Technical CCPA Violations Result in $345,178 Fine from California Privacy Protection Agency

The California Privacy Protection Agency (CPPA) Board has issued a Stipulated Final Order against Todd Snyder, Inc., a clothing retailer, ordering Todd Snyder to pay a $345,178 fine and implement various changes to its privacy program to resolve allegations from the CPPA that it violated the California Consumer Privacy Act (CCPA).

High-Level Summary of the Allegations

The CPPA alleged that Todd Snyder violated the CCPA in the following ways:

  • Todd Snyder’s consumer privacy request process collected much more information than necessary to fulfill privacy requests (including sensitive personal information), and applied an unlawful verification standard to requests from consumers to opt out of the sale or sharing of their personal information; and
  • Todd Snyder failed to oversee and properly configure its third-party provided consumer privacy request portal for 40 days.

Key Lessons and Takeaways for Businesses

Businesses cannot offload their privacy compliance to third-party privacy management solutions and are ultimately responsible for the functionality (or non-functionality) of such solutions and tools. In a press release announcing the order, Michael Macko, head of the CPPA’s Enforcement Division, noted “Using a consent management platform doesn’t get you off the hook for compliance,” and “...the buck stops with the businesses.”

Even relatively brief compliance gaps can get businesses into trouble with the CPPA. Here, the CPPA cited certain non-compliance that occurred over just a 40-day period.

Businesses should carefully align their consumer privacy request processes with the CCPA, including the technical functionality of the processes, as well as the information that is collected through those processes. Businesses cannot, and should not, trust that their third-party privacy management solutions will get it right.

What Went Wrong?

Opt-Out Request Process Lapsed for 40 Days

The CPPA alleged that Todd Snyder installed third-party tracking software on its website, including cookies, pixels, and other technologies that automatically send data about consumers’ online behavior to third-party companies for various purposes, including analytics and cross-context behavioral advertising. The issue, according to the CPPA, was that the opt-out mechanism on Todd Snyder’s website, where consumers were told they could opt out of such technologies, was not properly configured for a 40-day period. During the 40-day period at issue, when consumers clicked a “Cookie Preferences Center” link, a consent/cookie banner appeared on screen but immediately disappeared – making it impossible for consumers to opt out of the sale/sharing of their personal information. This also meant that opt-out preference signals, such as the Global Privacy Control, were not processed by Todd Snyder.

The CPPA noted that Todd Snyder would have known that consumers could not exercise their CCPA rights if the company had monitored its website – but instead, according to the CPPA, Todd Snyder relied on its third-party privacy management tools without knowing their limitations or validating their operation.
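A minimal synthetic check for the two failure modes described above (a consent banner that vanishes before the consumer can act, and a Global Privacy Control signal that is received but not acted on), added here as an illustration; it is not code from the order or from Todd Snyder’s website. The event trace, the one-second visibility threshold, the `saleSharingDisabled` flag and all function names are assumptions.

```javascript
// Assumed (hypothetical) threshold: a banner that is gone in under 1 s cannot be used.
const BANNER_MIN_VISIBLE_MS = 1000;

// Walk a trace of banner lifecycle events (recorded by a synthetic monitor) and
// flag the pattern in the order: shown, then hidden with no user action.
function evaluateBannerTrace(events) {
  const findings = [];
  let shownAt = null;
  for (const e of events) {
    if (e.event === 'banner_shown') {
      shownAt = e.t;
    } else if (e.event === 'banner_hidden') {
      if (shownAt === null) {
        findings.push('hidden_without_shown');
      } else if (!e.userAction && e.t - shownAt < BANNER_MIN_VISIBLE_MS) {
        findings.push(`vanished_after_${e.t - shownAt}ms`);
      }
      shownAt = null;
    }
  }
  return findings;
}

// GPC is an opt-out request in its own right: honor it from the Sec-GPC request
// header (Node lowercases header names) or the browser flag, with no verification step.
function gpcOptOutRequested({ headers = {}, navigatorGpc = false } = {}) {
  return String(headers['sec-gpc'] ?? '').trim() === '1' || navigatorGpc === true;
}

// One verdict for a monitoring run: banner usability plus whether a received GPC
// signal actually disabled sale/sharing (saleSharingDisabled is an assumed input
// reported by the site's tag configuration).
function auditOptOutFlow({ events, headers, navigatorGpc, saleSharingDisabled }) {
  const findings = evaluateBannerTrace(events);
  if (gpcOptOutRequested({ headers, navigatorGpc }) && !saleSharingDisabled) {
    findings.push('gpc_signal_ignored');
  }
  return { ok: findings.length === 0, findings };
}

// Constructed sample trace reproducing the lapse: shown at t=0, gone at t=120 ms, no click.
const SAMPLE_TRACE = [
  { t: 0, event: 'banner_shown' },
  { t: 120, event: 'banner_hidden', userAction: false },
];

console.log(auditOptOutFlow({
  events: SAMPLE_TRACE, headers: { 'sec-gpc': '1' }, saleSharingDisabled: false,
}));
```

Running the sample yields `ok: false` with both findings, which is the alert a monitor would have raised during the 40-day window.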

Unlawful Privacy Request Verification Standards

The privacy portal on Todd Snyder’s website through which consumers could submit privacy requests required consumers to provide their first and last name, email, country of residence, and a photograph of the consumer holding the consumer’s “identity document” (such as a government identification), regardless of the type of privacy request. Identity documents often included driver’s licenses, state identification cards, and passport information, which are considered “sensitive personal information” under the CCPA – and should not have been necessary to submit in order to exercise a request to opt out of the sale/sharing of personal information. The CPPA pointed out that the CCPA prohibits businesses from requiring consumers to verify themselves before processing requests to opt out of the sale/sharing of their personal information – at most, businesses may ask consumers for information necessary to complete the request, such as information necessary to identify the consumer within the business’s systems.

The CPPA also looked more broadly at Todd Snyder’s privacy request verification process and found that Todd Snyder’s requirement that consumers submit highly sensitive personal information, such as government identification documents, violated the CCPA. The CPPA cautioned that businesses must avoid collecting this type of information unless necessary for verification purposes. To really drive the point home, the CPPA noted that consumers could make a purchase on Todd Snyder’s website without ever submitting government identification – but could not exercise their privacy rights without providing it. In the CPPA’s view, this dissuaded consumers from exercising their privacy rights due to privacy concerns over the potential for identity theft.

Penalties, Fines, and Remediation

Todd Snyder will pay $345,178 in administrative fines to the CPPA, and is ordered to specifically comply with various CCPA provisions. Todd Snyder must also implement changes to its privacy program, including prescribed methods for submitting and fulfilling privacy requests, and personnel training, within 90 days of the Order. Todd Snyder is also required to maintain a contract management and tracking process to ensure that contractual terms required by the CCPA are in place with all external recipients of personal information, and shall confirm in writing to the CPPA within 180 days of the Order that it has implemented such measures.

Looking Ahead

This is just one of a growing number of CPPA enforcement actions against businesses for failing to comply with the CCPA, and it certainly will not be the last. In March, the CPPA fined American Honda Motor Co. $632,500 for similar alleged CCPA violations. All indications point to continued aggressive enforcement by the CPPA.

Author

Christopher J. Buontempo is a Mintz corporate attorney and a Certified Information Privacy Professional (CIPP). He has significant experience handling issues relating to technology, data privacy and security, brand protection, contract negotiation, licensing, and product development.