Recent Enforcement Actions Under the California Consumer Data Privacy Statutes

by John DiGiacomo

Partner

Internet Law

In 2018, California became the first State in the United States to enact a consumer data privacy statute. The statute became effective on June 1, 2020. The California statute has been amended and expanded a couple of times since being passed and is deemed one of the strongest and most protective consumer data privacy statutes. As of mid-2024, another seventeen (17) States have passed their own versions of consumer data privacy statutes using the California version as a model and template.

In all such statutes, enforcement powers are granted to the various Attorneys General Offices. That is, none of the consumer data protection statutes provides a private right of action where consumers can sue businesses directly for violating their consumer data privacy rights. Consumer privacy advocates lament this, of course, but they have been unable to convince lawmakers to allow a private right of action.

Since California was the first State to enact a consumer data privacy statute, it is useful to look at some recent enforcement actions undertaken by the California Attorney General. Based on announcements, the California Attorney General has only settled two large enforcement actions since June 1, 2020. The most recent was a settlement with DoorDash in February 2024. In that action, DoorDash was confirmed to have joined a “marketing cooperative” that exchanged consumer personal data, allowing the businesses to advertise to each other’s customers. The exchanged data included information like names and home addresses. The California Attorney General specifically held that this “exchange” of personal data “counted” as a “sale” of personal data. As such, under California’s consumer data protection statutes, DoorDash and the other participants were obligated to provide notices to consumers and obtain various consents for the sharing of their data. DoorDash clearly did not do this. According to the announced settlement, DoorDash will pay a $375,000 civil penalty and be subject to injunctions requiring it to conform explicitly with the requirements of the California consumer data privacy statutes, review and modify contracts with marketing and analytics vendors, use technology to evaluate if it is selling or sharing consumer personal information in violation of the laws, and provide annual reports to the California Attorney General.

The other enforcement action that was settled involved Sephora, Inc., an online retailer. This enforcement action was settled in August 2022. In that enforcement action, Sephora was shown to have failed to disclose to consumers that it was selling their personal information, failed to process opt-out requests made via user-enabled “global privacy controls” and failed to cure its violations. Under California data privacy laws, consumers can exercise their opt-out choices through various types of “global privacy controls” like browser and app settings. Sephora did not acknowledge those choices and, for that and other reasons, was held to be violating California’s consumer data privacy statutes. Sephora agreed to pay $1.2 million to settle the action and also agreed to comply with various injunctive mandates.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
