A couple of weeks ago, regulators settled with health and wellness publisher Healthline over alleged violations of the California Consumer Privacy Act (CCPA) involving unauthorized user data sharing and opt-out failures.
It’s a pretty big deal. At $1.55 million, the settlement with Healthline is the largest penalty under the CCPA to date, and it’s a signal of heightened enforcement focused on companies actually doing what they’re supposed to do, not just points for effort.
Negligence and/or a lack of testing isn’t an excuse for noncompliance.
For example, Healthline had a cookie consent banner in place, but the banner didn’t work, because Healthline failed to properly configure its cookie management tool. As a result, Healthline ignored opt-out requests and kept on sharing personal data with third parties, even when someone had requested that their data not be shared.
Privacy potholes
In short, regulators care about privacy in practice, not just in theory. Simply having a tool or partnership in place isn’t enough to demonstrate effective compliance.
The same issue – a failure to implement functional opt-out mechanisms – was central to two other recent settlements in California.
In March, the California Privacy Protection Agency (CPPA) announced its first enforcement settlement, which was against Honda for making it too hard for consumers to exercise their rights under the CCPA.
Honda paid a $632,500 fine for making consumers provide more personal information than necessary to exercise their opt-out rights and for using an online privacy tool that did not present privacy choices fairly or equally to users.
To opt out of data sales, people had to share very personal details, like their driver’s license and Social Security number. Meanwhile, Honda’s online privacy management system made opting in more straightforward than opting out.
To opt into cookie tracking, all you had to do was click on a bold “Allow All” button. To decline tracking required a two-step process that involved interacting with a toggle and then confirming the choice.
Regulators saw this as a potential dark pattern, said privacy attorney Daniel Goldberg, during a webinar on Thursday hosted by his firm, Frankfurt Kurnit Klein & Selz, highlighting key enforcement trends.
“Symmetry of choice is the idea that it should be just as easy to accept as it is to reject,” Goldberg said. “It’s an area regulators are looking very, very closely at.”
Loose threads
Dark patterns were also a significant issue in the CPPA’s $345,178 privacy settlement with apparel company Todd Snyder, which was finalized in May.
The CPPA found that Todd Snyder’s site had a misconfigured opt-out mechanism that caused the consent banner to appear and then immediately disappear, preventing consumers from submitting opt-out requests for a 40-day period in 2023.
A $345,178 fine might not sound like all that much. And in the grand scheme of things, what does $632,500 really mean to a multibillion-dollar corporation like Honda? Even a $1.55 million fine isn’t going to break the bank for Healthline. (In 2019, Healthline generated more than $100 million in revenue.)
But these fines, however small they may seem, are warning shots. Regulators are just getting started, and the penalties are likely to grow.
“Don’t look at the numbers here,” Goldberg said. “It could become, especially with the CPPA, substantially larger than what we’re seeing.”
What should businesses take away from all this? Put the “do” in due diligence. (Yeah, yeah, I know it’s not perfect wordplay. Sue me.)
“All these cases involve vendor solutions that did not work,” Goldberg said. “In almost all of them, the company did have privacy compliance in place; it just wasn’t working.”
And regulators are watching for that.
Take it directly from Michael Macko, the man in charge of the CPPA’s enforcement division.
This is how he put it in the press release his agency put out about the Todd Snyder settlement: “Using a consent management platform doesn’t get you off the hook for compliance.”
The buck stops with the business.
🙏 Thanks for reading! And it’s a summer scorcher out there, so stay cool! This little guy knows what’s up. As always, feel free to drop me a line at allison@adexchanger.com with any comments or feedback.
