Recent Enforcement Actions Under the California Consumer Data Privacy Statutes featured image

Recent Enforcement Actions Under the California Consumer Data Privacy Statutes

by John DiGiacomo

Partner

Internet Law

In 2018, California became the first State in the United States to enact a consumer data privacy statute. The statute became effective on June 1, 2020. The California statute has been amended and expanded a couple of times since being passed and is deemed one of the strongest and most protective consumer data privacy statutes. As of mid-2024, another seventeen (17) States have passed their own versions of consumer data privacy statutes using the California version as a model and template.

In all such statutes, enforcement powers are granted to the various Attorneys General Offices. That is, none of the consumer data protection statutes provide a private right to action where consumers can sue businesses directly for violating their consumer data privacy rights. Consumer privacy advocates lament this, of course, but they have been unable to convince lawmakers to allow a private right of action.

Since California was the first State to enact a consumer data privacy statute, it is useful to look at some recent enforcement actions undertaken by the California Attorney General. Based on announcements, the California Attorney General has only settled two large enforcement actions since June 1, 2020. The most recent was a settlement with DoorDash in February 2024. In that action, DoorDash was confirmed to have joined a “marketing cooperative” that exchanged consumer personal data allowing the businesses to advertise to each others’ customers. The exchanged data included information like names and home addresses. The California Attorney General specifically held that this “exchange” of personal data “counted” as a “sale” of personal data. As such, under California’s consumer data protection statutes, DoorDash and the other participants were obligated to provide notices to consumers and obtain various consents for the sharing of their data. DoorDash clearly did not do this. According to the announced settlement, DoorDash will pay a $375,000 civil penalty and be subject to injunctions requiring it to conform explicitly with the requirements of the California consumer data privacy statutes, review and modify contracts with marketing and analytics vendors, use technology to evaluate if it is selling or sharing consumer personal information in violation of the laws and provide annual reports to the California Attorney General.

The other enforcement action that was settled involved Sephora, Inc., an online retailer. This enforcement action was settled in August 2022 In that enforcement action, Sephora was shown to have failed to disclose to consumers that it was selling their personal information, failed to process opt-out requests made via user-enabled “global privacy controls” and failed to cure its violations. Under California data privacy laws, consumers can exercise their opt-out choices through various types of “global privacy controls” like browser and app settings. Sephora did now acknowledge those choices and for that, and other reasons, was held to be violating California’s consumer data privacy statutes. Sephora agreed to pay $1.2 million to settle the action and also agreed to comply with various injunctive mandates.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.

Extra, Extra!
Recent Posts

Can I Trademark a Non-English Word or Phrase in the U.S.?

Can I Trademark a Non-English Word or Phrase in the U.S.?

Trademark

Yes, as long as the proposed trademark meets the other requirements for registration. U.S. trademark laws do not require that only the English language can be used for trademarks. However, whatever the language, trademarks must meet the legal requirements, including functionality, distinctiveness, uniqueness, etc. For example, every trademark must function as a trademark in that […]

Read more about Can I Trademark a Non-English Word or Phrase in the U.S.?

California’s Age-Appropriate Design Code Act Declared Wholly Unconstitutional

California’s Age-Appropriate Design Code Act Declared Wholly Unconstitutional

Internet Law

In a new ruling, a California federal judge has declared the entirety of California’s Age-Appropriate Design Code Act (“CAADCA”) to be unconstitutional. Cal. Civ. Code §§ 1798.99.28 et seq. See media report here and the Opinion here. The case is Netchoice, LLC. v. Bonta, Case No. 22-cv-08861-BLF (US N.Dist. Cal, March 13, 2025). The CAADCA […]

Read more about California’s Age-Appropriate Design Code Act Declared Wholly Unconstitutional

Put Revision Legal on your side