S3 E20: Lessons Learned from CCPA Enforcements
Transcript
Jordan Eisner (00:00)
Here we are once again, Compliance Pointers. Matt Dumiak, the privacy prophet, 16-year Compliance Pointer, good to have you on. Are you standing right now?
Matt Dumiak (00:10)
Good to be here, Jordan. I’m at my standing desk. This is a standing podcast at this time.
Jordan Eisner (00:14)
This is a standing podcast. And maybe we’ll make it an outstanding podcast. You know what? Our combined five kids are making this really, really bad on the dad joke side.
Matt Dumiak (00:24)
We’re gonna try our best.
Oh, I feel put on the spot. I’m trying to think of one, but I think you’re…
Jordan Eisner (00:39)
You’re the only one. That makes it worse. You can’t think, you just need to say. That’s what everybody’s always told me in life. Don’t think, just say.
Matt Dumiak (00:46)
Yep, I think some tidbits will come out just organically through the…
Jordan Eisner (00:50)
We’ll see, because we’re going to try and do a lean and mean one today for our audience. We’re talking about CCPA enforcement. So therein lies the lean and meanness. There haven’t been that many. But we’re going to talk about the Honda one. That’s right. And the, what is it, the Snyder case? Tom Snyder?
Matt Dumiak (01:05)
Vaguely.
Todd Snyder. Todd. These are the two recent ones, Todd Snyder and Honda.
Jordan Eisner (01:15)
Yep, we already lost a whole bunch of audience when I said the name wrong, so sorry to see him go. But if you’re still listening and watching, thank you. Good to have you. Thank you for trusting us that we’re going to have some good content here.
Matt Dumiak (01:28)
I think it’s been entertaining thus far.
Jordan Eisner (01:31)
Yeah, you’re not biased at all. So, all right. Tell us about the findings, the Honda allegations. Actually, better yet, break them down one by one.
Matt Dumiak (01:39)
Yeah, absolutely happy to do that. So with Honda, first and foremost, I was a bit upset to see this given that I’m a proud owner of a Honda Odyssey. I know we already talked about our five children between the two of us. So with two at home it made a lot of sense to get a van regardless. As the proud owner of a Honda Odyssey, but also one of my first cars being a 1995 Honda Accord, I’m obviously a believer in the Honda. We are a Honda household at the Dumiaks.
Jordan Eisner (02:09)
This is neither paid for or sponsored by Honda.
Matt Dumiak (02:14)
Yeah, it was when I saw this come through, I said, oh no, they’re tracking us through their OnStar or whatever technology they use within Honda that I don’t pay for. That is not the case. Well, not necessarily the case within this settlement. So this settlement was pertaining to a few things from Honda, four things actually: how they honored consumer rights,
and some contract obligations. The consumer rights piece was pretty interesting because the settlement names the privacy software that Honda was relying upon to honor consumer rights and then made some allegations through the settlement of how they were honoring consumer rights. What they were doing, and what they settled for, was that there are a few things under the CCPA that consumers obviously have rights around.
Namely, with the right to opt out of sale for Honda, what Honda was doing under the right to opt out of sale, and this is getting a little in the weeds, but Jordan, please feel free to add some color to this or ask some questions around it. But not every consumer privacy right under the CCPA requires that you verify the consumer’s identity to honor it. Specifically, the right to opt out of sale or to limit the sharing of sensitive information.
Those do not require in all circumstances that the business, and in most circumstances they don’t, that the consumer verify their identity. Based on how the web form was set up for Honda though, when a consumer would make a request to opt out of the sale of personal information, Honda was requiring that the consumer verify their identity. So they were asking for
Jordan Eisner (04:04)
Probably a spillover because they do that for the other rights. That’s exactly right.
Matt Dumiak (04:10)
That’s exactly the correct assumption there, that they set up their web form and had all of the available rights under the CCPA. I’ll, you know, sometimes these web forms can be dynamic in that you can select a certain right and it will change what the consumer needs to enter to get that right honored. That was not the case here, so if someone said I want to opt out of the sale of my personal information or limit the sharing of my sensitive information, versus right to be deleted or right to know, it collected the same personal information. It collected eight pieces of information to be specific, eight separate pieces of information, even though Honda only needed two pieces of information to verify that consumer’s identity. So it was kind of two things. They dinged them on two things. The agency said, the CPPA, your favorite, right, if you want to go through that acronym spill out of California, but they
Jordan Eisner (05:10)
Referencing that, I often like to tell our clients when they feel like they’re being overwhelmed with acronyms that it’s really not that confusing. The CCPA was amended by the CPRA and is enforced by the CPPA. I don’t understand what’s hard to keep up with in all that, but keep going.
Matt Dumiak (05:27)
Exactly right. They’re alleging, the agency had issue with a few things from Honda in this regard, right? They were verifying identity for right to sale, which is not required, and they were collecting too many pieces of information to verify the identity. So there were a couple of things there. Next with Honda, and this was interesting, this is a concept under
a lot of the state privacy laws, symmetry of choice, so this has to do with their cookie preference center. And what Honda had set up with their cookie…
Jordan Eisner (06:05)
Can I ask one thing real quick, Matt? Yeah, go ahead. That all made sense. Also, they were requesting identification information when they weren’t required to. Or consumers should not be expected to have to give that in order to receive that from the client. Now you’re going to get into the lack of symmetry in giving and requesting, or what you’re requiring of them to give you in order to give them something, as opposed to what you required of them to get something. You’ll say it more eloquently than I did, but I’m curious, going through these. Honda and the platform, however they were, you know, handling these access requests, was that home-built or were they using a privacy management software?
Matt Dumiak (06:51)
They were. They were using a third-party software.
Jordan Eisner (06:54)
Okay. Software.
Matt Dumiak (06:59)
Named in the enforcement is OneTrust.
Jordan Eisner (07:01)
OK, I appreciate you sharing that. I was going to ask. You’re familiar with that product. Is it straightforward how to create those nuances and how to request or not request? Is it complicated? I mean, are you seeing this elsewhere? I don’t want to create any targets for the CPPA, but is this a common thing? They’re just implementing, like, the default settings as opposed to tweaking it.
Matt Dumiak (07:09)
Yes, for sure.
That’s exactly it, yeah, and good question. So it’s very common to see out-of-the-box implementation. And it is common to see that it would be set up in such a structure as we saw.
Jordan Eisner (07:40)
Where companies typically brag about that. Turnkey.
Matt Dumiak (07:43)
Turnkey, out of the box, set it up, exactly. And so it is pretty common, and, you know, it is. It’s not as straightforward as you would think, and that’s not to be critical of the software, but as soon as you start customizing anything, turning knobs, twisting, you know, turning things, making it custom for your organization here and there in order to comply with the law, it is going to become a little bit more complex. And, you know, we’ve talked about it being a little bit of a science and an art. You have to have a certain mindset for that type of implementation.
Basically, I mean, it’s not for everyone. And I think that there’s this habit and we’ll talk about it a little bit with the Todd Snyder case in the market of really putting a lot of reliance in that software out of the box, not just OneTrust privacy software out of the box. Pay for it, put it on the website.
They’ve got it. That’s like some of the value prop there. They’re helping us comply with this law and we don’t need to check it. We don’t need to monitor it. We don’t need to configure it any further to ensure that it is aligning with these laws. They’ve got that covered and we’ve gone through this exercise. And I think that’s starting to change, right? Common pitfall, exactly right. Exactly right. And so, very similar in why we, you know, OneTrust was named in the enforcement. Everyone knows it. So I’m not naming anything here that’s not public knowledge, but another thing that was turnkey, out of the box, was their cookie preference center. So under California’s law, there’s this concept of sale of personal information that can be both through targeted data or cookies and trackers and certain things like that. Not to get into the definition of sale, but just some use cases or illustrative examples, but also offline selling, where you might be selling or sharing personal information to a third party and they are not a service provider. So that could fall under a sale. So regardless, with the cookie preference center, which is also seen as a sale, or certain cookies are seen as a sale, under California’s law, under the CCPA, when a consumer clicked the link to opt out of the sale of personal information in terms of cookies and trackers, that drove to the cookie preference center.
What the agency had issue with was that it took two steps. It was, again, we’re talking about a symmetry of choice thing here, where it needs to be equal, right? It took two steps to opt out. So you had to click opt out and click save as a consumer to opt out. If you wanted to opt back in, all you needed to do was accept all, and immediately the cookies turned back on and the preference center tray went away.
Jordan Eisner (10:32)
You’re telling me that they wouldn’t want to make it easier to opt in and opt out?
Matt Dumiak (10:37)
Right, surprising, right? So that was another thing the agency took issue with. Another one is authorized agent. I don’t know if you’re familiar with that concept under these privacy laws, that consumers can provide authorized agents with permission to make privacy requests on their behalf. I’m sure you are familiar, Jordan. I don’t know why I said that.
Jordan Eisner (10:58)
No, I’m just nodding my head because now I understand. If you had asked me previous to describing it, I could not have described it.
Matt Dumiak (11:05)
And so, well, that was a concept. And then what we’ve seen over the last few years is that services have been developed, or services have come out, that will assist consumers with deleting their personal information across the web. Whether or not you see that as a service might depend on what side of the aisle you’re sitting on.
In essence, what they’ll do is look to understand what businesses you’re doing business with, what businesses have your personal information, whether that’s scraping your email inbox or through some other means, and they will make a privacy request on your behalf. They will send that request to any company you’ve done business with requesting to delete your personal information. Early on, what we saw was these services were acting as an authorized agent to make a deletion request on behalf of consumers. And there is the ability for businesses, in certain circumstances, which I’ll call out here, to go directly to the consumer to verify the request. However, if the authorized agent has power of attorney to make that request on your behalf as the consumer, the business needs to work directly with the authorized agent, if the power of attorney exists. So early on, and I bring this up because there’s a little bit of a tailspinner, but if…
Jordan Eisner (12:35)
A lot to determine as the company receiving the request.
Matt Dumiak (12:40)
It is. There are a lot of caveats, exactly right. There are a lot of nuances to go through with this, and what happened was, and here’s another twist, is that early on, when these services started doing these types of things, they did not include the power of attorney. And so a lot of times an organization would go to the consumer, because they’d say, I don’t know who this service is, I’m going to go to the consumer and say, did you actually make this request? If so, can you verify your identity? Many times they did not even know that they made that request, or they didn’t know who the service was, so they wouldn’t verify their identity. It was kind of like the firewall of the privacy request, but…
Yeah, and authorized agents sorted that out, basically, or said, OK, well, they’re going to consumers directly because they have that ability to in certain circumstances under the CCPA. What we’ll do, and I’m talking as the service now, what we’ll start doing is getting the power of attorney to make this request, so that the business needs to work directly with the authorized agent. So that’s what was happening in this case with Honda, is that these services, more than likely these authorized agent services, privacy request services, were sending these rights, which, as you’re well aware, can come in at hundreds at a time, which can make it very difficult to manage for organizations. I’m not saying that’s what Honda received, but it can be that type of thing. They sent that with the power of attorney, and Honda was still going directly to the consumer. They should have worked directly with the authorized agent with that power of attorney. Everyone’s aware of that now. But that’s what they were doing.
Jordan Eisner (14:12)
So let me ask you a question on that, because we’re going to get to, and we promised our audience, lean and mean, right, quick and dirty, so we’re going to get to some key takeaways. But, yeah, in your work, which has been with lots and lots of organizations on privacy posture, on formalizing access request policies and procedures and workflows and leveraging technology, internal or external technology, I should add. How often? It’s really often.
But is the granularity there inside the processes, in the workflows, for somebody receiving this to check power of attorney and that sort of thing? I mean, this seems really nuanced, maybe not, and just really tedious for building processes for how to respond to these and all the different checkpoints to solve for compliance. It seems like, you know, poor Todd Snyder in this. This probably would have happened to most organizations, or am I wrong?
Matt Dumiak (15:22)
No, I don’t think you’re wrong. I think organizations are still grasping these nuances and understanding them, because it is complex and it is complicated, and there are amendments to these laws all of the time. And I say that like it’s all of the time, someone might take issue with that, but there are draft regulations out there. It can get… really quickly. Periodically. That’s a great term, periodically, right? There are updates, so the power of attorney was amended. That was a change with the regulations. Now, that wasn’t within the last 12 months, that was a while ago, but they do change. And so that’s why these services said, okay, we can do it with power of attorney, we’ll take that and go from here, right? And so it is really common to see, even through our, you know, through assessments and working with organizations and businesses in the early stages, that they don’t have…
Jordan Eisner (16:20)
Right. So here’s a key takeaway, have a designated point person in your organization, have external counsel, have some sort of resource that is constantly keeping your company abreast of these privacy law amendments and changes and how it could impact current processes and procedures. It’s a lot.
Matt Dumiak (16:47)
It’s a key takeaway. And one thing, you know, it was already a challenge when California was the leader of the pack in terms of one of three privacy laws out there. Now we have 19 that have passed and it’s getting more and more complex. And while it’s a habit to fall into the crosswalk, and that they’re all mirrored on each other and look the same,
Like it or not, there are nuances to each of these that you should be aware of because each state cares about their residents and they will act accordingly.
Jordan Eisner (17:20)
It’s getting real. Six more of these and a majority of the country will have privacy law.
Matt Dumiak (17:26)
It’s here. You’re not burying your head in the sand. So. Not yet.
Jordan Eisner (17:30)
New York doesn’t have one, right? But Texas and California, so you can almost even say that probably more than 50% of the population has privacy law rights now when you group Texas and California. I don’t know. It’d be interesting to see just the population of the states that do that. Even Colorado too. Those are some highly populated areas.
Matt Dumiak (17:52)
I think it’s like in the 60% range or something like that that’s covered.
Jordan Eisner (17:55)
60% of US residents have a privacy law. Privacy law. If New York puts one in place, it’s going to, wow. Yeah. How about that?
Matt Dumiak (17:58)
Yeah, exactly. It’s not going away.
Jordan Eisner (18:07)
So our key takeaways.
Matt Dumiak (18:09)
Key takeaways in general, if we’re talking about Honda and Todd Snyder, just these lessons from these enforcements. And Todd Snyder was relatively similar in terms of what the enforcement was about. Well, actually they had one additional caveat, or one additional thing that I would add here, and we’ve seen this too, Jordan, is that Todd Snyder had, the agency took issue with, rightfully so, that they were offering the ability to opt out of tracking and that tool was not effectuating the choice. So it wasn’t actually working. They named it, it was not working for 40 days. So if a consumer went and said, I want to turn off targeted advertising, I don’t want to be tracked, they would have the ability to select that on the website, but it wasn’t working for 40 days. So we’ve seen that, right. Other states have gone through and commented that that’s an unfair, deceptive trade practice. There are ways to go about that. Professional plaintiffs are getting after that too, in that when an organization says something in their privacy policy or on their website or gives consumers choice, they really better be honoring that. Todd Snyder was dinged for that. They were also verifying identity for sale. So, common issue. And they were collecting too much information to verify identity. So anyway, some really great key takeaways, I think. To your point, the first one there is designate responsible parties to track all of this and make sure that you’re staying aware of it as a business, because it is always changing and there are a lot of nuances.
Second, and we harp on this a lot, but it just continues to come up, is to test and monitor your privacy program. That was already something from a consulting perspective and in our experience with all these other regulations that we’ve been at Compliance Point for 16 years. Obviously, it’s not always been CCPA that I’ve been consulting on and helping clients operationalize their programs around, but it continues to pop up that organizations have to monitor and enforce their compliance program. You know, when they have a cookie preference center, go in and make sure that it’s working, not just that the banner is popping, but that it’s actually effectuating the choice. Now Todd Snyder, when you would click on the opt out, their cookie tray would open and then immediately close.
So that’s a pretty easy indicator that something’s not working, but we have seen many times when an organization will look at their cookie banner or preference center and they see that that thing pops up and that’s all they need. That’s what they look at. Well, no, there’s some backend work that needs to go on there to make sure that when a consumer actually opts out, that that’s actually turning the cookies off, right? That’s stopping the tracking. So monitor and enforce is absolutely a key takeaway, but also something that…
That Todd Snyder specifically is required to do in the settlement. It was named that they establish technical controls to monitor their privacy program. Not just always going to look.
Jordan Eisner (21:09)
It’s going to depend on obligations. It’s going to depend on your business, the sort of data you’re collecting. And so that’s where, you know, there’s not an off the shelf solution for it. It’s going to take brain power. It’s going to take awareness of obligations, current ways that you’re solving for it, and creativity about how you test that.
Matt Dumiak (21:32)
Yep, exactly.
Jordan Eisner (21:34)
Well, I think that’s as good a time as ever for a shameless plug. Compliance Point does that. From regulatory updates and what they mean for your business from a processes and procedures standpoint, to Matt’s point, ongoing monitoring and testing. We’ve been doing it for regulations with, I’d say, even more teeth than CCPA for the better part of two decades. So very familiar with building bespoke programs around this, or at least advising organizations on how to do so.
If this podcast has been meaningful for you and that’s of interest, please don’t hesitate to reach out to Matt or myself on LinkedIn. Come to the CompliancePoint website. You can email us at connect at compliancepoint.com. We’d be happy to hear, obviously, about any of your issues, especially if there’s a pain point we could solve, but I think you’d leave the conversation feeling like it was good time spent regardless. So listeners, watchers, thank you for your time. Hit the subscribe button. Leave us a review.
We continue to produce content like this and we’ll keep doing it. Thanks, Matt. See you guys.
Matt Dumiak (22:39)
Thanks, Jordan. Talk to you all soon. Bye.