What can we learn from recent CCPA breaches?

Kevin Tunison | 2nd Sep 2022

The CCPA (California Consumer Privacy Act) – California's answer to Europe's GDPR (General Data Protection Regulation) – has been enforceable since 2020. However, some organizations still make major blunders when handling California residents' personal information (PI). 

Under the act, those living in the state can opt out of their data being sold to third parties and take more control over their data's usage. Any business breaking these rules could face serious financial penalties; unintentional violations can cost $2,500, or $7,500 for intentional ones.

Some major instances of non-compliance have occurred over the last couple of years – but there are lessons to be learned. Here are a few of the biggest CCPA non-compliance cases in recent times.

CCPA cases

An avoidable breach for T-Mobile

In July this year, a settlement was filed where cell phone network T-Mobile agreed to pay $350m and spend $150m investing in its data security following a 2021 data breach. T-Mobile claimed no customer data was affected, but over 40 punitive class action claims were filed. Plaintiffs alleged they 'entrusted their sensitive PII (personally identifiable information) to T-Mobile, understanding that T-Mobile would keep their information secure.' Claims ranged from negligence, to breach of implied and express contract, to violation of CCPA.

'Zoom-bombing' attacks

Video conferencing business Zoom agreed to pay $85m to improve its security practices to comply with the CCPA as part of a settlement in August 2021. This followed a spate of 'Zoom-bombing' (hijackers interrupting Zoom meetings to post disturbing or otherwise offensive content). The lawsuit claimed users' rights were violated thanks to Zoom sharing personal data with major social media networks and Google.

Lack of transparency

The State of California Department of Justice Office of the Attorney General (OAG) began sending notices of alleged non-compliance in July 2020 and has extensive notable case examples of organizations failing to comply with the CCPA.

A children's toy distribution company failed to provide notice of required CCPA consumer rights, didn't include methods for consumers to exercise those rights, didn't list the types of personal information it disclosed, and wasn't transparent about whether it had sold information in the past year. It also claimed customers could be charged a fee for processing their request to know how their data had been used. It was forced to update its privacy policy to address these problems. 

Opting-out clarity

A location data broker was informed of alleged non-compliance, thanks to a lack of clarity in its data collection information. Its opt-out process directed consumers to mobile device settings to set up their desired opt-out choices and provided a web form for them to opt-out of data collection.

However, it didn't include whether the web form would also opt customers out of the sale of personal information. The organization has since updated its web form for clarification, adding that it would allow consumers to effectuate their CCPA opt-out rights.

Targeting of minors

A mobile game application fell foul of the OAG by installing software from a third-party advertising platform that made players' personal information available – some of whom were teenage minors. An opt-out mechanism wasn't provided for adults, nor was an opt-in for minors, and the organization has since had to remove the ad platform and tighten its privacy rules.

Lessons learned

There are a few great takeaways from these organizations' mistakes, all of which are essentially common sense but are sometimes overlooked. 

Update privacy disclosures

One of the repeated issues with the cases outlined above is the lack of transparency within privacy disclosures. Customers must know exactly what you're doing with their data and be able to opt in or out as necessary, or you risk CCPA non-compliance. 

Get up-to-date on your responsibilities

Review your policies regarding data collection of California residents so you understand what your regulatory responsibilities are – and the consequences of non-compliance. 

Keep on top of your data

You must have a tight grasp on how sensitive data is stored, where it's stored, who has access to it, and whether it gets shared with anybody else. This might require an IT investment.

Educate the wider business

Keeping private data secure and up-to-date with regulations are tasks for the entire team, not just one person. CCPA compliance requires ongoing education and training.

 

As we've seen, even huge organizations can get this wrong in a big way, so it's vitally important to understand CCPA and your responsibilities with it. Find out more about CCPA and other types of compliance here.