On Friday, January 27, California Attorney General Rob Bonta announced an investigative sweep of businesses that provide mobile apps, issuing warning letters to those that AG Bonta alleges failed to comply with the California Consumer Privacy Act (CCPA). This sweep focused specifically on “popular retail, travel, and food service industry apps” that failed to comply with consumer opt-out requests or otherwise failed to offer mechanisms for consumers to stop the sale of their personal information.
Investigative sweeps have been fairly common of late, and it isn’t a surprise to see a focus on mobile apps. But, in addition to hitting mobile apps that did not offer a mechanism to opt out of the sale of personal information, the sweep also focused on mobile apps that could not process requests submitted through authorized agents—including those sent by the mobile app “Permission Slip.” Permission Slip is an app that files requests on users’ behalf, instructing companies to stop selling data. In some ways, Permission Slip is similar to the Global Privacy Control (GPC), which was the focus of the Attorney General’s Sephora action last fall.
The regulatory emphasis on user-enabled mechanisms, whether through apps or browser extensions, adds another layer of complexity for businesses attempting to implement their CPRA compliance efforts. And, while the GPC had been publicly endorsed by the California Attorney General months before the Sephora action, Permission Slip is a relatively new and unknown app. It therefore raises the question of which apps and extensions businesses have to honor in order to stay in compliance with the CPRA and other privacy laws. With a likely flood of new products or services, it is no small issue.