
Privacy with teeth: First CCPA enforcement action

By Gamelah Palagonia | September 14, 2022

What are the impacts stemming from the recent enforcement action from the California Consumer Privacy Act?

On August 24, California Attorney General Rob Bonta announced a settlement with a cosmetics retailer resolving allegations that the company violated the California Consumer Privacy Act (CCPA), California’s landmark privacy law. After conducting an enforcement sweep of online retailers, the Attorney General alleged that the cosmetics retailer failed to disclose to consumers that it was selling their personal information, failed to process user requests to opt out of sales via user-enabled global privacy controls in violation of the CCPA, and did not cure these violations within the 30-day period currently allowed by the CCPA. The settlement is the first of its kind under the CCPA and should serve as a wake-up call for all organizations doing business in California. It very likely is a bellwether for the kind of enforcement activity that will be coming, not only for the remainder of this year, but also under the more expansive California Privacy Rights Act (CPRA) which goes into full effect on January 1, 2023.

“Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they are using their customers’ data and ignore requests to opt out of its sale. I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable.”

Attorney General Bonta | State of California

Privacy gets real

The CPRA, also known as Proposition 24, was a ballot proposition that voters approved during the November 3, 2020 general election. The proposition amended the CCPA by expanding California's consumer privacy rights. For example, while the CCPA allows for a 30-day cure period, the CPRA does not, leaving businesses open to immediate enforcement. Additionally, the CPRA established the California Privacy Protection Agency (CPPA), the nation’s first state agency dedicated solely to protecting consumer privacy. The CPPA’s sole mission will be to enforce the CPRA and ensure that consumers are well informed about their privacy rights and that businesses comply with their legal obligations. Penalties under the current law, which the CPPA will be free to pursue under the CPRA, are substantial. The cosmetics retailer settlement requires the offending company to pay $1.2 million in penalties and, within 180 days and for a period of two years thereafter, comply with important requirements, such as:

  • Clarify its online disclosures and privacy policy to include an affirmative representation that it sells data;
  • Provide mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control (GPC);
  • Conform its service provider agreements to the CCPA’s requirements; and
  • Provide reports to the Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor the Global Privacy Control.

Enforcement timeline

On June 14, 2021, Attorney General Bonta’s office confirmed that companies holding California consumer information are required to honor the GPC tool as a mechanism for people to opt out of data collection. The GPC allows consumers to opt out of all online sales in one fell swoop by broadcasting a "do not sell" signal across every website they visit, without having to click on an opt-out link each time. This reflects the AG’s focus on online tracking and on the implementation of and compliance with global opt-out signals such as the GPC.
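The signal described above is delivered, per the Global Privacy Control specification, as an HTTP request header (Sec-GPC: 1) and as a browser property (navigator.globalPrivacyControl), and a site announces that it honors GPC at /.well-known/gpc.json. The following is an added illustration of how a site could honor that signal on the server side; it is not code from this article or from Willis Towers Watson. It assumes either a Node-style header object with lowercase names or a Fetch-style object with a get() method, and the list of integrations is constructed for the example.

```javascript
// Added example: honoring the Global Privacy Control (GPC) opt-out signal.
// The GPC spec sends the request header "Sec-GPC: 1"; only the exact value "1"
// is a valid signal, so anything else is not treated as an opt-out here.
// (Header name and value are assumptions taken from the GPC specification.)

// Read the signal from Node-style headers ({ "sec-gpc": "1" }) or from a
// Fetch-style Headers object (headers.get("sec-gpc")).
function gpcOptOut(headers) {
  let value;
  if (headers && typeof headers.get === "function") {
    value = headers.get("sec-gpc");
  } else if (headers) {
    value = headers["sec-gpc"] !== undefined ? headers["sec-gpc"] : headers["Sec-GPC"];
  }
  return value !== undefined && value !== null && String(value).trim() === "1";
}

// Client-side equivalent: the browser exposes the same preference as
// navigator.globalPrivacyControl (a boolean). Takes a navigator-like object so
// it can be tested outside a browser.
function clientSignalsGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed list of third-party integrations; the flag marks those that
// would amount to a "sale" or "sharing" of personal information under CCPA/CPRA.
const INTEGRATIONS = [
  { name: "first-party-analytics", sellsOrSharesData: false },
  { name: "ad-network-pixel", sellsOrSharesData: true },
  { name: "data-broker-sync", sellsOrSharesData: true },
];

// Return only the integrations that may be loaded for this request: when the
// user has opted out via GPC, every integration that sells or shares data is dropped.
function allowedIntegrations(headers, integrations = INTEGRATIONS) {
  const optedOut = gpcOptOut(headers);
  return integrations
    .filter((i) => !(optedOut && i.sellsOrSharesData))
    .map((i) => i.name);
}

// Record the per-request decision. The settlement described in the article
// requires the company to report on its efforts to honor GPC; a log like this
// is the evidence an auditor or regulator would ask for.
function decisionRecord(headers, requestId) {
  return {
    requestId,
    gpcOptOut: gpcOptOut(headers),
    integrationsLoaded: allowedIntegrations(headers),
  };
}

// Body of the /.well-known/gpc.json resource the spec uses to announce that a
// site honors GPC. The date is a constructed placeholder.
function gpcWellKnown(lastUpdate = "2022-09-14") {
  return { gpc: true, lastUpdate };
}

// Constructed sample requests.
const withGpc = { "sec-gpc": "1" };
const withoutGpc = {};
const malformed = { "sec-gpc": "true" }; // not the spec value: no valid signal

console.log(decisionRecord(withGpc, "req-1"));
console.log(decisionRecord(withoutGpc, "req-2"));
console.log(decisionRecord(malformed, "req-3"));
console.log(JSON.stringify(gpcWellKnown()));

module.exports = { gpcOptOut, clientSignalsGpc, allowedIntegrations, decisionRecord, gpcWellKnown, INTEGRATIONS };
```

The decision is made once per request, before any sale- or share-type tag is emitted, rather than after a consent banner is shown, which is the point of a global signal: the consumer should not have to click an opt-out link on each site. Following the spec strictly, only the value "1" counts as a signal; an operator that prefers to fail closed could treat any non-empty Sec-GPC value as an opt-out, but that is a policy choice, not something the spec requires.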

On January 28, 2022, Data Privacy Day, Attorney General Bonta announced an investigative sweep of several businesses operating loyalty programs in California. His office sent notices alleging that the investigated companies were failing to provide a notice of financial incentive to customers that opt into their loyalty program as required by the CCPA. Notices also were sent to two other companies:

  • An online advertising company whose privacy disclosures were not understandable to the average consumer (i.e., they did not include the required information) and
  • A data broker whose “Do Not Sell My Personal Information” link worked only on certain browsers and directed consumers to a confusing webpage that required several additional steps to submit CCPA requests.

Attorney General Bonta is committed to robust enforcement of the CCPA and future CPRA. As part of his ongoing efforts, his office issued non-compliance notices to a host of other businesses advising that they have 30 days to remedy alleged CCPA violations or face enforcement.

Key takeaways

With the expiration date of the CCPA’s 30-day cure period just four months away, companies doing business in California that are not CCPA compliant should heed the AG’s promises of aggressive enforcement and work to become compliant before year’s end. To get started, a simple way for companies to test their compliance is to assess their privacy policies and procedures against the individual rights outlined in both the CCPA and CPRA.

  • The right to know and request disclosure of personal information collected by businesses about the consumer, from whom it was collected, why it was collected, and, if sold, to whom.
  • The right to delete personal information collected from the consumer.
  • The right to opt out of the sale of personal information.
  • The right to opt in to the sale of personal information of consumers under the age of 16.
  • The right to non-discriminatory treatment for exercising any rights.
  • The right to initiate a private cause of action for data breaches.
  • The right to correct inaccurate personal information.
  • The right to limit use and disclosure of sensitive personal information.

Current privacy policies may include only the CCPA consumer rights, as the CPRA does not go into effect until January 1, 2023.

Cyber insurance implications

Given the nature of the fine, the lack of insurability of punitive damages in California, and the fact that this case is a matter of first impression for insurance carriers, it is unclear whether it would be covered under cyber insurance. Further, the fact that the retailer was given notice to cure the violation but did not do so could be deemed an intentional violation of law and a wrongful act, and so preclude coverage.

Businesses should tender any non-compliance notices they receive from the AG to their cyber insurance carrier as regulatory actions. Because cyber insurance does provide regulatory defense coverage, the carrier likely would have implored the retailer to cure the violation within the 30-day period allowed by the CCPA, avoiding the fine altogether.

We are closely monitoring the fallout of this enforcement action and working with the carriers to determine their coverage intent with respect to non-compliance fines of this nature.


Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).
Executive Vice President – Cyber Development & Regulatory Leader