Earlier this year, the California Attorney General (AG), Rob Bonta, released the first-year enforcement update for the California Consumer Privacy Act (CCPA). The report includes anonymized examples of the various enforcement actions taken by the AG’s office over the past year, which will serve as a useful tool for companies and practitioners to examine trends and highlight gaps within their own CCPA programs.

The investigative actions carried out by the AG’s office seemed to center around three main areas of compliance. In this blog, we will take a closer look at these three areas as well as provide solutions to help avoid violating them.

Top 3 Areas of Non-Compliance with the CCPA

  1. Insufficient Privacy Policies and Notices

The examples listed by the AG’s office included a variety of issues noted in privacy policies. For example, several businesses had privacy policies that failed to mention the rights of consumers under the CCPA, or how to exercise those rights. Others failed to list the categories of data sold or disclosed to third parties. Notably, one organization was cited for having a privacy policy that contained legal jargon that the AG’s office felt was difficult for consumers to understand.

Several organizations failed to give notice at the collection of personal information, while another failed to give notice regarding financial incentives. Others failed to include required notices in their privacy policies.

OneTrust Policy and Notice Management helps organizations simplify the process of creating, updating, and managing privacy policies. OneTrust eliminates the manual processes of tracking policies across websites and apps, enabling organizations to centrally manage and update policies across their digital landscape while eliminating the need for custom coding and manual backend development processes.

  2. Inadequate or Non-Existent Do Not Sell Links and Processes

There were several examples of issues regarding the Do Not Sell link. Some organizations had broken links that needed to be remedied for consumer use. Others failed to include the link on the organization’s homepage.

One organization required separate opt-outs for each business under its portfolio; this organization had to streamline its processes for handling these opt-outs across several organizations. Another organization improperly required both the creation of an account and identity verification for a request to opt out.

OneTrust CCPA Compliance Solutions offer default cookie banners that reflect the requirements of the CCPA. OneTrust’s solutions for CCPA can display different cookie banners with different consent models depending on the website visitor’s location by using geolocation. These banners can be customized to include a “Do Not Sell My Personal Information” link in line with the CCPA.

  3. Lack of Consumer Request Methods

Several organizations failed to disclose the methods by which consumers could exercise their rights under the CCPA. Others listed request methods that did not function. Several organizations failed to include toll-free numbers in their methods for exercising consumer rights.

OneTrust Privacy Rights Request (DSAR) automation streamlines the DSAR fulfillment process from start to finish with automated data discovery and redaction capabilities. OneTrust also offers a CCPA Toll-Free Number solution to help businesses add a phone workflow into their privacy rights request process.


As noted above, the AG’s office has taken note of a variety of compliance issues and has informed many companies in a variety of sectors about the areas of non-compliance that need to be addressed. Notably, all the examples outlined in the AG’s report ended with the organization fulfilling its compliance obligations. CCPA compliance can be tricky, and many organizations, as seen here, struggle with similar issues. However, OneTrust’s CCPA Privacy Management Software can help businesses operationalize and automate their obligations under the CCPA and address common compliance issues such as opt-out of sale, consumer rights, and privacy governance operations.
