While businesses have been preparing for enforcement of the CPRA regulations a California court has delayed enforcement of some of the CPRA rules until March 29, 2024, allowing more time to implement processes related to data processing agreements, consumer opt- out mechanisms, and the handling of data subject access requests. In its second enforcement action, the California Attorney General alleged DoorDash violated the CCPA and CalOPPA by participating in a marketing cooperative where DoorDash provided California consumers’ personal information to other businesses in the cooperative. The California Department of Justice investigated and found that DoorDash sold its customers’ personal information without providing consumers proper notice or an opportunity to opt out, thereby violating the CCPA and CalOPPA. As part of its $375,000 settlement announced February 21, 2024, DoorDash must comply with California’s requirements regarding a business’ sale of personal information, ensure its vendors comply with California’s laws regarding the selling and sharing of consumer personal information, and provide annual reports to the California Attorney General. Key takeaways from the DoorDash settlement: 1.Disclosure = Sale. Under the CCPA, providing consumer personal information, even without the exchange of money, is sufficient to meet the definition a “sale.” 2.Privacy Practices and Policies. CalOPPA outlines the requirements of companies processing the personal information of California residents. Companies should ensure their practices and privacy policies (both internal and external) are aligned with the statute’s requirements. It’s important to note that CalOPPA may apply, even if the CCPA does not. California IOT law (SB327) On September 28, 2018, California Governor Jerry Brown signed legislation making California the first state to expressly regulate the security of connective devices, which
122
Made with FlippingBook - Online Brochure Maker