California Consumer Data Privacy: Recent Enforcement Actions

by John DiGiacomo

Partner

Internet Law

In 2018, California became the first State in the United States to enact a consumer data privacy statute. The statute became effective on June 1, 2020. The California statute has been amended and expanded a couple of times since being passed and is deemed one of the strongest and most protective consumer data privacy statutes. As of mid-2024, another seventeen (17) States have passed their own versions of consumer data privacy statutes using the California version as a model and template.

In all such statutes, enforcement powers are granted to the various Attorneys General Offices. That is, none of the consumer data protection statutes provide a private right of action where consumers can sue businesses directly for violating their consumer data privacy rights. Consumer privacy advocates lament this, of course, but they have been unable to convince lawmakers to allow a private right of action.

Since California was the first State to enact a consumer data privacy statute, it is useful to look at some recent enforcement actions undertaken by the California Attorney General. Based on announcements, the California Attorney General has only settled two large enforcement actions since June 1, 2020. The most recent was a settlement with DoorDash in February 2024. In that action, DoorDash was confirmed to have joined a “marketing cooperative” that exchanged consumer personal data, allowing the businesses to advertise to each other’s customers. The exchanged data included information like names and home addresses. The California Attorney General specifically held that this “exchange” of personal data “counted” as a “sale” of personal data. As such, under California’s consumer data protection statutes, DoorDash and the other participants were obligated to provide notices to consumers and obtain various consents for the sharing of their data. DoorDash clearly did not do this. According to the announced settlement, DoorDash will pay a $375,000 civil penalty and be subject to injunctions requiring it to conform explicitly with the requirements of the California consumer data privacy statutes, review and modify contracts with marketing and analytics vendors, use technology to evaluate if it is selling or sharing consumer personal information in violation of the laws, and provide annual reports to the California Attorney General.

The other enforcement action that was settled involved Sephora, Inc., an online retailer. This enforcement action was settled in August 2022. In that enforcement action, Sephora was shown to have failed to disclose to consumers that it was selling their personal information, failed to process opt-out requests made via user-enabled “global privacy controls” and failed to cure its violations. Under California data privacy laws, consumers can exercise their opt-out choices through various types of “global privacy controls” like browser and app settings. Sephora did not acknowledge those choices and, for that and other reasons, was held to be violating California’s consumer data privacy statutes. Sephora agreed to pay $1.2 million to settle the action and also agreed to comply with various injunctive mandates.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
