California Privacy Agency Enforcement: Honda and Todd Snyder Penalties

Two recent enforcement actions by the State of California have targeted companies for nontransparent opt-out mechanisms and overbroad identity verification processes. These actions demonstrate a desire to hold California businesses accountable for their data subject request processes.

Honda

The California Privacy Protection Agency (CPPA) Board recently issued a decision that requires American Honda Motor Co. (Honda) in Torrance to change its business practices and pay a $632,500 fine to settle allegations that it violated the California Consumer Privacy Act (CCPA).

Honda is the North American subsidiary of Honda Motor Co., Ltd., a company incorporated in Japan.

The investigation stems from the Enforcement Division’s ongoing review of data privacy practices by connected vehicle manufacturers and related technologies that began in July 2023. The Enforcement Division asserted that the company violated Californians’ privacy rights by:

  • Requiring Californians to verify themselves and provide excessive personal information to exercise certain privacy rights, like the right to opt out of sale or sharing and the right to limit. The CPPA said this was more information than necessary;
  • Employing an online privacy management tool that didn’t give Californians their privacy choices in a symmetrical or equal way;
  • Making it hard for Californians to authorize other individuals or organizations (known as “authorized agents”) to exercise their privacy rights; and
  • Sharing consumers’ personal info with ad tech companies without producing contracts that contain the necessary terms to protect privacy.

The CPPA also said that Honda’s cookie management system violated the CCPA. This system required a two-step process for opting out of advertising cookies and tracking technologies, while consenting (or reconsenting) to cookies required only one click. As such, it was more burdensome to opt out of Honda’s data processing than to consent to it. Honda will use a simpler process for consumers to exercise their privacy rights, reduce its data collection for verification purposes, and change its contract management and tracking processes.

“The remedy should fit the problem behavior,” said Michael Macko, head of the Agency’s Enforcement Division. “We won’t hesitate to use our cease-and-desist authority to change business practices, and we’ll tally fines based on the number of violations. Today’s resolution reflects Honda’s early cooperation and commitment to make things right.”

Todd Snyder

The California Privacy Protection Agency (CPPA) Board has issued a decision requiring national clothing retailer Todd Snyder, Inc., to overhaul its business practices and pay a $345,178 fine to address claims that it violated the CCPA.

The Enforcement Division alleged that Todd Snyder violated Californians’ privacy rights by:

  • Not monitoring or properly configuring the technical infrastructure of its privacy portal, which resulted in a failure to process consumer requests to opt out of the sale or sharing of personal information for 40 days;
  • Requiring consumers to submit more information than necessary to process their privacy requests; and
  • Requiring consumers to verify their identity before they could opt out of the sale or sharing of their personal information.

To resolve the allegations, the retailer agreed to pay a $345,178 fine. In addition, the company will alter its business practices, including properly configuring its mechanisms for submitting and managing opt-out preferences and providing CCPA compliance training for its staff.

“Businesses should scrutinize their privacy management solutions to ensure they comply with the law and work as intended, because the buck stops with the businesses that use them,” said Michael Macko, head of the Agency’s Enforcement Division. “Using a consent management platform doesn’t get you off the hook for compliance.”

“Opt-out rights are one way for Californians to assert control over their personal information and protect themselves from real harms,” said Tom Kemp, the CPPA’s Executive Director. “The board’s decision should serve as an important reminder that our Enforcement Division is scrutinizing what businesses are doing to honor Californians’ privacy rights.”

Takeaway

These CPPA decisions emphasize the significance of Californians’ opt-out rights. Businesses collect and repurpose considerable amounts of personal information in each contact with consumers, and they can then use and share consumers’ personal data in ways that may be unsafe and unexpected. For example, this personal information may include information about reproductive health, religion, immigration status, financial health, employment, political preferences, and ethnic identity.

The allegations concerning improper verification mirror a 2024 CPPA Enforcement Advisory that cautioned businesses against collecting excessive information from consumers who assert their privacy rights. Businesses will be held accountable for their data subject request processes. Here are some actions to consider to make sure your policies are in compliance and to mitigate the risk of similar problems:

  • Review your process for responding to data subject requests and be certain that your verification process is customized appropriately;
  • Simplify your opt-out and user interface design;
  • Assess (or implement) your cookie management platform to make sure the opt-out processes are simple and symmetrical;
  • Review your contracts with vendors to confirm they include the required provisions;
  • Limit identity checks for consumer request processing; and
  • Conduct regular audits and staff training on CCPA/CPPA compliance.

Contact Us

Businesses need to make sure they have adopted appropriate compliance standards that comply with the CCPA. Reach out to the attorneys at Eanet, PC for help.
