The privacy enforcement landscape continues to evolve rapidly, with recent actions by California and Texas authorities highlighting the increasing enforcement of state privacy laws. These developments underscore the urgency for businesses to proactively review and strengthen their data privacy practices to ensure compliance across multiple jurisdictions.
California
In California, the California Privacy Protection Agency (CPPA) has announced a $345,178 settlement with national clothing retailer Todd Snyder, Inc.
This action stemmed from allegations that Todd Snyder failed to properly configure its privacy portal, resulting in a 40-day lapse in processing consumer opt-out requests. In addition, the company required consumers to provide more information than necessary to process privacy requests and imposed identity verification requirements for opt-out requests, both of which violated the California Consumer Privacy Act (CCPA). As part of the settlement, Todd Snyder has agreed not only to pay the fine but also to overhaul its privacy management infrastructure and provide CCPA compliance training for its employees.
This enforcement action is a clear signal from the CPPA that technical errors and excessive data collection in privacy request processes will not be tolerated. The agency has reiterated that businesses are fully responsible for the effectiveness and legality of their consent management solutions, which it also highlighted in its enforcement action against Honda earlier this year. Companies must ensure that their privacy portals and related mechanisms are properly configured, collect only the minimum information necessary to verify requests, and avoid imposing unnecessary verification hurdles for consumers seeking to exercise their opt-out rights. The CPPA’s recent enforcement history – including actions against major corporations and data brokers – demonstrates its commitment to protecting Californians’ privacy rights and its willingness to impose significant penalties for non-compliance. See CPPA’s Advisory on Applying Data Minimization to Consumer Requests.
Texas
Meanwhile, in Texas, Attorney General Ken Paxton has taken initial legal action against several Chinese and Chinese Communist Party-affiliated companies, including TP-Link, Alibaba, and CapCut, for alleged violations of the Texas Data Privacy and Security Act (TDPSA).
These companies have been given thirty days to comply with the state’s privacy requirements, which require transparency in data processing, robust opt-out options, and the ability for consumers to delete their personal data. The Texas Attorney General’s office has made it clear that failure to comply will result in further legal action, and this move follows a broader pattern of heightened scrutiny on foreign, particularly Chinese, technology firms operating in Texas.
The Texas enforcement action follows the Consumer Protection Division’s major data privacy and security initiative and highlights the need for all companies, especially those with international ties or operations, to carefully review their compliance with state-specific privacy laws. Businesses should ensure that they have transparent data processing disclosures, effective consumer opt-out and data deletion mechanisms, and clear protocols for responding to regulatory inquiries.
Privacy Action Items for Businesses
Attorneys General are actively monitoring compliance and taking legal action against companies of all sizes that are not complying with state privacy laws. Now is a good time to audit your organization’s privacy practices by testing all privacy workflows and internal policies and procedures. Specifically, organizations should:
- Review Privacy Notices: Review and update privacy notices to clearly disclose how your business and third parties process consumer personal data.
- Ensure Cookie Management Tools Are Fully Functional: Regularly audit and test cookie consent buttons and mechanisms to confirm they allow consumers to manage their preferences without technical issues or broken links.
- Make “Your Privacy Choices” Visible and Easy to Access: Avoid hiding or disabling privacy choice features. Non-functional or hard-to-find options likely violate applicable privacy laws.
- Properly Handle “Do Not Sell” Requests: Do not simply direct consumers to your privacy policy in response to “Do Not Sell” requests. Provide a clear, actionable mechanism for consumers to exercise this right.
- Remove Unnecessary Identity Verification Barriers: Do not require IDs or similar documentation for opt-out requests from all consumers.
- Consolidate Data Subject Request Forms and Standardize Systems: Avoid maintaining separate or confusing forms for privacy requests and ensure requests are processed efficiently. Integrate and harmonize your systems to ensure consistency and reliability. To reduce compliance risks, avoid using multiple, uncoordinated systems (e.g., both in-house and vendor-provided).
- Test Privacy Workflows: Routinely test all privacy rights workflows, including opt-out, data deletion, and access requests, to ensure they function as intended and comply with applicable laws. Do not rely solely on third-party solutions without validating their effectiveness and compliance.
- Adopt Data Minimization and Data Security Practices: Only collect data necessary for processing activities, especially when processing privacy requests. Establish and maintain reasonable data security practices to protect the confidentiality and integrity of consumer data.
- Provide Comprehensive Employee Privacy Training: Ensure all employees involved in handling consumer data or privacy requests receive up-to-date training on state-specific requirements, best practices for compliance, and instructions on how to respond to regulatory inquiries promptly.
For further guidance or support in navigating these evolving regulatory requirements, please contact our Privacy Law Group.