The California Privacy Protection Agency (CPPA) recently fined clothing retailer Todd Snyder almost $350,000 for two types of consumer privacy errors. Due to technical errors during a 40-day period, it was impossible for Todd Snyder website users to request to opt out of having their information sold or shared. When users clicked the button for the Cookie Preferences Center, the consent banner would appear but instantly disappear, thus making it impossible for anyone to actually opt out. For those who were able to actually access the preferences center, Todd Snyder over-collected information from its users who wanted to opt out of having their information sold or shared. Todd Snyder’s data request form required users to verify their identity by submitting a photograph of themselves holding their identity document, even when they wanted to opt out.
In addition to the technical issues associated with opting out, the CPPA has also fined entities for over-collection of information by verifying the identities of consumers who submit opt-out requests. Those who do business in California should be on notice that this is one detail at which the regulators are specifically looking and errors can be costly. California is taking a close look at what companies say they are doing in order to make sure the companies are following through. As more state data privacy laws—and their enforcement—come online, other states are likely to follow suit.
As a matter of good business, companies operating in California need to review their procedures to ensure their opt out processes work and they are not conducting identity verification for those who wish to opt out. It is not sufficient to set it and forget it for web maintenance. If the website’s options do not work, it is the company’s responsibility— regardless of whether that has been contracted out to another entity. California is accepting public comments on the draft regulations until June 2 at 5 p.m. Pacific time. McCarter & English’s Cybersecurity & Data Privacy team stands ready to advise companies doing business in California. Contact Erin Prest for more information or to schedule a consultation regarding your company’s privacy policies.
[View source.]
