Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

The recent California Privacy Protection Agency settlement with American Honda Motor Company over violations of the California Consumer Privacy Act highlights four key areas companies should review and focus on immediately.

The USD632,500 settlement resolves claims around various aspects of Honda's privacy practices, including use of an "online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way" and sharing consumer data without "contracts that contain the necessary terms to protect privacy."

Cookie consent management

In the wake of the settlement, companies should review their cookie setup immediately.

Regulators don't like dark patterns. Customers don't either. Cookie consent technology needs to be properly established to comply with privacy laws and routinely reviewed and tested.

The CCPA requires symmetry in privacy choices. This means if companies have a cookie banner, there should be two equally prominent buttons: "Accept All" and "Reject All." If it takes one click to opt in, it should equally take just one click to opt out. 

Note that the CCPA wants companies to avoid dark patterns, so the two buttons shouldn't differ in color or font size, and the option more favorable to the company shouldn't be highlighted with a box. It's also important companies include a "Reject All" button within the manage settings section to make it easy for consumers to opt out.

The CCPA also focuses on Global Privacy Control signals and the ability for a user to opt out of the sale of data. As such, companies should make sure GPC signals are honored. Cookies that could be deemed a sale should be categorized appropriately and the "do not sell or share my personal information" link or the "Your Privacy Choices" icon — from the attorney general's office — should be available on the home page and function properly.

Now is a great time to inventory cookie and tracking technologies. Companies should schedule at least quarterly audits to catch new or changed cookies. Weekly or monthly audits might be better for those with many trackers on their site. Cookie governance instills processes and procedures for managing cookies and all digital trackers. Companies should codify cookie practices into official policies and train appropriate employees on the processes.
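As an added illustration of the cookie section above (not code from the article or from any consent vendor), the following resolver honors a Global Privacy Control signal, treats "Accept All" and "Reject All" as single, equally weighted actions, and only loads trackers the resolved state permits. The category list, the sale/share flags and the tag inventory are assumptions constructed for this example.

```javascript
// Constructed cookie categories; the sale/share flags are assumptions for this example.
const CATEGORIES = {
  essential:   { saleOrShare: false }, // strictly necessary, always on
  analytics:   { saleOrShare: false }, // first-party measurement, assumed not a sale
  advertising: { saleOrShare: true  }, // ad-tech pixels: could be deemed a sale/share
  social:      { saleOrShare: true  }, // embedded social widgets: could be deemed a share
};

// GPC as exposed to page script (navigator.globalPrivacyControl).
function gpcFromNavigator(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

// GPC as seen server-side: the request header `Sec-GPC: 1`.
function gpcFromHeaders(headers) {
  const v = headers['sec-gpc'] !== undefined ? headers['sec-gpc'] : headers['Sec-GPC'];
  return typeof v === 'string' && v.trim() === '1';
}

// choice: 'acceptAll' | 'rejectAll' | null (no banner interaction yet).
// Returns { category: boolean } describing which trackers may be loaded.
function resolveConsent(choice, gpc) {
  const allowed = {};
  for (const [name, meta] of Object.entries(CATEGORIES)) {
    if (name === 'essential') { allowed[name] = true; continue; }
    // GPC is an opt-out of sale/share; this example treats it as taking
    // precedence over a prior "Accept All" click (assumption).
    if (gpc && meta.saleOrShare) { allowed[name] = false; continue; }
    // No choice yet or "Reject All": category stays off. One click either way.
    allowed[name] = choice === 'acceptAll';
  }
  return allowed;
}

// Gate tag injection on the resolved state instead of loading unconditionally.
function trackersToLoad(allowed, tags) {
  return tags.filter(t => allowed[t.category] === true).map(t => t.src);
}

// Constructed tag inventory; a real one would come from a periodic cookie audit.
const TAG_INVENTORY = [
  { src: 'https://example.com/session.js',   category: 'essential'   },
  { src: 'https://example.com/analytics.js', category: 'analytics'   },
  { src: 'https://ads.example.net/pixel.js', category: 'advertising' },
];
```

Running the same resolver in a quarterly audit against the live tag inventory is one way to catch a new tracker that was never categorized.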

Privacy rights webform design

It should be simple for a consumer to make a privacy rights request. Not all rights require the same level of verification and steps. Requests to opt out of the sale of data and to limit the use of sensitive personal information do not require verification, unlike the rights to know, delete and correct. Collecting too much information can violate the CCPA's data minimization principles.

Companies should take these steps to ensure they comply with the CCPA. Start by reviewing the verification procedures and ensure only requests to know, correct and delete personal information require verification. As part of the verification process, the CPPA suggests collecting as few data points as possible.

The latest enforcement action suggests two data points could be necessary for verification. Privacy and legal professionals can advise whether a company's circumstances differ and require additional verification points.

The webform to submit rights requests should be easy to follow and understand, accessible and mobile-friendly. Spend time to review and simplify the privacy requests webform to reduce friction for consumers exercising their rights. User experience design matters in all aspects of privacy, including the privacy rights process. 

Vendor management and contracts

Companies need to have contracts with all vendors covering CCPA obligations. Having a vendor management — third-party risk management — process in place will ensure all vendors are complying with CCPA and other in-scope privacy laws. The TPRM process should be documented and include the vendor assessment process, regular contract review schedules, and a vendor management system to track compliance status. 

An immediate next step is to set up a schedule to review all contracts with vendors who access customer data, especially adtech vendors. Agreements should contain CCPA-required language establishing service provider, third party or contractor relationships.

Syncing the TPRM process with the privacy impact assessment and data inventory process is important to flag new uses of data with existing vendors. A contract signed today might not cover a new use case the business wants to pursue, and the contract may need adjustments.

Employee training and process documentation

Employee training for those handling CCPA privacy rights has always been a requirement. It's best practice for all employees to undergo privacy training and companies should specifically train employees who handle consumer privacy requests.

Privacy rights are complicated, and companies should document compliance procedures. For example, if there's a complex privacy request, there should be a clear escalation path. It's also encouraged to perform regular compliance audits to catch any part of the process that's not working. It's much better to do so during a test than on a real request.

Appointing privacy champions within relevant departments can help keep privacy top of mind for teams and disseminate important privacy information.

The UX-privacy connection

A key lesson from the Honda case is the growing regulatory focus on the user experience of privacy.

The settlement specifically requires Honda to engage a UX designer to evaluate its methods for submitting requests. Companies should follow UX best practices, which include making privacy choices intuitive and accessible, using clear, jargon-free language in privacy communications, and testing the privacy interfaces with real users.

Documenting the UX testing methodology for privacy interfaces makes it easier for companies to follow a privacy by design approach for new digital initiatives.

Beyond compliance to trust

While avoiding a USD632,500 fine is certainly motivation enough, there's more at stake than regulatory penalties. Building privacy-respectful digital experiences demonstrates a company's commitment to customer trust.

By implementing lessons from Honda's settlement, companies not only mitigate regulatory risk but also position the business as a responsible steward of customer data.

Remember that compliance is not a one-time project, but an ongoing commitment. Creating governance around the use of data, especially cookies and digital trackers, conducting regular audits, reviewing new vendors and new data use cases, as well as delivering employee training will set companies up for an effective privacy program that protects both customers and the business.

Jodi Daniels, CIPP/US, is the founder and CEO of Red Clover Advisors.