CalPrivacy targets cookies in CCPA enforcement against ticketing service

Key allegations

CalPrivacy alleged that the ticketing provider violated the CCPA through its use of cookies and other tracking technologies and deficient consumer disclosures, including:

• Not providing consumers a method to opt out of “selling” and “sharing” of personal information through tracking technologies. The company allegedly did not offer consumers its own tracking technology opt-out methods. Instead, they directed consumers to opt-out tools offered by industry groups or a phone number and email address (which CalPrivacy alleged did not meet the CCPA webform requirement).
• Not honoring Global Privacy Control (GPC) signals. The provider’s digital properties allegedly did not recognize and honor GPC signals.
• Deficient notices. The provider’s privacy notice and notice of the right to opt out of sales and sharing allegedly did not contain all CCPA-required information. The privacy notice also allegedly had not been updated in the previous 12 months.
• Customers were forced to “agree” to cookie deployment on mobile devices and through the app. CalPrivacy alleged that the ticketing provider’s cookie banner displayed on mobile websites and the apps required a consumer to click that they agreed to tracking technologies in order to actually use the site, although CalPrivacy did not expressly allege this practice violated the CCPA.

Key order requirements

The resolution with CalPrivacy requires the ticketing provider to:

• Pay a $1.1 million fine.
• Provide its own, clear, accessible method to opt out of tracking technology sales and sharing.
• Scan all digital properties quarterly to inventory tracking technologies.
• Execute required contract terms with tracking technology providers.
• Conduct newly required privacy impact analyses (called “risk assessments” under the new CCPA regulations) tied to the provider’s selling and sharing of personal information.
• Publish compliance metrics and maintain accurate privacy disclosures that are appropriate to their high school student audience.

Takeaways

This enforcement action is a reminder that both CalPrivacy and the California attorney general continue to aggressively enforce the CCPA. Companies should make sure to:

• Implement company-specific consent management tools to process opt-out requests for sales and sharing through tracking technologies.
• Configure consent management tools to recognize GPC signals where required by applicable law.
• Regularly test consent management tools to make sure they are working properly.
• Confirm that all privacy notices comply with applicable laws and establish an annual (or more frequent) review cadence.
• Review privacy notices and tracking technology consent management tools for deceptive language and potential dark patterns, such as mandatory “agree” buttons.
• Assess children’s privacy obligations under the CCPA, app store accountability acts, and other children’s privacy laws.

If you have questions or would like to discuss any issues related to this enforcement action, contact your regular McDermott Will & Schulte lawyer or one of the authors.