We're not playing horseshoes here, folks. It's time to review your consumer privacy rights forms and mechanisms.
Key Takeaways
- The fields relating to requests to opt out of sale/sharing and requests to limit should only solicit the information strictly necessary to complete the request, which is likely less than what the other, more substantive requests (like access and delete) require. This applies to authorized agent opt-out requests as well.
- For the more substantive requests (like access and delete), re-evaluate how much information is actually necessary for you to fulfill the consumer's request. Ensure your form is not asking for anything extraneous.
- Review your cookie consent toggles to ensure that opting out of certain cookies takes exactly the same number of steps as opting in.
- Ensure you have CCPA-compliant contracts with your advertising technology providers saved in your files.
Summary
On March 7, 2025, the California Privacy Protection Agency (the Agency) adopted a Stipulated Final Order imposing a $632,500 fine and requiring changes to key business practices in response to alleged violations of the California Consumer Privacy Act (CCPA).
The Agency alleged that the following practices can violate the privacy rights of California consumers:
- Requiring data subjects and their authorized agents to undergo excessive identity verification to exercise their privacy rights.
- Failing to offer data subjects "symmetrical" mechanisms to manage cookie collection on web domains.
- Sharing personal information with advertising technology companies without being able to produce CCPA-compliant contracts governing this exchange.
While the Stipulation does not represent a seismic change in current CCPA interpretation, it is a surprising revelation regarding how nuanced and detailed the Agency expects covered businesses to be in their implementation of the CCPA's obligations surrounding consumer request mechanisms, especially considering the relatively high fine amount for what most businesses likely consider to be only minor gaps or de minimis non-compliance.
Here are the broad strokes of the Stipulation:
Excessive Verification. The consumer privacy rights mechanism at issue required data subjects to provide their full name, address, preferred contact method, email, and phone number for all types of requests, including requests to opt out of certain data practices like sale, disclosure for cross-context behavioral advertising and certain uses of sensitive data. The Agency considered the solicitation of these data elements akin to requiring verification for the opt-out requests, which is not permitted under the CCPA. The Agency applied the same logic to opt-out requests submitted by authorized agents.
Symmetrical Management of Privacy Choices. Requiring two steps to opt out of the cookies' functionality (first selecting "turn off," then "confirm my choices") but only one step to opt back in (returning to the cookie management tool and selecting "allow all") is asymmetrical and in violation of the CCPA regulations.
Ad Tech Contracts. As a final cherry, the Agency required the production of contracts containing CCPA-required language with online advertising technology vendors. We've been here before with the California Attorney General's action against Sephora in 2022, but it is a reminder that the Agency will demand to see actual contracts and will review them at the text level to ensure compliance.