On Friday, January 27, California Attorney General Rob Bonta announced an investigative sweep of businesses that provide mobile apps, issuing warning letters to those that AG Banta alleges failed to comply with the California Consumer Privacy Act (CCPA). This sweep focused specifically on “popular retail, travel, and food service industry apps” that failed to comply with consumer opt-out requests or otherwise failed to offer mechanisms for consumers to stop the sale of their personal information.
While investigative sweeps have been fairly common of late, every business with a mobile app should pay particular attention to this sweep because it involves honoring an authorized agent in the form of a third party application for submitting requests. In addition to the general focus on mobile apps that did not offer a mechanism to opt out of the sale of personal information, the sweep also focused on mobile apps that could not process requests submitted through authorized agents—including those sent by the mobile app “Permission Slip.” Permission Slip is an app that files requests on users’ behalf, instructing companies to stop selling data.
Much like the requirement to recognize the Global Privacy Control (GPC) on websites, which was the focus of the California Attorney General’s Sephora action, businesses with mobile apps now have to ensure that they can recognize and process automated requests submitted through the Permission Slip app. This sweep adds another layer of complexity for businesses attempting to implement their CPRA compliance efforts.