California Fines Todd Snyder for Opt-Out Failures; Colorado Privacy Act Amendments Await Signature 

Want to receive these privacy recaps in your inbox each week? Subscribe here.

UNITED STATES

Clothing Retailer’s Opt-Out Misconfiguration Results in 6-Figure CPPA Fine

The California Privacy Protection Agency (CPPA) issued a decision fining Todd Snyder $378,178 based on allegations that the men’s clothing retailer failed to properly process requests to opt out of the sale or sharing of personal information. Specifically, Todd Synder installed on its website third-party tracking software that disclosed personal information to advertising networks for cross-context behavioral advertising (constituting a “share” under California law) and told consumers they could opt out, but, due to a misconfiguration of the company’s opt-out mechanism that persisted for a 40-day period, it was impossible for consumers to actually submit opt-out requests during such period.

TAKEAWAY

The CPPA stresses in the case the importance of not only putting required mechanisms in place, but also monitoring to ensure such mechanisms are functioning as intended, stating specifically that Todd Snyder “would have known that Consumers could not exercise their CCPA rights if the company had been monitoring its website” and “had taken steps to ensure that its mechanism for Consumers to submit Requests to Opt-out of Sale/Sharing was properly configured and functioning”. In addition to the fine, the decision requires Todd Synder to implement policies, procedures and technical measures designed to monitor the effectiveness and functionality of methods for submitting opt-out requests. 

Colorado Privacy Act Amendments Sent to the Governor

As part of a broader immigration bill , the Colorado legislature sent revisions to the Colorado Privacy Act to the Governor for signature. Specifically, if signed, the Colorado Privacy Act will be amended to: (a) clarify that opt-in consent is required to process or sell sensitive data; (b) add precise geolocation data to the definition of sensitive data (requiring such consent); and (c) define precise geolocation data as information identifying the present or past location of a device that links or is linkable to an individual within an 1850-foot radius.

TAKEAWAY

This case is a reminder that AG privacy enforcement is not limited to those states that have passed a comprehensive privacy law. Although there is a lot to unpack from the 54-page complaint, one particularly notable element demonstrating a clash of state laws is the Attorney General’s analysis of Roku’s “Your Privacy Choices” screen, which gives all users (regardless of jurisdiction) the ability to enable a “Do not share or sell my personal information” setting–a setting required under California law. Although the Michigan Attorney General would not be able to make a claim based on a company’s failure to offer this setting (since it is not required under Michigan law), Roku’s decision to offer this setting to Michigan users and alleged failure to effectuate the setting as described has opened the platform up for liability under Michigan’s consumer protection act. Specifically, the complaint alleges that, by failing to disclose on the “Your Privacy Choices” screen that enabling the setting only opts the user out of disclosures of personal information that support targeted advertising (rather than all personal information sharing), Roku engages in unfair, unconscionable, or deceptive methods, acts or practices in violation of Michigan law. 

A LITTLE MORE PRIVACY, IF YOU PLEASE

United States

• Texas AG announces $1.375 billion privacy settlement in principle with Google

Europe

• Italian DPA (Garante) opens public consultation on lawfulness of newspaper publisher “pay or ok” models 

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.