After a New CPPA Enforcement Announcement, It’s Time to Ask: Is Your Consumer Privacy Request Process Compliant?

What happened? The California Privacy Protection Agency (CPPA) has been making clear that failing to ensure your compliance with consumer privacy requests can be costly. This week, on May 6, CPPA announced that it was imposing fines of $345,178 on clothing retailer Todd Snyder for violations of the California Consumer Privacy Act (CCPA) with respect to the retailer’s procedures in responding to consumer privacy requests. CPPA’s announcement is its second major enforcement announcement in recent months, following the announcement in early March of a $632,500 fine on Honda that included similar privacy violations by Honda.

CPPA found that Todd Snyder had failed to properly oversee its privacy portal, resulting in failures to process consumer requests to opt out of sale or sharing of personal information for 40 days; that the retailer was unnecessarily requiring consumers to verify their identity before processing their opt-out requests; and that consumers were being required to submit more information than necessary to process privacy requests. These violations echo some of the violations CPPA found in the earlier Honda enforcement action, where the car manufacturer was similarly alleged to have been requiring verification for requests that under the CCPA do not require verification (such as opt-outs from sale and sharing of personal information), and otherwise requiring consumers to provide more information than necessary to process verifications.

What do these enforcement actions mean for your business? First, they make clear that the responsibility for consumer request compliance cannot be simply delegated to a third-party provider; the business itself must take responsibility for ensuring that the mechanisms and procedures set up to respond to consumer requests are functioning as intended. This requires frequent monitoring. Second, data minimization is critical. When responding to a consumer request, a business should seek to rely, as much as possible, on data it already has in its possession to process a consumer request. Don’t ask consumers for information that isn’t needed to process the request. And finally, relatedly, don’t engage in verification when it isn’t necessary, and make sure that your policies and procedures are clear as to when a consumer’s request needs verification and when it doesn’t (tip: if it’s an opt-out request, it doesn’t need verification).

What’s Next? CPPA has shown that a failure of consumer request compliance can be significantly costly to businesses, but sometimes it can be difficult for a business to muster the resources to maintain a regular compliance program. At InfoLawGroup, we offer a DSR Service for our clients to manage their consumer request process where we work hand-in-hand with internal stakeholders to meet the requirements of applicable privacy law. Give us a call and we can help!

Originally published by InfoLawGroup LLP.