Photo of Sheila Millar, Photo of Tracy Marshall

Online opinions – and not just from celebrities – are big business. Consumer reviews can be highly influential in convincing other shoppers to buy a product. In fact, the founder and CEO of Sunday Riley Modern Skincare LLC (Sunday Riley Skincare) was so convinced about the power of those starred reviews on cosmetics chain Sephora’s website that she allegedly asked her employees to make up a few to boost the company’s ratings. The result? A complaint from the Federal Trade Commission (FTC) for false advertising.

The FTC’s complaint asserts that between November 2015 and August 2017, the company’s CEO, Sunday Riley, and her managers directed staff to post reviews of Sunday Riley Skincare products on Sephora’s website using false accounts. When Sephora caught on to the fake reviews and pulled them down, the company obtained a VPN IP address to mask its employees’ real identity from Sephora. The complaint goes on to assert that the CEO sent staff an email in which she told everyone to “create 3 accounts on Sephora.com, registered as different identities.” She then gave explicit instructions on how to set up the fake accounts and leave reviews, even going so far as to coach employees on how to make the reviews convincing. The FTC charged Sunday Riley Skincare and Sunday Riley individually with making false or misleading claims and with failure to disclose a material connection with endorsers, in violation of Section 5 of the FTC Act.

In a 3-2 vote, the FTC approved a final settlement with the company that bars it and the company’s CEO from misrepresenting the status of anyone reviewing the company’s products, including implying that employees of the company are ordinary customers. The company must also clearly and conspicuously disclose any unexpected material connection between endorsers and the company or CEO, and the order provides specific details on how to do so in various media.

Commissioners Rohit Chopra and Rebecca Kelly Slaughter voted no. Commissioner Chopra, joined by Commissioner Slaughter, published a statement in which he argues that Sunday Riley Skincare should be subject to monetary fines because of “egregious fake review fraud.” He also recommended that the FTC publish a Policy Statement on Equitable Monetary Remedies, restate legal precedent into rules, seek civil penalties against violators, and designate specific misconduct as penalty offenses under FTC authority.

FTC Chairman Joseph Simons and Commissioners Noah Phillips and Christine Wilson, voting yes, also issued a statement. Regarding the failure to impose monetary penalties, they note that “the expenditure of resources needed to develop an adequate evidentiary basis reasonably to approximate ill-gotten gains may substantially outweigh any benefits to consumers and the market.” Instead, they contend that the order is a sufficient deterrent against future unlawful behavior by the company and its CEO because it “holds Ms. Riley personally liable, prohibits both Ms. Riley and Sunday Riley Modern Skincare from making future misrepresentations (including through fake reviews), and requires them to instruct employees and agents about their legal responsibilities. Each violation of the order could result in a civil penalty of up to $42,530.”

Settlement agreements with the FTC – even where no monetary penalties are assessed – have real consequences for businesses. The Sunday Riley Skincare agreement is no exception, binding both the company and its CEO to adhere to specific requirements for 20 years, with the potential for fines for future violations. The company in this case was not simply careless in dealing with endorsers, but actively urged employees to post fake reviews and “dislike” negative reviews in an effort to get them removed. The Sunday Riley Skincare settlement demonstrates that fake reviews come with real legal consequences.

 

Photo of Sheila Millar, Photo of Tracy Marshall

The EU-U.S. Privacy Shield Framework, which provided a mechanism to legally transfer personal information from the EU to the United States, was invalidated on July 16, 2020, but the Federal Trade Commission (FTC) has made it clear that companies that claimed to be participants must still make good on their word. A case in point is the FTC’s recent settlement with NTT Global Data Centers Americas, Inc. (NTT) over charges that the company misrepresented its participation in the EU-U.S. Privacy Shield Framework after its certification had lapsed in January 2018. Businesses that transfer personal information from the EU to the United States rely on representations by service providers such as NTT that they comply with established privacy principles and that an approved adequacy mechanism is in place to facilitate such transfers.

The settlement terms bar NTT from misrepresenting in any way its participation in or adherence to any privacy or data security program. They also require NTT to apply Privacy Shield or equivalent protections to all personal information the company collected during its membership in the framework or return or delete that information. The FTC has taken similar action against other companies over the years, and this decision reaffirms the importance of ensuring that claims about participation in the Privacy Shield, or any other privacy program, are made only when an application has been approved and a certification is current. All references to certification must be promptly deleted from privacy policies and other materials if a certification has lapsed.

The Commission vote to finalize the settlement with NTT was 3-1-1. Commissioner Rebecca Kelly Slaughter did not take part, and Commissioner Rohit Chopra voted no and issued a statement in which he pressed the Commission to impose monetary fines on companies that mislead consumers about their participation in privacy programs.

Whether the FTC imposes heavier sanctions down the road or not, damage to reputation can cost a company dearly. The FTC’s settlement with NTT is also a reminder of the importance of “trust but verify.” The U.S. Department of Commerce’s Privacy Shield list provides a way to double check that an organization’s representations about compliance are true. The vast majority of Privacy Shield participants take their obligations seriously. The FTC’s focus on the few organizations that do not remain current in their Privacy Shield commitments enhances the reliability of the Privacy Shield even as discussions continue on possible alternative adequacy mechanisms to address data transfers from the EU to the United States.

Photo of Sheila Millar, Photo of Tracy Marshall

The Federal Trade Commission (FTC) recently announced settlements with two online companies for allegedly misleading customers about automatic membership renewal costs. On September 2, 2020, the FTC announced that Age of Learning, Inc., d/b/a ABCmouse, will pay $10 million to settle charges that the company enrolled thousands of consumers in a negative option scheme to which they did not consent, and also misrepresented its cancellation process. Less than three weeks later, on September 22, the FTC announced that online supplement manufacturer NutraClick LLC and two of its individual officers settled with the FTC for $1.04 million over allegations the company violated an earlier consent order that required it to fully disclose the terms of its negative option membership program to customers.

The FTC charged both companies (and the individual defendants in the NutraClick case) with violating two laws: (1) Section 5 of the FTC Act, which prohibits misleading or deceptive statements; and (2) Section 4 of the Restore Online Shoppers’ Confidence Act (ROSCA), which bans online negative options unless the seller (a) clearly discloses all material terms of the deal before obtaining a consumer’s billing information, (b) gets the consumer’s express informed consent before making the charge, and (c) provides a simple mechanism for stopping recurring charges. The FTC also charged NutraClick with violating the Telemarketing Sales Rule, which prohibits deceptive telemarketing acts (the company advertised its “free trials” via text as well as online).

ABCmouse is a membership-based online educational company that offers reading, math, and other scholastic content for children two to eight. According to the FTC’s complaint, from 2015 through at least 2018, the company failed to adequately disclose key terms of its membership program, as required by ROSCA. The company also allegedly neglected to inform customers that their yearly membership, priced at $59.95, would automatically renew for another year at the same price unless users cancelled. And, while the company promised “easy cancellation” in its ads, the reality was anything but. Not only was the cancellation process overly complicated, hundreds of thousands of consumers who had purchased a membership and attempted to cancel later learned they were still enrolled.

The FTC 2020 complaint against NutraClick alleged that the company violated a 2016 order that required the company to disclose the material terms of its membership programs to customers. According to the FTC’s 2016 complaint, NutraClick advertised “free” samples of beauty products and nutritional supplements, but by ordering these samples, customers were unwittingly enrolled in a membership program and charged recurring monthly fees ranging from $29.99 to $79.99 unless they cancelled within 18 days. The FTC claimed that while NutraClick’s websites did contain statements about the monthly membership fee, the statements were not “clear and conspicuous,” as required by ROSCA. Because it was not upfront with its customers about its billing practices, more than 70,000 consumers reportedly complained about NutraClick’s practices.

In addition to the $10 million monetary judgment, the ABCmouse stipulated final order requires the company to disclose all information related to its negative option plans and clearly explain key terms, obtain consumers’ informed consent before enrolling them in automatic billing, and provide an easy means of cancellation. The stipulated final order against NutraClick permanently bans the company from engaging in any negative option marketing. NutraClick was also ordered to pay $1.04 million in a separate proposed contempt order.

The Commission voted 4-0-1 to authorize staff to file the complaint and proposed order against ABCmouse. Commissioner Rebecca Slaughter did not participate, and Commissioner Chopra issued a separate statement in which he pointed to ABCmouse’s “unlawful dark patterns” of deceptive negative options and “unethical” and “illegal” behavior, characterizing the company as a “roach motel.” Commissioner Chopra mentioned a number of tools at the FTC’s disposal to “root out the kinds of tricks and traps” employed by ABCmouse, including ROSCA, the FTC Act, and the CAN-SPAM Act, which prohibits deceptive headers and requires marketers to give consumers an easy way to opt out of future emails.

The FTC continues to pay close attention to online negative option schemes. Brands should be careful to adhere to the terms of ROSCA before enrolling customers in membership programs and charging recurring membership fees.

Photo of Sheila Millar, Photo of Boaz I. Green

Interested in environmental marketing? Do you make and sell plastic products? Partner Sheila Millar and Counsel Boaz Green discuss a bill likely to become law in California that further restricts environmental marketing claims for plastic products sold in California. AB 2287 would expand restrictions on plastic degradability claims by effectively banning marine degradable claims. Read the full article.

Photo of Sheila Millar, Photo of Tracy Marshall

More than 160 million Americans play video games. Originally designed as single-use purchases for consoles or computers, video games are now downloadable, making them more accessible to consumers than ever. One important development for the video game industry has been the creation of “micro purchases” – in-game transactions such as “loot boxes” that players can either buy for a small fee or win through playing. Micro purchases have become a multibillion-dollar market and make up a substantial portion of video game profits. The Federal Trade Commission (FTC) discussed loot boxes and other issues related to in-game purchases in a new staff perspective paper, which offers key takeaways from the FTC’s August 2019 “Inside the Game” workshop and subsequent public comment period.

The purpose of the workshop was to bring a variety of stakeholders together to discuss emerging research on the potential pitfalls of microtransactions, including how they affect children and teens and people with addictive behaviors, disclosure issues, and marketing and monetization techniques. The paper points out that in the United States the video game industry is largely self-regulated through disclosures, including the Entertainment Software Rating Board (ESRB) rating system, parental game controls, and consumer education. However, some panelists at the workshop voiced concern over how microtransactions affect children, who are “vulnerable to manipulation and social pressure, or may not fully understand the cost of the transaction,” despite self-regulatory controls. Following the workshop, in April of 2020, ESRB announced a new disclosure regarding in-game purchases for any game “where the player does not know which specific digital good or premium they will receive at the time of purchase, such as loot boxes and mystery rewards.” The ESRB designation for loot boxes is “In-Game Purchase (Includes Random Items).”

Key issues the FTC identified include:

  • Disclosures: Loot box monetization techniques can mask the real costs to players through confusing details or visuals designed to keep players invested in gameplay.
  • Pressure to spend: Interactive games may pressure players to spend money to avoid letting teammates down or to appear more competitive. Players can get sucked into greater spending than they are perhaps aware. Some video games use pay-to-win tactics, while other games promote loot box purchases that, according to the FTC, may yield disappointing, low-value items. Free games appear to have some of the more problematic microtransactions and loot boxes.
  • Children: Some panelists felt it is difficult for parents to understand how their children interact with video games.
  • In-game spending: Some games use their own made-up currencies rather than real money, which can make it hard for players to keep track of the real cost of every transaction, and “even when a real money cost is disclosed, it may not adequately explain how much a player can expect to pay after the initial transaction.”
  • Content Creators/influencers: There is a growing trend of game players with millions of fans who follow their gaming online. The staff report raised a question of whether content creators may be given better odds by the publisher for promotional purposes than odds given to the general public.

Panelist and commenter recommendations include:

  • Improved industry self-regulation, particularly more detailed disclosures for both players and parents.
  • Possible modification of the ESRB rating for games with loot boxes or creation of a new rating.
  • Disclosure of loot box odds, particularly if a game uses odds that can vary by player or time.
    • Some participants suggested creating in-game purchase disclosures that detail in-game microtransactions.
  • Disclosure by content creators of material connections between themselves and the products they recommend, per the FTC’s Endorsement Guides (recognizing that livestream formats and an inability of content creators to control platforms may be an impediment).
  • Improved consumer education.
  • Additional self-regulatory measures such as a website detailing types of microtransactions, displaying in-game spending in real currency, and making loot box items available for direct purchase.

Industry is looking at the issues the FTC raised, and the fact that ESRB has acted quickly to expand its rating system to address in-game purchases and loot boxes illustrates the ability of self-regulatory organizations to respond quickly to challenges raised by new technologies.

Photo of Sheila Millar, Photo of JC Walker

Marketing products as environmentally friendly can induce customers to pay higher prices than they would for other goods. But when promises of lower emissions or higher insulation ratings prove false, that hurts consumers, and the Federal Trade Commission (FTC) steps in. The FTC recently concluded its four-year-long false advertising case against Volkswagen and Porsche – the biggest in FTC history – for making deceptive claims about the air emissions levels of their vehicles when they were, in fact, fitting them with illegal devices designed to cover up the real level of emissions. The FTC’s Final Status Report, filed with the U.S. District Court for the Northern District of California on July 27, 2020, stated that, under FTC orders, Volkswagen and Porsche paid out some $9.5 billion to compensate affected customers.

Two days later, on July 29, the FTC filed complaints against Superior Products International II, Inc., SPM Thermo-Shield, Inc., F & G International Group Holdings, LLC and FG International, LLC, and SuperTherm, Inc. in federal court for making unsubstantiated and/or deceptive claims about their paint coatings’ R-values. Because the companies referred to R-values, the complaints referred to the FTC Trade Regulation Rule Concerning the Labeling and Advertising of Home Insulation (commonly referred to as the R-value Rule). The R-value Rule sets out detailed standards and test methods for calculating a product’s R-value and lays out requirements for making energy savings claims. The greater the R-value, the greater the potential energy bill savings to consumers – assuming the stated R-value is real.

In each complaint, the FTC alleges the companies made claims that their coating products had high R-values they could not substantiate. Superior Products and principal Joseph E. Pritchett made statements dating back at least to 2008 in their brochure as well as on their website, in ads, and in a patent application to the U.S. government that the company’s coatings would save consumers “between 40% and 70% on their energy bills,” when the products actually had an R-value considerably lower than advertised. Similarly, SPM Thermo-Shield, Inc., and its principals Peter J. Spiska and George P. Spiska marketed Thermo-Shield Roof Coat, Thermo-Shield Exterior Wall Coating, and Thermo-Shield Interior Wall Coating with false R-values, claiming their coating products offered significant energy savings for consumers when the actual R-value was less than one. F & G International Group Holdings, LLC, FG International, LLC, and their principal J. Glenn Davis also claimed that their FGI-4440 Insulation Coating had a high R-value when, again, the true R-value number was less than one.

The FTC is seeking a permanent injunction against the paint companies to prevent future violations, plus other equitable relief as the court sees fit. This is a far less punitive approach than the Commission’s settlement orders in the Volkswagen-Porsche case, which required the companies to pay consumers the full retail value of their cars plus all other losses they suffered due to the companies’ deceptive advertising, and likely reflects the scale of the deception and number of consumers affected.

Photo of Sheila Millar, Photo of Tracy Marshall

Protecting the online privacy of children by enforcing the Children’s Online Privacy Protection Act (COPPA) continues to be of paramount importance to federal and state regulators. In addition to the Federal Trade Commission (FTC), several state attorneys general (AGs) have brought COPPA actions recently, including the New Mexico and California AGs, and, most notably, the New York AG, who in 2019 worked in concert with the FTC to obtain a record civil penalty against YouTube for alleged COPPA violations. The latest COPPA enforcement action comes from Washington State AG Bob Ferguson, who announced a $100,000 settlement with California-based technology company Super Basic LLC and its parent company, Maple Media LLC, on June 24, 2020.

COPPA applies to operators of websites and online services that collect personal information from children, defined as under 13. Operators may not collect personal information from children without first obtaining verifiable parental consent. AG Ferguson charged that the social media platform We Heart It, operated by Super Basic and Maple Media, collected and disclosed children’s personal information without parental consent, in violation of COPPA. The complaint also asserted that the conduct amounted to an unfair or deceptive business practice under the Washington Consumer Protection Act.

According to the AG’s complaint, We Heart It, which has some 500,000 active monthly users across the United States, hosts a number of channels whose content is designed to appeal to children, such as fan pages for Disney, Harry Potter, DC Comics, and Pokemon. The platform also has its own website where users can create an account and profile, and the default setting on the platform meant that user profiles, including those of children, were public and could be seen by any user. When an account was created, We Heart It collected an email address, name, and username, as well as persistent identifiers, including cookies, IP address, iOS advertising ID, and Android advertising ID. It also permitted third party advertising networks to collect persistent identifiers. In addition, We Heart It collected metadata from uploaded photos that sometimes included geolocation data. The AG contended that the platform did not implement an age gate or obtain parental consent prior to the collection of children’s personal information.

In addition to the $100,000 settlement, Super Basic and Maple Media will be subject to $400,000 in penalties if the companies violate the terms of the consent decree. On top of the fine, the consent decree mandates that the companies set up an age gate to prevent children under 13 from creating accounts without parental consent, and the companies must delete or remove any information collected from children under 13 immediately upon learning that an age gate has been breached. The consent decree requires that the companies operate within the rules of COPPA, including by providing direct notice to parents of the companies’ data collection and disclosure practices; obtaining verifiable parental consent prior to collecting personal information from children under 13; deleting children’s personal information upon request from a parent; and retaining children’s personal information no longer than necessary to achieve the purpose for which it was collected. In addition, the companies must audit users’ profiles, tags, posts, and activity where content is relevant to or directed to children or where the companies have actual knowledge of use by children. Super Basic and Maple Media must also submit a detailed compliance report to the AG’s Office within 15 months.

The FTC’s determination in the FTC-YouTube settlement that a general audience platform has responsibilities under COPPA if content channels are directed to children has obviously caught the attention of regulators at both the national and state level. Protecting the online privacy of children by enforcing COPPA continues to garner intense interest in the age of COVID-19, particularly when many children are engaging more than ever with digital media. It is therefore unsurprising that state AGs are watching closely whether platforms that may attract children are complying with COPPA.

Photo of Sheila Millar

The Federal Trade Commission (FTC) has for some years targeted deceptive Made in USA claims as an enforcement priority, as we have previously discussed (see our most recent blog post on Made in USA here). Since 1999, the FTC has brought 28 enforcement actions against companies falsely claiming their products were American made. The Commission also sent closing letters to more than 150 businesses after they agreed to remove the offending statements.

Even though Made in USA cases frequently attract FTC scrutiny, no existing federal rule specifically governs such claims, although Congress authorized FTC rulemaking to address Made in USA claims on “labels or equivalent thereof” when it enacted Section 45a of the FTC Act. Instead, the FTC’s 1997 Enforcement Policy Statement on U.S.-Origin Claims and its consent agreements and closing letters offer guidance to marketers about when the Commission believes an unqualified “Made in USA” claim may deceive consumers. In the wake of a workshop held last year on such claims, on June 22, 2020, the FTC posted a Notice of Proposed Rulemaking that would codify the Enforcement Policy Statement principles for all Made in USA claims.

The proposed Rule would bar companies from making unqualified Made in USA claims unless the company can show that the advertised product satisfies the following three criteria:

1) final assembly or processing of the product occurs in the United States

2) all significant processing that goes into the product occurs in the United States

3) all or virtually all ingredients or components of the product are made and sourced in the United States

The proposed Rule, if adopted, would apply not only to labels, but also to mail order catalog and mail order promotional material, defined to include “any materials, used in the direct sale or direct offering for sale of any product or service, that are disseminated in print or by electronic means, and that solicit the purchase of such product or service by mail, telephone, electronic mail, or some other method without examining the actual product purchased.” The proposed Rule would not preempt federal or state statutes or regulations relating to country-of-origin labels, except and to the extent such laws or regulations are inconsistent with the Rule. States whose protections are greater than the proposed Rule’s provisions would not be considered inconsistent.

Businesses that violate the Rule’s requirements would face civil penalties.

The proposed rulemaking follows publication of a staff report on the FTC’s Made in USA workshop, held last fall. Staff noted in the report that consumer research and feedback from thousands of workshop attendees made clear that a large number of consumers expect that products that advertise “Made in USA” are 100% homegrown, including all parts and ingredients.

The Commission vote approving publication of the proposed Made in USA Labeling Rule Federal Register notice was 4-1, but several Commissioners issued dissenting or separate statements addressing whether the scope of the proposed rule was consistent with the FTC’s statutory authority under Section 45a.

Commissioner Noah Joshua Phillips dissented and issued a statement in which he voiced the opinion that the proposed Rule overstepped the Commission’s authority under this provision, which applies to Made in USA “labels,” or “equivalent thereof.” Specifically, Commissioner Phillips objected to the addition of mail order catalogs and advertising in the Rule.

Commissioner Christine Wilson approved issuing the Notice of Proposed Rulemaking, but agreed with Commissioner Phillips, commenting, “I support seeking comment on this proposed rule, but write separately to emphasize that the decision to issue an NPRM seeking comment does not prejudge the outcome of the process, which must observe the boundaries of our statutory authority.” She noted her reluctance to leave to the courts the question of whether the FTC overstepped its statutory authority and highlighted express language in Section 45a limiting application to “labels.”

In contrast, Commissioner Rohit Chopra argued that the Rule should have wide reach, including mail order advertising. In fact, he expressed the view that Made in the USA fraud should be subject to “a broader prohibition.”

Comments will be accepted on any aspect of the proposed Rule, including the scope of the Commission’s authority to issue a rule governing claims that may not constitute “labeling,” within 60 days after publication in the Federal Register. As of this posting, the proposal has not been published, but publication is expected soon.

Photo of Sheila Millar, Photo of Tracy Marshall

A recent Federal Trade Commission (FTC) settlement with an online game company that allegedly tracked children illegally highlights some important questions, namely, how should the FTC assess the penalties it imposes for privacy violations, and what is the most effective way to both deter and punish companies for such violations?

The complaint in question was filed by the Department of Justice (DOJ) on behalf of the FTC. It charged mobile game developer Hyperbeard, Inc. and its principals with allowing third-party ad trackers to collect children’s personal information without first obtaining verifiable parental consent, in violation of the Children’s Online Privacy Protection Act Rule (COPPA Rule). The COPPA Rule requires that websites and online service providers obtain verifiable parental consent before collecting personal information from children under 13. The FTC alleged that Hyperbeard not only knew that children were using its apps, which used animated animal cartoon characters and child-friendly language, but also created products specifically for kids based on the characters. Hyperbeard also neglected to tell its ad networks that the apps were often child-directed and therefore subject to COPPA, according to the complaint.

The proposed settlement, which bars Hyperbeard and its officers from collecting, benefitting from, or using personal information from children under 13, included a civil penalty of $4 million, which was reduced to $150,000 because of Hyperbeard’s inability to pay. This amount is less than 4% of the stated civil penalty. While the FTC voted 4-1 in favor of the stipulated final order, the outcome sparked a disagreement between FTC Chair Joe Simons and Commissioner Noah Phillips over penalties. Commissioner Phillips and Chairman Simons both issued statements outlining considerations that should underpin the FTC’s approach to remedying and deterring privacy violations.

In his dissent, Commissioner Phillips took a harms-based stance, arguing that the initial $4 million penalty was excessive in relation to the extent of consumer harm caused by Hyperbeard’s violations of the COPPA Rule. Phillips decried what he described as a “recent push to heighten financial penalties even where the law permits only equitable relief, without clear direction other than to maximize the amount in every case,” which he views as potentially unfair and counterproductive – a position he also took regarding YouTube’s settlement with the FTC last September. Chairman Simons addressed Commissioner Phillips’s criticisms directly with a statement of disagreement. Simons expressed the view that the $4 million fine was appropriate because, while harm was an important factor, deterrence was the key priority. “If our goal is to make compliance more attractive than violation, we should also consider the cost and effect of the other sanctions imposed in the context of an enforcement action,” he wrote.

Protecting privacy and safeguarding sensitive information – particularly where children are concerned – are vital goals of the FTC, and those goals are shared by responsible businesses. But in crafting public policy, it is equally important that penalties for alleged privacy violations are appropriate and consistent. The debate over whether a harms-based or deterrent approach should prevail is not likely to be resolved soon, and is part of a larger conversation about how to balance competing public policy considerations where privacy violations are concerned that is likely to play out in continued legislative discussions as well as within the FTC.

Photo of Sheila Millar, Photo of Tracy Marshall

On June 1, 2020, California Attorney General Xavier Becerra submitted the final package of regulations implementing the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL) for approval. The regulations reflect key CCPA compliance obligations for businesses, including specific actions that must be taken to allow consumers to exercise their rights under the law. Substantively, the regulations remain unchanged from the last draft submitted in March of this year. To learn more about the final regulations and what businesses might expect in terms of CCPA enforcement, read our analysis here.