Industry Insights

California Privacy Takeaways from ANA-BAA Law Marketing Conference

Post by
Dan Frechtling
California Privacy Takeaways from ANA-BAA Law Marketing Conference

The ANA-BAA Law Marketing conference Nov 15-17 in San Diego included a half dozen sessions on data privacy. To varying degrees, each of them referenced on the landmark California privacy laws, CCPA and CPRA. Below are several takeaways related to California regulations from two sessions in particular.

1. CA Attorney General enforcement of CCPA addresses many business types
In their presentation on California privacy regulations, Alan Friel of Squire Patton Boggs and Dave Manek of Ankura cited 27 examples of CCPA noncompliance notices. The notices covered a breadth of industries, perhaps reinforcing all firms that process personal data need to comply.


They noted companies that buy and sell personal data, share data or allow others to collect data for interest-based advertising (IBA) were prevalent through the examples.  Examples include a data broker, social media site, online event seller, online advertiser, and online marketer.


Firms accessing data from children and other sensitive data such as geolocation were also mentioned, such as a video game site, toy distributor, and education technology provider. The attorney general’s office also included auto, consumer electronics, grocery, clothing retailer, and pet industries in their examples.

2. Global Privacy Controls (GPC) are a force to be reckoned with.
GPCs are browser plug-ins, device settings, or other signals when a visitor reaches a website to tell the website the visitor doesn’t want to be tracked and doesn’t want their personal information sold. They can be much faster and more user-friendly than opt-out links or emails.


In their presentation on state, federal, and international regulation, Elliott Siebers of Frankfurt Kurnit Klein and Selz and Nicolette Martz of Yelp showed how GPC is getting serious attention from US state regulators.


They cited CCPA regulations that say businesses provide two or more methods for submitting opt out requests. The methods can be the “Do Not Sell” link as well as a toll-free phone number, email address, web form, in-person form or mail-in form. But businesses collecting online information must accept GPCs as a valid opt-out.


Colorado’s privacy law requires mandatory recognition of a GPC-like mechanism as of July 1, 2024. Virginia has no such requirement, but a working group recently recommended adoption of global controls. Further momentum came two weeks prior to the conference, when Mozilla Firefox announced it joined a group of privacy-first browsers to implement GPC.

3. Compliance teams may want to consider a CCPA year end checklist for enforcement
Friel and Manek also provided a year end CCPA checklist for enforcement topics

·      Consumer Rights – Audit consumer rights request process to ensure it includes all rights and responses are complete and timely. Revisit the right to protection from discrimination and instructions for authorized agents.


·      Sale Position – Either have a Do Not Sell link, or make statement that you do not sell. Also include reference to having no knowledge of a sale of minor's data in the last 12 months. If you take the position you do not sell:

-        Revisit third party cookies
-        Check your privacy notice for conflicting language such as “we may share your information with third-party companies,” “our advertising partners may collect information about you,” or “we provide information to other companies, sites, or platforms to develop services to offer you”


·      Service Provider Contracts – Make sure you meet requirements of final CCPA regulations and consider updating now for upcoming laws such as CPRA, VCDPA anc CPA


·      Pre-collection Notices At Entry Points – Maintain a data inventory that includes a log of all personal information entry points and confirm there is a privacy notice at each collection point. Don’t forget white labeled marketing sites, login pages of portals and mobile apps.


·      Cookie Solutions including GPC – Run regular cookie scans and bucket cookies.  Consider cookie banners and consent management platforms (CMPs), addressing GPC signals, understanding of IAB programs and Google / Facebook solutions.


To learn about how to keep your brand and your site compliant with data privacy laws in California and elsewhere, check out Boltive Privacy Guard.