Cookie Policy

On August 24, 2022, California Attorney General Rob Bonta issued a press release announcing the first public settlement by the Office of the Attorney General (OAG) involving alleged violations of the CCPA. The settlement involves a judicial judgment, civil penalties and ongoing monitoring and reporting. The use of noncompliance letters to cajole companies into compliance over many months now appears to be a closed chapter in the CCPA saga. Season 2 promises more drama, more action and more money. Entertaining unless you are the next target!

Key Takeaways

The following are our key takeaways from this settlement. For a description of the allegations and procedural history, see “What Happened?” below.


  • According to the OAG, the existence of online tracking technologies on an operator’s (i.e., a business) online service (e.g., websites and mobile apps) that collect personal information by a technology provider or other third party are “sales” of personal information by the operator of the online service, because the operator of the online service makes the opportunity to collect and use the data available to the third party, unless those third parties have agreed to contractual restrictions on their use of personal information such that they qualify as “service providers” under the CCPA. If not, you must enable “Do Not Sell” (DNS) to disable the tech or have the third party contractually agree to be a service provider. Keep in mind:

  • Enabling DNS means both an affirmative opt-out mechanism and recognizing and acting on user-enabled “global privacy controls” (GPCs). See GPC.

  • If you rely on signals or settings to restrict tracking technology to service provider processing, the operator of the online service is responsible for ensuring they work and are honored.

  • Cookie banners and preference centers are only sufficient if configured consistent with the OAG’s position on DNS and GPC. Many, if not most, are not.

  • What a service provider can do with personal data collected on behalf of a business is incredibly narrow and getting more narrow under the California Privacy Rights Act (CPRA).

  • Review the use of online tracking technology to see if it meets the CPRA’s definition of “share” in preparation for the CPRA’s amendments to the CCPA, and remember the opt-out of “sharing” goes beyond “selling” and includes cross-contextual behavioral advertising services that might have qualified under the CCPA as a service provider activity (e.g., social media platform matched audience ads).

  • The CCPA’s notice and cure provision will expire on January 1, 2023 (when the CPRA comes into full force and effect). If you receive a noncompliance letter from the OAG in the meantime, respond and swiftly comply or prepare to challenge and risk a potentially hefty penalty. The OAG is on record that it will no longer exercise discretion to allow extended cure opportunities.

  • For purposes of calculating an enforcement penalty, the OAG may consider that each “sale” is a violation, and not necessarily calculate penalties on a per-consumer, per-visit, per-day, or other less colossal measure. Thus, the OAG may seek penalties for millions of violations per day. The potential of crippling penalties raises the stakes of challenging the government’s aggressive interpretations of the CCPA and CPRA. The $1.2 million penalty appears calculated to make a point to industry, but at the same time avoid litigation of the issues.

  • Ensure privacy policies and notices are complete and accurate or risk deception and unfairness claims in addition to CCPA claims.