Recent Enforcements Offer Privacy Compliance Lessons, Lawyers Say
Companies can learn practical lessons from common themes in recent enforcement actions, and implementing those takeaways can help them stay ahead of evolving privacy requirements, Quarles lawyers said in a blog post Monday.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The lawyers urged businesses to "exercise caution when relying on privacy vendors." They pointed to California's recent Healthline settlement (see 2507030026), where "the company was held accountable for [California Consumer Privacy Act (CCPA)] violations despite relying on a privacy vendor, demonstrating that vendor solutions should support robust internal compliance measures, rather than replacing them."
The Healthline settlement also revealed that "understanding data collection and use is critical, particularly regarding purpose limitation and advertising practices," the lawyers said. "It is very important to know what data your business has, as regulators are increasingly launching investigative sweeps focusing on specific types of data, such as location data."
The California Privacy Protection Agency (CPPA) settlement with menswear company Todd Snyder (see 2505060043) "highlighted that ineffective cookie banners and improperly configured privacy mechanisms can result in enforcement actions," so "privacy measures must be substantive and effective, not merely procedural," the lawyers said, adding that keeping a privacy policy up to date helps as well.
They also noted that the CCPA's "statute of limitations is five years, and the CPPA is issuing investigative subpoenas dating back the full five years, which sends a clear message that compliance now does not insulate businesses from potential liability for historical noncompliance." The Quarles lawyers suggested organizations keep thorough records that "document various aspects of their privacy compliance program over time," as the "records demonstrate not only current practices but also an ongoing commitment to meeting regulatory standards as they evolve." For example, the CPPA recently revealed that Tractor Supply Co. argued that its actions in 2023 fall outside the scope of CPPA authority, which the agency said was untrue (see 2508060070).
"Effective privacy programs require ongoing attention, proactive planning, and the agility to adapt quickly as regulations and business needs evolve," the Quarles lawyers said. "By prioritizing privacy as an integral part of organizational strategy, businesses can better position themselves to anticipate changes and respond efficiently to new challenges."