CPPA Enforcement Action Against Retailer for Failing to Monitor Cookie Consent and Requiring Excessive Verification Information for Opt-Out Requests

PDF

On May 6, the California Privacy Protection Agency (CPPA) issued a decision requiring national clothing retailer Todd Snyder, Inc. to change its business practices and pay a $345,178 administrative fine.

The stipulated order found that the retailer incorrectly configured and failed to monitor its consent management platform, such that the retailer did not effectuate consumer requests to opt out of third-party tracking technologies (i.e., cookies and pixels).  Specifically, for 40 days in late 2023, when consumers clicked on the “Cookie Preference Center” link, a consent banner appeared on the side of the screen but immediately disappeared, thus rendering it impossible for consumers to submit opt-out requests.  This misconfiguration also meant that the site did not recognize Global Privacy Control (GPC) signals.

Significantly, the CCPA’s order states that the retailer “would have known that consumers could not exercise their CCPA rights if the company had been monitoring their website”. Instead, however, the retailer “deferred to third-party privacy management tools without knowing their limitations or validating their operation.”  

In addition, the order continued, the retailer required consumers to submit government identification when submitting requests – which the CPPA found to be more information than necessary: “By requiring Consumers to submit government identification to exercise Verifiable Consumer Requests, instead of using other available data points, [the retailer] unlawfully required Consumers to provide more information than necessary to exercise their CCPA rights and discouraged Consumers from submitting CCPA Requests.”  [This was an issue raised in an earlier CPPA enforcement action against a vehicle manufacturer.]

As a result, the retailer must pay an administrative fee of $345,178, as well as take the following remedial actions:

• Not require consumers to verify their opt-out requests;
• Not require consumers to provide more information than necessary to process opt-out requests;
• Develop, implement, and maintain procedures to identify any disclosures of personal information that constitute sales or shares to ensure that it appropriately processes opt-out requests;
• Establish, implement, and maintain policies and procedures to monitor the effectiveness and functionality of its methods for submitting opt-out requests;
• Recognize opt-out preference signals;
• Develop, implement, and maintain procedures to ensure personnel handling personal information are informed of the business’ requirements under the CCPA; and
• Maintain a contract management and tracking process to ensure that contractual terms required by the CCPA are in place with all external recipients of personal information.

Why is this significant?

• This serves as an important reminder that businesses must ensure that they are not only deploying consent management tools but also regularly checking and verifying that these tools are working correctly. They cannot merely rely on or blame the third-party management tool service provider if it is not functioning correctly.
• It also emphasizes the data minimization principle in the context of processing opt-out requests.

Takeaways:

• Don’t just install cookie banners and consent management tools. Monitor the website and implementation of the tools to make sure they are functioning properly.
• Don’t collect more information than needed as part of verification/authentication of consumer opt-out requests. (However, note that this decision was about requiring identification in the context of an opt-out request, not an access request, for which proof of identification may be more appropriate.)