The California Privacy Protection Agency (CPPA) just issued its second enforcement action under the CCPA and the message is clear: the CPPA is looking at your digital properties and tallying up the violations. Your website is more than a marketing tool; it is a compliance obligation.
Todd Snyder, a fashion brand under American Eagle, got hit with a $345,000 fine for a variety of alleged failures:
• Overcollection of personal data during consumer request processes
• Use of third-party privacy tools that weren’t adequately vetted or monitored
• Malfunctioning opt-out mechanisms
Just a few weeks earlier, one of the world’s major car manufacturers settled for $632,500 over similar issues. Neither company fits the mold of organizations most typically targeted by enforcement agencies; yet both are now case studies for having your privacy house in order, regardless of who you are.
The CPPA has moved past superficial privacy policy reviews. It is conducting functional assessments of websites and mobile apps. That means the CPPA is:
- Submitting data subject requests as live users
- Evaluating your timeline and response protocols
- Testing how your tools actually behave
- Evaluating your use of third-party vendors
If your opt-out button doesn’t work, your consent banner vanishes, or your vendor’s tool misfires — you are potentially exposed.
To further highlight this exposure, a recent study conducted by Consumer Reports and Wesleyan University found that 30% of tested retailers ignored Global Privacy Control opt-out signals, suggesting that many companies are not complying with core consumer protection components of many state and federal regulations despite their privacy policies saying otherwise.
Regulators can identify these shortcomings because they maintain their own in-house engineering staff, and media outlets like Consumer Reports can do so because they collaborate with research universities. That is not to mention the class action plaintiffs' attorneys who are conducting their own digital explorations.
That’s where Norton Rose Fulbright’s NT Analyzer comes in.
It’s a diagnostic engine for your data collection footprint and opt-out posture. NT Analyzer audits your site, detecting regulatory violations the way engineering professionals at enforcement agencies do — by interacting with your site’s actual data flows and configurations.
With NT Analyzer, Norton Rose Fulbright can help you:
• Identify overcollection of personal information
• Validate the functionality and fairness of consent mechanisms
• Detect data leakage and sensitive data transmissions
The CPPA is no longer focused just on intent; it is measuring execution. And, if your execution is flawed, enforcement is becoming a greater possibility.
On top of these enforcement actions there’s the news that the CPPA is teaming up with seven other state regulators to coalesce around consumer protection across jurisdictions, as well as to coordinate investigations into potential violations of laws. It seems certain that digital properties across the board will be facing more scrutiny in the near future.
For more details on how Norton Rose Fulbright can help, please contact the team:
Steve Roosa – steven.roosa@nortonrosefulbright.com
Phil Hodgkins – phil.hodgkins@nortonrosefulbright.com
Wenda Tang – wenda.tang@nortonrosefulbright.com