A basketball going into a hoop.

CCPA Compliance: The Top 6 Areas Where Companies Miss the Mark

Cory Underwood
,
CIPT, CIPP/US, Analytics Engineer
,
Feb 10, 2023

We’ve surveyed 294 websites to check six consequential data privacy areas for compliance with CCPA. Our findings reveal that most of the surveyed sites are not compliant and now risk lawsuits, brand aversion, and fines. Get the details and learn how to mitigate risk to your business.

In 2018, California passed the California Consumer Privacy Act (CCPA). This law took effect in 2020 and was amended in the fall of that same year. In 2023, an updated version of the law is on the horizon, forcing companies to undertake another round of compliance activity.

Given this new regulatory environment, Search Discovery evaluated 294 websites across various focus areas to determine the areas brands are still struggling with compliance. This audit was a highly condensed version of our detailed privacy assessment and roadmap, which includes 106 checkpoints. The results of our analysis present a stark view of the industry regarding compliance, with most brands risking enforcement action over multiple requirement shortcomings.

We conducted our evaluation over a Virtual Private Network (VPN) that caused us to appear as if we were in California. This addressed any potential for false readings, as we would accurately fall within any geofencing logic that may be present. We analyzed results in the first week of January 2023.

Data Privacy Compliance Survey Findings

1. Consent Management

Search Discovery's original research found over half of the 300 evaluated sites lacked any consent management feature, which violates CCPA and exposes companies to data privacy regulatory risk.

During this evaluation, we reviewed each site to determine if it had a consent management system. Just over half (55.1%) lacked any sort of consent management feature, including a consent banner, present.

You likely want (and may even require) a consent platform (such as OneTrust, TrustArc, etc.), but under CCPA the banner serves to provide notice of collection. So, you don’t need a vendor hosted consent management platform, but you do need mechanics for how to handle all the related consent features, such as opting out of sale of personal information. A consent banner is often an easy way to meet some of the requirements. In our evaluation, though, even these were missing in over half the cases.

2. Banner User Experience

earch Discovery's original research found nearly 3/4 of the 300 evaluated sites had one or more problems regarding overall banner design, which violates CCPA and exposes companies to data privacy regulatory risk.

Banner user experience covers items such as dark patterns, button prominence, and related content. Requirements for this area were drawn from a review of the California draft regulations.

When it came to the user experience, a sizable 71.43% of sites reviewed had one or more problems when it came to the overall banner design. Should the draft requirements we evaluated become the regulatory standard used for enforcement (as expected), more than two-thirds of the sites we reviewed would be at risk of enforcement action over their banner designs.

3. Banner Functionality

earch Discovery's original research found nearly 3/4 of the 300 evaluated sites had bad banner functionality, which violates CCPA and exposes companies to data privacy regulatory risk.

Banner functionality testing was an evaluation of the banner doing what it says on the tin. For example, if we, the user, opted out of data collection, was data still collected? If we clicked the ‘Learn More’ link, did it go to the right place?

Unfortunately, we found that in 73.47% of tests, it didn’t matter that we opted out of collection. Our data continued to be collected. This puts affected businesses on a collision course with regulators, who treat that scenario as a deceptive trade practice. Under California law, additional enforcement may come from having a non-functional opt-out process.

Alignment between stated behavior and actual behavior must happen when it comes to data collection, and three-quarters of businesses we reviewed continue to struggle with this, even three years after the rollout of the CCPA.

4. Global Privacy Control Compliance

earch Discovery's original research found 93.2% of the 300 evaluated sites did not properly detect the presence of the Global Privacy Control Signal (GPC), which violates CCPA and exposes companies to data privacy regulatory risk.

Added as a new requirement for CCPA compliance in 2021, the Global Privacy Control (GPC) is a browser-level signal that the website should monitor for and treat as a valid opt-out request. GPC signal compliance gained notoriety in late 2022 when it was cited in the case against Sephora for non-compliance. While the case made headlines, it does not appear to have altered how businesses handle processing the GPC.

We found that a whopping 93.2% of companies did not properly detect the presence of the GPC nor undertake any action to modify data collection and opt-out behavior when presented with a browser broadcasting the signal.

As we know, the GPC will have increased focus in the coming years. Our findings indicate that most businesses are presently ill-prepared to comply with the GPC signal and risk enforcement action from the California Privacy Protection Agency.

5. Privacy Policy Updates

Search Discovery's original research found nearly 3/4 of the 300 evaluated sites were missing at least one required area in their privacy policy, which violates CCPA and exposes companies to data privacy regulatory risk.

When it came to Privacy Policy updates, we looked for a bare minimum of items. We checked for an updated date (that is, the date it was last updated), descriptions of data retention, a section for how California residents could execute their rights, and if there was a form for submitting opting out of sale of personal data.

While most sites (but not all) had a privacy policy, a sizable 73.13% of reviewed sites were missing at least one required area in their privacy policy. This document must be accurate and complete because this is one of the standards businesses are evaluated against regarding compliance enforcement.

This review indicated that most sites face an increased risk of enforcement action for failing to have the required privacy policy fields.

6. Opt-Out Linkage

Search Discovery's original research found over 3/4 of the 300 evaluated sites did not have appropriate opt out links in the site footer, which violates CCPA and exposes companies to data privacy regulatory risk.

Lastly, under California regulations, a site must have a link in the site footer, allowing users to opt out of the sale of their personal information. Non-compliance on link placement reached 76.87%, with less than a quarter of reviewed businesses meeting requirements.

As the link is required to allow consumers easy access to opting out of the sale of data, a missing link may subject the company to an increased risk of enforcement by the California Privacy Protection Agency.

Conclusion and Recommendations

Regulatory compliance can be challenging, and more than three-quarters of the businesses we reviewed failed to comply with at least one of the CCPA requirements with the CPRA amendments.

With California stepping up enforcement compliance and conducting enforcement sweeps to find companies neglecting the law, the risk of non-compliance has never been higher. Further, the Notice to Cure provision was repealed with the amended law that went into effect on January 1st, 2023. This means non-compliant businesses may no longer get a warning and be subject to immediate enforcement action with no chance to take corrective action for a reduced/avoided fine.

We recommend working with Search Discovery’s privacy team to conduct a complete assessment of your site for data privacy and regulatory compliance. While the audit we conducted for this study focused on critical issues, our comprehensive assessment checks over 100 at-risk areas. We provide a detailed roadmap for correcting compliance issues that we find. We invite you to review a complete list of our data privacy, regulations compliance, and tracking prevention solutions here.

Worried about CCPA compliance and the potential consequences of not getting privacy and consent quite right? We can help. Reach out today.

Cory Underwood
,
CIPT, CIPP/US, Analytics Engineer

Cory Underwood is a certified data, analytics, and security expert with more than a decade of experience leading strategies across website development, optimization, and data compliance. As Senior Lead Analytics Engineer at Further, he develops security and privacy strategies for both the internal team and our clients. Cory is dedicated to teaching others the value of data through his blog and numerous speaking engagements. In his free time, Cory can be found playing video games, cooking delicious BBQ meals, or practicing his woodworking.

,

Read More Insights From Our Team

View All

Take your company further. Unlock the power of data-driven decisions.

Go Further Today