California AG's aggressive CCPA enforcement against Sling TV Skip to main content

California attorney general continues aggressive CCPA enforcement against Sling TV

California attorney general continues aggressive CCPA enforcement against Sling TV

| | |
  1. HOME
  2. INSIGHTS

Overview

The California attorney general (CA AG) recently announced a settlement with Sling TV for alleged violations of the California Consumer Privacy Act (CCPA) and Unfair Competition Law (UCL). Sling TV is required to pay a $530,000 fine and implement remedial measures.

The resolution with Sling TV continues the trend of the CA AG staking out aggressive CCPA compliance positions that require material operational changes beyond typical market practices – such as “one-click” opt-outs and webform styles that many consent management platforms do not support. Companies should take this opportunity to review and meaningfully update CCPA compliance efforts, particularly processes for presenting and honoring data subject rights, and heightened rules for children’s data.

In Depth

Allegations

The CA AG alleged several violations of the CCPA and UCL by Sling TV, focusing on “Do Not Sell or Share” compliance and children’s privacy. The key allegations against Sling TV include:

  1. Sling TV allegedly made it difficult to fully opt out of all “sales” and “sharing” of personal information. Like many businesses, Sling TV provided consumers two methods to opt out of sales and sharing under CCPA: i) a cookie preference center to opt out of “sales” or “sharing” done through cookies and similar technologies (cookies) and ii) a webform to opt out of noncookie sales and sharing. The CA AG asserted, however, that CCPA prohibits such a bifurcated approach. The CA AG also took issue with Sling TV allegedly asking consumers to confirm their opt-out requests.
  2. Sling TV allegedly required logged-in consumers to complete the opt-out webform. The CA AG alleged that Sling TV should have used known information of logged-in consumers to complete their requests to opt out of sales and sharing rather than requiring them to complete the webform.
  3. Sling TV allegedly did not provide a sales and sharing opt-out form on its TV app. The CA AG alleged that Sling TV failed to allow sales and sharing opt-out requests through its TV app, which is where the majority of consumers access Sling TV. Sling TV instead directed consumers to the website cookie preference center. In addition to not being an in-app method, the website cookie preference center did not opt consumers out of in-app sales and sharing.
  4. Sling TV allegedly did not obtain opt-in consent to sell and share the personal information of children allegedly known to be under age 16. The CA AG alleged that Sling TV knowingly sold and shared personal information of children under age 16 without consent (from parents for children under 13 or from children aged 13–15 directly).

Required remediation

Under the resolution with the CA AG, Sling TV is required to i) implement a clear, conspicuous, and easy-to-use method to opt out of all sales and sharing on Sling TV’s website, mobile apps, and TV apps; ii) allow logged-in users to opt out of the sale or sharing of data without completing a webform; iii) provide an opt-out mechanism within the Sling TV app; iv) allow parents to designate one or more user profiles as a “kid’s profile” that defaults off the sale and sharing of personal information and targeted advertising; and v) delete already collected personal information from or about children known to be under age 16.

What should you do?

Many companies will need to change their current practices to comply with the CA AG’s requirements. Fully implementing all of these measures could require significant development lead time, so you should start to explore your options as soon as possible. Key action items include:

  1. Minimize methods and effort required to exercise opt-out rights. When you are “selling” and “sharing” information through more than just your use of third-party cookies, use a single webform to opt consumers out of all sales and sharing of personal information, through both cookies and other methods.
  2. Allow logged-in users to opt out with a click or link. Logged-in users should not be required to, for example, provide their name or email in order to opt out.
  3. Offer an opt-out method through the primary method of interacting with consumers and through other “sales” channels. Consumers should be able to opt out of sales and sharing through the primary channel through which they interact with you (e.g., app, website) and all the channels through which you sell or share personal information (e.g., if you sell personal information through a mobile app, consumers should be able to opt out through the app).
  4. Stay on top of children’s privacy practices. Children’s privacy is an enforcement priority for nearly every US regulator, with multiple new age-disclosure laws set to come into effect in the near future. Now is the time to thoroughly vet your children’s privacy practices to ensure they comply with existing and upcoming state and federal requirements.

For more information and strategies to address these requirements, please contact the authors or your regular McDermott Will & Schulte contact.

Stay Connected

Subscribe Follow us on LinkedIn Get in touch

Authors

Jonathan Ende
Partner | Washington, DC
/ +1 202 756 8768
View Profile >

Elliot R. Golding
Partner | Washington, DC
/ +1 202 756 8185
View Profile >

David P. Saunders
Partner | Chicago
/ +1 312 803 8305
View Profile >