, Attorney General Bonta co-led a bipartisan coalition of 33 attorneys general in filing a federal lawsuit against Meta Platforms, alleging that Meta, among other things, designed and deployed harmful features on Instagram and Facebook that addict children and teens to their mental and physical detriment. In November 2023, Attorney General Bonta announced the public release of a largely unredacted copy of the federal complaint against Meta. The removal of the redactions provides additional context for the misconduct that the attorneys general allege.

In March 2023, Attorney General Bonta as part of a bipartisan multistate coalition, filed an amicus brief supporting efforts to compel TikTok to produce subpoenaed materials and evidence as part of ongoing nationwide investigations into the company’s role in the growing youth mental health crisis. In December 2023, Attorney General Bonta joined a multistate amicus brief in Murthy v. Missouri supporting the right of the federal government to communicate with social media companies about matters of public concern. In January 2024, Attorney General Rob Bonta, Senator Nancy Skinner, and Assemblymember Buffy Wicks introduced the Protecting Youth from Social Media Addiction Act (SB 976), and the California Children’s Data Privacy Act (AB 1949), landmark legislation seeking to protect youth online.

In submitting today’s letter, Attorney General Bonta is joined by the attorneys general of Oregon, Illinois, Mississippi, Tennessee, Colorado, Connecticut, Massachusetts, New Jersey, North Carolina, Alabama, Alaska, Arizona, Arkansas, Delaware, District of Columbia, Florida, Georgia, Hawaii, Indiana, Kentucky, Maine, Maryland, Michigan, Minnesota, Nebraska, Nevada, New Hampshire, New Mexico, New York, Ohio, Oklahoma, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, South Dakota, Utah, Vermont, U.S. Virgin Islands, Virginia, Washington, and Wisconsin.

A copy of the multistate letter is available here.