CCPA Enforcement Case Examples

The Office of the Attorney General (OAG) is responsible for enforcing the CCPA. The OAG began sending notices of alleged noncompliance to companies on July 1, 2020, the first day CCPA enforcement began. Once a company is notified of alleged noncompliance, it has 30 days to cure that noncompliance. This may require more than just starting to comply with the law. Overall, curative actions have strengthened consumers’ privacy protections.

As a law enforcement agency, the OAG does not generally release information to the public about its investigations. The OAG provides the information below as illustrative examples of situations in which it sent a notice of alleged noncompliance and steps taken by each company in response. Please note that the information below does not include all the facts of each situation and does not constitute legal advice.

Marketing Company Clarified Status as Service Provider
Industry: Online Marketing Services
Issue: Notice to Consumers

An email marketing company collects consumers’ personal information through emails submitted on its customers’ behalf. The company did not provide the required notices to consumers or methods to submit consumer requests. After being notified of alleged noncompliance, the company provided evidence that it acted as a service provider on behalf of its customers when it processed consumers’ personal information. The company confirmed that personal information obtained and processed for one customer was not used to provide services to another customer. The company also updated its terms of service to clarify its obligations as a service provider under the CCPA.
Social Media Network Updated Service Provider Contracts
Industry: Social Media Network
Issue: Non-Compliant Service Provider Contracts

A business that operates a social media network did not contractually prohibit its service providers from retaining, using, or disclosing personal information received for any purpose other than performing the services specified in the contracts. After being notified of alleged noncompliance, the business modified its service provider contracts by adding CCPA-specific addendums.
Online Event Sales Company Updated Privacy Policy and Added Request Methods
Industry: Online Event Sales
Issue: Non-Compliant Privacy Policy; Lack of Request Methods

A business that sells classes and admission to activities directed at children posted a privacy policy that did not provide notice of the required CCPA consumer rights, including the right to know, delete, and to not be discriminated against, or disclose the request methods established for consumers to exercise their CCPA rights. The business also did not explicitly state whether or not it had sold personal information or transferred personal information for a business purpose in the past 12 months. After being notified of alleged noncompliance, the business updated its privacy policy to include the required CCPA rights, implemented two request methods, listed the personal information it transferred for a business purpose, and affirmatively stated that it did not sell personal information.

Online Dating Platform Added Do Not Sell My Personal Information Link and Sales Disclosures
Industry: Online Dating
Issue: No “Do Not Sell My Personal Information” Link; Non-Compliant Privacy Policy

A business that provides an online dating platform and sold personal information did not have a “Do Not Sell My Personal Information” link on its homepage and did not have adequate disclosures about what personal information it sold in its privacy policy. The business also disclosed that a user clicking an “accept sharing” button when creating a new account was sufficient to establish blanket consent to sell personal information. After being notified of alleged noncompliance, the business added a clear and conspicuous “Do Not Sell My Personal Information” link and updated its privacy policy with compliant sales disclosures.
Online AdTech Service Provider/Business Corrected Privacy Policy and CCPA Request Methods
Industry: Online Advertising
Issue: Non-Compliant Privacy Policy; Non-Compliant Service Provider Contracts

A company connects streaming services and various cable channels to advertisers that want to buy targeted ad space on those outlets. The company’s privacy policy was non-compliant with the CCPA because although it was primarily a service provider, it was also a business in some contexts. Moreover, its service provider contracts did not contain the necessary restrictions on the use of processed personal information. After being notified of alleged noncompliance, the company modified its privacy policy, including by clarifying that it did not sell personal information and providing an accessible means for consumers to submit CCPA requests. The company also refined its CCPA request method instructions and updated its service provider contracts to be compliant with the CCPA.
Online Social Media App Implemented New System to Respond to CCPA Requests in Timely Manner
Industry: Social Media
Issue: Untimely Responses to CCPA Requests

A business that operates a social media app was not timely responding to CCPA requests to know and delete personal information, and users complained that they were not receiving notice that their CCPA requests had been received or effectuated. After being notified of alleged noncompliance, the business responded to the outstanding requests. The business also updated its CCPA response system to ensure that future requests would be acknowledged and responded to in a timely manner.
Children’s Toys Distribution Company Updated Privacy Policy
Industry: Children’s Toys Distribution
Issue: Non-Compliant Privacy Policy; Lack of Request Methods; Charging Fees for CCPA Requests

A business that distributes children’s toys did not provide notice of the required CCPA consumer rights, did not include the methods for consumers to exercise their CCPA rights to request to know and delete, did not list the categories of personal information it disclosed, and did not state whether or not it had sold personal information in the past 12 months. The business also claimed in its privacy policy that it could charge a fee for processing a consumer’s request to know. After being notified of alleged noncompliance, the business updated its privacy policy to address these issues.
Grocery Chain’s Loyalty Program Required Posting A Notice of Financial Incentive
Industry: Grocery Retailer
Issue: No Notice of Financial Incentive

A business that operates a chain of grocery stores required consumers to provide personal information in exchange for participation in its company loyalty programs. The company did not provide a Notice of Financial Incentive to consumers participating in these loyalty programs. After being notified of alleged noncompliance, the company amended its privacy policy to include a Notice of Financial Incentive.
Online Classified Advertisements Company Updated Privacy Policy
Industry: Online Platform
Issue: Non-Compliant Privacy Policy

A business that operates an online classified advertisement platform did not provide notice of the required CCPA consumer rights, including the right to know, delete, and to not be discriminated against. The business also did not explicitly state whether or not it had sold personal information or transferred personal information for a business purpose in the past 12 months. After being notified of alleged noncompliance, the business updated its privacy policy to include the required notice of CCPA rights, identify the categories of personal information that it transfers to others for a business purpose, and affirmatively state that it did not sell personal information. However, the updated privacy policy was not easy to read or understandable to the average consumer, e.g., contained unnecessary legal jargon. The business received a second notice that the updated privacy policy did not comply with the CCPA regulations. In response, the business significantly revised its privacy policy to address these concerns.
Media Conglomerate Updated Opt-Out Process and Notices
Industry: Mass Media and Entertainment
Issue: Non-Compliant Opt-Out Process; Notices to Consumers

A mass media and entertainment business did not provide consumers with any methods to opt-out of the business’s sale of their personal information. The business only directed consumers to a third-party trade association’s tool designed to manage online advertising. The business’s privacy policy and notice of right to opt-out also did not include required information about how consumers or their agents could exercise their opt-out rights. The business also did not have a notice at collection and lacked a “Do Not Sell My Personal Information” link on several of its digital properties. After being notified of alleged noncompliance, the business updated its opt-out process, privacy policy, and notices to address these issues, and added the “Do Not Sell My Personal Information” link to all of its digital properties.
Data Broker Updated Opt-Out Method
Industry: Location Data
Issue: Non-Compliant Opt-Out Process

A location data broker’s opt-out process directed consumers to their mobile device settings to effectuate their opt-out choices. The business also provided a webform to allow consumers to opt-out of the business’s data collection but it did not state whether the webform would also opt consumers out of the sale of their personal information. After being notified of alleged noncompliance, the business updated its opt-out webpage to more prominently feature the webform and clarified that its webform would allow consumers to fully effectuate their CCPA opt-out rights. The business also clarified that adjusting mobile device settings would limit future tracking, but would not effectuate a CCPA opt-out request.
Automotive Business Implemented In-Person Notice at Collection, Updated Privacy Policy, and Fixed Defective Request Methods
Industry: Automotive
Issue: Notices to Consumers; Non-Compliant Privacy Policy; Lack of Toll-Free Number; Defective Methods to Submit Requests

An automotive company collected information from consumers who test drove vehicles at the business, but it failed to provide a notice at collection. The business’s privacy policy also failed to include a description of CCPA rights or instructions regarding how authorized agents can submit requests. The business also failed to provide a toll-free number for consumers making CCPA requests, and directed consumers to an online method for submitting requests to know and delete that was non-functional. After being notified of alleged noncompliance, the business implemented a notice at collection for personal information received in connection with test drives, whether collected online or in-person. The business also updated its privacy policy to include the required disclosures regarding consumers’ CCPA rights and list a toll-free phone number, and fixed its defective online methods for submitting CCPA requests.
Pet Industry Website Updated its Opt-Out Webform for Consumers to Opt Out of All Sales of Personal Information
Industry: Pet Industry
Issue: Authorized Agent; Sales of Personal Information

A business that operates an online pet adoption platform required a consumer’s authorized agent to submit a notarized verification when invoking CCPA rights. The business’s disclosures regarding its sale of data were also confusing, and the business did not appear to provide a mechanism for consumers to opt-out of the sale of their personal information. The business also made consumers take additional steps to opt-out by directing consumers to a third-party trade association’s tool designed to manage online advertising. After being notified of alleged noncompliance, the business removed the notarization requirement for agents, added a “Do Not Sell My Personal Information” link, and updated its opt-out webform to allow consumers to fully opt-out of the sale of personal information, including personal information that was exchanged for targeted advertising.
Grocery Chain Updated Disclosures to Describe How Consumers May Submit Requests by Authorized Agents
Industry: Grocery Retailer
Issue: Authorized Agent; Non-Compliant Privacy Policy

A business that operates a chain of grocery stores did not include information about how authorized agents may submit CCPA requests on behalf of consumers, in addition to other omissions in its privacy policy. After receiving notice of these apparent violations from both members of the public and our office, the business updated its privacy policy to explain how agents can submit CCPA requests on behalf of consumers, as well as the business’s requirements for verifying such requests.
Mobile App Game Stopped Selling Personal Information and Updated Protections for Minors
Industry: Online Gaming
Issue: Sales of Personal Information; Sales of Minors’ Personal Information

A business that operates a mobile app game installed software from a third-party mobile advertising platform that made available the personal information of its players, including minors aged 13 to 15 years old. The business did not provide an opt-out mechanism to adults or obtain an opt-in for minors. After being notified of alleged noncompliance, the business removed the ad software and instituted other privacy protections directed at younger users, including age-gating and parental verification features.
Social Media Company Stopped Selling Personal Information and Updated Privacy Policy
Industry: Social Media Platform
Issue: Notices to Consumers; Sales of Personal Information

A business that launched a social media platform and advertised itself as being pro-privacy failed to inform consumers about their CCPA rights. The business also exchanged personal information about users’ online activities with various third-party analytics providers but did not post the required notices or provide consumers with methods to opt-out of the sale of personal information. After being notified of alleged noncompliance, the company updated its privacy policy and removed all third-party trackers from its app and website.
Manufacturer and Retailer Stopped Selling Personal Information
Industry: Consumer Electronics
Issue: Sales of Personal Information

A business that sells electronics maintained third-party online trackers on its retail website that shared data with advertisers about consumers’ online shopping. The business neither imposed a service provider contractual relationship on these third parties, nor processed consumers’ requests to opt-out that were submitted via a user-enabled global privacy control, e.g., a browser extension that signaled the GPC. After being notified of alleged noncompliance, the company worked with its privacy vendor to effectuate consumer opt-out requests and avoid sharing personal information with third parties under conditions that amounted to a sale in violation of the CCPA.
Media Conglomerate Updated Opt-Out Method and Added DNSMPI Links
Industry: Digital Media
Issue: Non-Compliant Opt-Out Process; Lack of Request Methods

A business that is a media conglomerate required consumers to submit multiple, separate requests to opt-out of the sale of their personal information on each website in its portfolio. The business also did not have the “Do Not Sell My Personal Information” link on several of its digital properties. After being notified of alleged noncompliance, the business updated its opt-out process to streamline opt-out requests and added the “Do Not Sell My Personal Information” link to all of its digital properties.
National Grocery Chain Updated Privacy Policy and Added Request Methods
Industry: Grocery Retailer
Issue: Non-Compliant Privacy Policy

A business that operates a chain of grocery stores failed to disclose information about its collection and use of consumer personal information in a privacy policy, failed to provide notice of consumers’ CCPA rights, including the right to know, delete, and to not be discriminated against, and did not inform consumers of how to submit requests to know, delete, and opt-out of the sale of personal information. After being notified of alleged noncompliance, the business posted a privacy policy that provided the information required by the CCPA, implemented processes by which consumers can submit CCPA requests, and affirmatively stated that it did not sell personal information.
Email Newsletters Platform Updated Privacy Policy and Added Request Methods
Industry: Email Subscription Platform
Issue: Non-Compliant Privacy Policy

A platform for subscription-based email newsletters had a non-compliant privacy policy because it did not provide notice of the required CCPA consumer rights, including the right to know, delete, and to not be discriminated against, and did not adequately inform consumers of how to submit requests to know and delete. The business also did not explicitly state whether or not it had sold personal information or transferred personal information for a business purpose in the past 12 months. After being notified of alleged noncompliance, the business updated its privacy policy to include the required CCPA rights, listed the personal information it transferred for a business purpose, specified how to submit CCPA requests, and affirmatively stated that it did not sell personal information.
Online Event Sales Company Updated Privacy Policy and Added Request Methods
Industry: Online Event Sales
Issue: Non-Compliant Privacy Policy; Lack of Request Methods

An online business that sells tickets to events had a non-compliant privacy policy that did not provide notice of the required CCPA consumer rights, including the right to know, delete, and to not be discriminated against. The privacy policy also failed to tell consumers how they could exercise their CCPA rights, and the business failed to disclose whether or not it had sold or disclosed personal information for a business purpose in the past 12 months. After being notified of alleged noncompliance, the business updated its privacy policy to include the required information. It also confirmed that it did not sell personal information.
Digital Partner Clarified Its Own Obligations
Industry: Digital Experiences Partnerships
Issue: Non-Compliant Privacy Policy; Notices to Consumers; No “Do Not Sell My Personal Information” Link

A company that partners with major corporations on digital strategies did not satisfy its own obligations under the CCPA. The business’s privacy policy did not tell consumers about their rights under the CCPA and did not provide adequate notice on how personal information was collected, used, or sold. The business also did not offer a way for consumers to make requests over the telephone or on the company’s website. After being notified of alleged noncompliance, the business updated and clarified its privacy policy to address CCPA-specific rights and notices. The business now also offers a “Do Not Sell My Personal Information” link, email address, and telephone number for consumers to submit relevant requests.
Data Broker Updated DNSMPI Link, Stopped Requiring Verified Opt-Out Requests and Account Creation for Verified Requests
Industry: Data Broker
Issue: No “Do Not Sell My Personal Information” Link; Verification; Account Creation for Verification

A data broker posted a “Do Not Sell My Personal Information” link that did not work. The business also required verification – in the form of copies of government identification and a bill showing the consumer’s address – before honoring requests to opt-out of the sale of personal information. The data broker also required consumers to create an account in order to make a verifiable consumer request. After being notified of alleged noncompliance, the business updated its “Do Not Sell My Personal Information” link, no longer requires that consumers be verified to opt-out of the sale of personal information, and no longer requires customers to create an account in order to make a CCPA request.
Video Game Distribution Company Updated Privacy Policy
Industry: Video Game Distribution
Issue: Non-Compliant Privacy Policy

A video game distribution company had a non-compliant privacy policy that did not provide notice of the required CCPA consumer rights, did not list the categories of personal information it disclosed, and did not state whether or not it had sold personal information in the past 12 months. The privacy policy also gave incorrect instructions for how consumers could exercise their CCPA rights to request to know and delete. After being notified of the alleged noncompliance, the business updated its privacy policy to address these issues.
Education Technology Company Updated Privacy Policy and Added DNSMPI Link
Industry: Education Technology
Issue: Non-Compliant Privacy Policy; Lack of Request Methods; No “Do Not Sell My Personal Information” Link

An education technology company providing online learning platforms for schools, higher education, and businesses had a non-compliant privacy policy because it did not (1) provide notice of the required CCPA consumer rights including the right to know, delete, and to not be discriminated against for exercising CCPA rights; (2) include the methods for consumers to exercise their CCPA rights to request to know and delete; and (3) list the categories of personal information it disclosed or sold in the past 12 months. The business also did not have the “Do Not Sell My Personal Information” link on its internet homepage. After being notified of alleged noncompliance, the business updated its privacy policy to address these areas and added the “Do Not Sell My Personal Information” link to its homepage.
Clothing Retailer Updated Privacy Policy and Added Request Methods
Industry: Online Clothing Retailer
Issue: Non-Compliant Privacy Policy

An online clothing retailer had a non-compliant privacy policy because it did not provide notice of the required CCPA consumer rights, including the right to know, delete, and to not be discriminated against, and did not inform consumers of how to submit requests to know and delete. The business also did not explicitly state whether or not it had sold personal information or transferred personal information for a business purpose in the past 12 months. After being notified of alleged noncompliance, the business updated its privacy policy to include the required CCPA rights, listed the personal information it transferred for a business purpose, specified how to submit CCPA requests, and affirmatively stated that it did not sell personal information.
Data Broker Added DNSMPI Link
Industry: Database/Directory Sales
Issue: Lack of Request Methods

A consumer advocacy organization published a report finding that a data broker that sells professional contact directories, which included consumer personal information, did not post a “Do Not Sell My Personal Information” link on its homepage. Publication of the report provided notice of CCPA non-compliance to the business, in addition to a notice provided by the Attorney General’s Office. The business responded by adding a “Do Not Sell My Personal Information” link to its homepage.