August 29, 2025
Important Compliance Notes on CCPA
On July 1, 2025, California Attorney General Rob Bonta announced a breathtaking $1.55 million settlement with the operator of a health and wellness information website. The operator is alleged to have failed to comply with certain requirements under the California Consumer Privacy Act ("CCPA"). The allegations focused on the following CCPA requirements: (1) honoring opt-out requests; (2) the purpose limitation principle; and (3) third-party contract provisions. The complaint provides some noteworthy compliance tips which we highlight below.
Opt-Out Requests
A California consumer has the right to opt out of the sale or sharing of personal information under CCPA. A business "shares" personal information when it makes a consumer's personal information available to a third party for "cross-context behavioral advertising" (i.e., targeted advertising). We tend to think of "personal information" as a consumer's name, address, and Social Security number. CCPA includes those standard identifiers in the definition of "personal information," but also includes the consumer's browsing history, interaction with a website, and inferences that can be drawn from any personal information of the consumer. Therefore, if a business shares information related to a consumer's interaction with its website with a third party for targeted marketing purposes, the consumer has the right to opt out of this sharing, and the business must effectuate this request.
The AG's complaint alleges that the AG tested the operator's website in the fall of 2023 and found that the operator continued to share personal information with third-party advertisers after the AG opted out of this sharing. In addition to the CCPA violation, the AG also noted that the operator's consent banner was deceptive because the operator's opt-out mechanism did not work as claimed, and therefore also a violation of California's Unfair Competition Law.
Compliance Tip: Businesses should routinely test website opt-out mechanisms for proper functionality.
Purpose Limitation Principle
A business is required to limit its collection, use, retention, and sharing of personal information under CCPA. Specifically, a business needs to have a reason to collect, use, retain, or share a consumer's personal information, and a business may only collect the personal information that is necessary for that reason. Under the CCPA, the context in which personal information is collected and shared matters - we can infer (and the CCPA regulations clarify) that a consumer's reasonable expectation also matters.
The operator is accused of sharing information with advertisers that was not necessary or within the scope of what a consumer would expect to be shared. For example, the operator allegedly shared the titles of articles viewed during a user's visit to the website. The complaint states that this could reveal something about the user of the website, such as that the user had a particular medical condition (which is sensitive information under CCPA).
Compliance Tip: Businesses should only collect, share, and use information necessary for an identified and expected purpose. The consumer's reasonable expectation of how a business collects, uses, and shares personal information is important to the analysis.
Contractual Protections
The CCPA requires that specific contract provisions be included when a business sells or shares personal information with a third party (including a service provider) for targeted advertising. For example, these provisions must identify the "limited and specific" purpose for which the information is being shared and require the third party to comply with the CCPA.
The complaint alleges that the operator assumed that the third-party advertisers with which the operator shared personal information followed standard industry frameworks. Additionally, the contracts reviewed by the AG did not include the contractual provisions mandated by CCPA.
Compliance Tip: Businesses should ensure contracts with third parties and service providers include the required contractual provisions under CCPA and verify the third parties and service providers do what they say they will do.
The AG notes that this is the fourth settlement for CCPA violations and that the AG will continue to enforce California's privacy laws. As regulators continue to focus on tracking, sensitive information, and the consumer's ability to exercise their rights under the state's comprehensive consumer privacy law, businesses should ensure they have robust compliance management systems and controls to meet the technical requirements under the law.