Latest CCPA fine: 6 figures for multi-million retailer’s privacy mistakes

The latest company to find themselves in hot water with the California Privacy Protection Agency (CPPA) regulatory body is menswear retailer, Todd Snyder.

The CPPA Board has fined Todd Snyder, Inc., to change its business practices and pay a $345,178 fine to resolve allegations that it violated the California Consumer Privacy Act (CCPA).

Widely considered the benchmark for data privacy standards in the US, California is leading the way when it comes to retaliatory action against brands found to be making mistakes, too.

Any organization that has customers or data subjects in California needs to take note. There’s not only monetary risk but also reputational damage to consider.

With consumers caring more about their privacy than ever before, they’ll put their money where their mouth is and actively choose brands that they believe protect their privacy more.

This specific fine also highlights that it’s not just the giant companies on the CPPAs radar.

Why has Todd Snyder been fined over $345k by CPPA?

• Not processing consumer opt-out requests due to incorrect configuration for 40 days
• Collecting additional personal data during privacy requests
• Excessive identity verification processes

A warning: California is stepping up enforcement

This enforcement action is the latest in a string of fines, most notably Honda faced a $632k fee earlier this year.

It’s not hard to foresee further incursions. CCPA is now fully embedded and with the legislation active for over five years it’s time for them to start showing their teeth.

They’re also moving to build stronger connections both internally and globally. The Consortium of Privacy Regulators is a bipartisan coalition to drive nationwide enforcement, as well as a partnership with privacy watchdogs in France, UK and Korea.

What retailers need to do to avoid same mistakes

Prioritize Privacy Requests & check portal processes

• Automating privacy rights requests: Implementing tools that automate the intake, orchestration, and response to privacy rights requests can streamline the process and ensure compliance with regulations like CCPA and GDPR.
• Regular audits and updates: Conducting regular audits of privacy request portals to identify and rectify any configuration issues that might prevent the proper processing of opt-out requests.
• User-friendly interfaces: Ensuring that the privacy request portals are user-friendly and accessible, making it easy for consumers to submit their requests and track their status.

Focus on data minimization

• Assess data needs: Regularly reviewing the types of data collected and ensuring that only the minimum necessary data is gathered.
• Implementing data retention policies: Establishing clear data retention policies that specify how long data should be kept and ensuring that unnecessary data is deleted promptly.
• Training staff: Educating employees on the importance of data minimization and how to implement it in their daily tasks.

Consider third-party vendor risk

• Conduct thorough vendor assessments: Before engaging with third-party vendors, conduct comprehensive risk assessments to evaluate their data security practices and compliance with privacy regulations. They might implement technology or processes that you don’t know about that cause problems further down the line because they don’t match your risk appetite.
• Continuous monitoring: Implement ongoing monitoring of third-party vendors to ensure they maintain high standards of data protection and promptly address any identified risks.

Implement technology to enhance privacy processes

Leveraging technology can significantly improve data privacy and compliance processes. Organizations should consider:

• Consent and Preference Management (CPM) platforms: Using a CPM platform to centralize and manage consumer consent and preferences across all systems and platforms, ensuring compliance with global privacy regulations.
• AI and automation: Implementing AI and automation tools to enhance data processing, identify potential privacy risks, and streamline compliance efforts.
• Regular technology audits and updates: Keeping all privacy-related technologies up-to-date to ensure they can handle new regulatory requirements and emerging threats.