
California AG Announces Investigation of Mobile Apps’ CCPA Compliance

On Jan. 27, 2023, the California Attorney General announced his office is investigating and sending letters to businesses in the retail, travel, and food industries with popular mobile apps that allegedly are not in compliance with the California Consumer Privacy Act (CCPA) by failing to offer a consumer opt-out mechanism for sales, or honor rights requests submitted via authorized agents. In its announcement, the California AG also “urge[d] the tech industry to innovate for good – including developing and adopting user-enabled global privacy controls for mobile operating systems that allow consumers to stop apps from selling their data.” The AG’s investigations seem to be becoming an annual tradition in honor of Data Privacy Day. In 2022, the California Attorney General announced an investigation of numerous major corporations in the retail, home improvement, travel, and food services industries operating loyalty programs. While the 2022 notice stated that noncompliant industries would have 30 days to cure and come into compliance, such cure language was not included in the 2023 notice.

The CCPA, as amended by the California Privacy Rights Act of 2020 (CPRA), went into effect Jan. 1, 2023, and enforcement of the amended CCPA will commence July 1, 2023. On Jan. 20, 2023, the AG’s office updated its CCPA website page to include several new FAQs addressing the CPRA amendments. In relation to several issues, the FAQs note the California Privacy Protection Agency (CPPA) is currently engaged in a formal rulemaking process and has proposed CCPA regulations, but the regulations are not final. Once the CCPA regulations are finalized, the FAQs will likely be updated again. While it remains uncertain when the proposed CCPA regulations will be finalized, the CPPA is scheduled to discuss possible action on the proposed regulations, including possible adoption or modification of the text, as well as preliminary rulemaking activities of new rules on risk assessments, cybersecurity audits, and automated decision making, at its next meeting on Feb. 3, 2023.