On March 10, 2025, the Office of the Attorney General of California (CAAG) announced an enforcement sweep of the California Consumer Privacy Act (CCPA) focused on the location data industry. Attorney General Rob Bonta stated that this sweep is intended to bolster the privacy rights of California residents in light of recent federal actions targeting undocumented immigrants, abortion, and gender-affirming healthcare.
Background
The CCPA imposes numerous requirements on businesses that collect personal information, including the requirements to notify consumers of the types of personal information collected, the purpose of such collection, and whether that information is sold or shared.
Further, the CCPA bestows on California consumers numerous rights over their personal information, including sensitive personal information such as geolocation data. For example, a consumer has the right to direct a business collecting their geolocation data to limit its use and sharing of such data to what is necessary (as defined in the CCPA) to provide the products or services.
Takeaways
Businesses that collect data of California residents should review their data policies and procedures carefully for CCPA opt-out compliance. Opt-out compliance refers to the ability of the consumer to (i) understand the business’s use of their data and (ii) request that they limit their use or sharing of such data. In particular, businesses should ensure the following:
- Make sure consumers know when, what, and why data is being collected. This is particularly important when sensitive personal information such as geolocation data is collected. Consumers must know when data is being collected and the types of data collected so that they can exercise their rights under the CCPA. Knowing the business’s purpose for data collection enables the consumer to make a fully informed decision about their data, which can also benefit the business by fostering a sense of transparency.
- Make sure to comply with consumer requests to limit the use or sharing of data. The CCPA prohibits businesses from using or disclosing sensitive personal information (beyond certain statutory exceptions) after receiving a consumer request to refrain from such activities. Therefore, failure to comply with the consumer’s request without a statutory exception violates the law.
Businesses receiving an investigation letter from the CAAG should contact counsel immediately and work with their internal and external teams to begin preparing their responses. Those with additional or related questions about the implications of this sweep or how to comply with the CCPA may contact Lowenstein Sandler’s Data, Privacy & Cybersecurity practice at privsec@lowenstein.com.