Editor's note: The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains. 

This article is part of an ongoing series that will explore issues or recent developments in data, cybersecurity and artificial intelligence governance.

California Attorney General Rob Bonta last week announced a USD2.75 million California Consumer Privacy Act settlement, the largest to date, and I think companies should adopt the Snow White and the Seven Dwarfs refrain in response: "Heigh-ho, heigh-ho, it's off to work we go" to make sure sites, applications and services address CCPA and other state privacy requirements. 

The basic privacy rule seems simple at a high level: give consumers the opportunity to opt out of sales or sharing of their personal data for targeted and/or behavioral advertising. But the reality is that achieving compliance with this rule is increasingly complicated. This is the case even for good companies trying to do the right thing. 

Technologies are changing rapidly. Several years ago, companies could assume their cookie management tools could largely handle all of this without much trouble. Today, cookie management tools require more attention. The underlying technologies are changing — for example, cookies, pixels and tags are still active, but they are also being re-scoped and absorbed into server-side application programming interfaces as opposed to relying on consumer browsers. 

Users have opportunities to express choices right on businesses' websites — for example, through opt-out links — but they also can go to third parties, such as the Global Privacy Control, to configure a universal opt-out mechanism through their browsers, which by law must be recognized and honored in California and other U.S. states. 

Third parties in the ecosystem are updating their code and terms, which need to be reconciled with the company's controls. 

Moreover, companies themselves are rapidly developing new sites, apps and services that interact with users in different ways. And of course, plaintiffs' firms are continuing to innovate with new theories and claims — for example, wiretapping — to extract payments from companies, and regulators are exerting their authority under new privacy laws and regulations.    

Lessons learned 

Regulators are paying close attention to how companies manage opt-outs for sales, sharing or targeted advertising. It is relatively easy for regulators to analyze the surface of a company's sites, apps and services to see whether core opt-out functionality is available and working as needed. California and other state agencies are jointly investigating businesses on issues related to honoring rights to opt out of sales, sharing or targeted advertising. 

California regulators are focused on ensuring that opt-out procedures are easy to use, and this recent California settlement centers on exactly that. 

As part of the settlement, the company must ensure there is a clear and conspicuous opt-out link that either immediately effectuates the consumer's choice or directs to a notice of the right to opt out. 

When a consumer is not logged into an account, the company needs to honor an opt-out request in connection with the browser, application or device the consumer is using, and also provide notice to the consumer that they may need to log into an account or take other steps to fully effectuate an opt-out. 

If the consumer is logged into their account, the settlement appears to require that the opt-out needs to be implemented to apply across the services the business associates with that account. 

The settlement also discusses other points, including that the notice of the right to opt out needs to be formatted and designed to fit and scale to the web browser, application or device, and that the business must provide an easy-to-use opt-out method, such as a simple toggle or check box. In addition, the business must ensure it does not sell or share personal information about consumers whom it knows are children or minors, unless it has affirmative authorization for such activity from the parent on behalf of the child, or from the minor themselves.   
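The opt-out handling described in the settlement terms above amounts to a small decision rule, and the following is an added example (not code from the article or from any vendor's consent tool) showing one way to model it. It assumes the request and account shapes shown, represents the Global Privacy Control browser signal as the `Sec-GPC: 1` request header, and records whether the opt-out was applied at the browser/device level or across the account.

```python
# Added example (not from the article): opt-out resolution modelled on the
# settlement terms above. Data shapes and names are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    account_id: str
    known_minor: bool = False                # business knows the user is a child/minor
    affirmative_authorization: bool = False  # parent's (or minor's) consent on file
    services: tuple = ()                     # services the business links to this account

@dataclass
class OptOutRequest:
    gpc_header: Optional[str]                # raw value of the Sec-GPC request header, if any
    clicked_opt_out_link: bool               # consumer used the on-site opt-out link
    device_opt_out_stored: bool              # a prior browser/app/device-level opt-out exists
    account: Optional[Account] = None        # None when the consumer is not logged in

@dataclass
class Decision:
    may_sell_or_share: bool
    scope: str                               # "none", "device" or "account"
    notices: list = field(default_factory=list)

def gpc_signals_opt_out(header: Optional[str]) -> bool:
    """Global Privacy Control: a request header of 'Sec-GPC: 1' is an opt-out signal."""
    return header is not None and header.strip() == "1"

def resolve(req: OptOutRequest) -> Decision:
    acct = req.account
    # Known child/minor: no sale or sharing without affirmative authorization,
    # regardless of any opt-out signal.
    if acct is not None and acct.known_minor and not acct.affirmative_authorization:
        return Decision(False, "account", ["known minor without authorization"])
    opted_out = (gpc_signals_opt_out(req.gpc_header)
                 or req.clicked_opt_out_link or req.device_opt_out_stored)
    if not opted_out:
        return Decision(True, "none")
    if acct is None:
        # Not logged in: honor for this browser/app/device and tell the consumer
        # that further steps may be needed to fully effectuate the opt-out.
        return Decision(False, "device",
                        ["Applied to this browser, app or device; log in to apply it to your account."])
    # Logged in: apply across every service the business associates with the account.
    return Decision(False, "account",
                    [f"Applied across {len(acct.services)} account-linked services"])
```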

Settlements often include ongoing injunctive relief, ongoing oversight, fines and potential heightened consequences for noncompliance. Entering into a settlement therefore has downsides: settlements typically impose injunctive relief requiring compliance with specific statutory and settlement provisions, and they include elements of ongoing oversight. 

This recent settlement requires the company to update the regulator every 60 days until all compliance requirements are met, and to provide an annual report for each of the next three years on compliance. 

The business is also required to pay a USD2.75 million fine. In addition, because the settlement is a court order, subsequent noncompliance can lead to additional consequences, including judicial sanctions and renewed enforcement actions, which could include penalties of USD2,500 per violation and other consequences.

Recommendations at this stage

Tone at the top. As with any other area of corporate compliance, privacy compliance starts with the tone at the top. If this has not already happened, this latest CCPA settlement, along with the string of other recent privacy enforcement and privacy litigation matters, should be shared with the company's senior leadership. This will help ensure that they understand the importance of the issue and properly instruct the relevant parts of the business to take it seriously. 

Pen test privacy programs, including opt-out rights. It's important for companies to test whether their privacy controls are working as intended in the production versions of their sites, apps and services.  

Ensure privacy teams have up-to-date technical training. The technologies, browsers, third-party code and other aspects of the ecosystem are changing and developing rapidly. Legal theories and enforcement actions are also advancing at pace. It is no longer enough to purchase a brand-name cookie management tool and rest easy thinking everything is properly handled. 

The privacy team needs sufficient technical training to make sure they understand how cookie management and other tools and technologies are working, and to be able to troubleshoot and fix problems, including with external help as needed.

Keep privacy documentation updated. It is important to maintain appropriate documentation to evidence the effectiveness of the company's privacy practices, including inventories of data recipients, opt-out procedures, relevant privacy agreements, legacy and current privacy policies, and other documentation.

Brian Hengesbaugh, CIPP/US, is the global chair of data and cyber at Baker McKenzie.