Consent Consent Consent: Opt Out Enforcement is a Wake-Up Call for U.S. Organizations
The enforcement of data privacy laws in the United States is becoming a critical concern for organizations doing business in major consumer juggernaut states like California. Notably, regulations such as the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), have established clear requirements for companies to honor consumers’ right to opt out of the sale or sharing of their personal information. These clear requirements have led to two major enforcement actions in the two years since enforcement began. However, enforcement can and will come from the FTC and other US states in the coming years. Enforcement actions, including significant fines and settlements, serve as a cautionary case study for organizations nationwide.
4 Significant Public Enforcement Actions related to Opt Out & Do Not Sell/Share
- Sephora, Inc. – Fined in 2022
Issue: Sephora failed to disclose the sale of personal data via third-party cookies and failed to comply with “Do Not Sell” requirements by not providing a clear opt-out mechanism. The company had 30 days to comply with the requirement but could not meet this cure period deadline. CCPA no longer has a 30-day cure period as of January 1, 2023.
Outcome: A $1.2 million settlement with the California Attorney General.
Impact: The first of its kind, this case highlighted the importance of transparency in data-sharing practices and was a landmark in demonstrating California’s commitment to enforcing privacy laws.
- GoodRx – Fined in 2023
Issue: The Federal Trade Commission (FTC) investigated GoodRx over the use of tracking tools and determined that the FTC Act had been violated. GoodRx shared sensitive health data with advertisers without properly disclosing or honoring opt-out rights.
Outcome: GoodRx disagreed with the FTC’s findings. However, they chose to settle the alleged violations with the FTC for $1.5 million rather than fight them in court.
Impact: The settlement agreement now requires GoodRx to refrain from sharing users’ health information with third parties for advertising purposes and to obtain consent before sharing data for non-advertising purposes.
- TikTok – Fined in 2019 and Ongoing Enforcement Actions
Issue: In 2019, TikTok, then operating as Musical.ly, was fined $5.7 million by the FTC for violating the Children’s Online Privacy Protection Act (COPPA). The company was found to have collected personal information from users under 13 without parental consent. Despite agreeing to the fine and implementing measures to comply with COPPA, new allegations have surfaced.
Outcome: TikTok paid a $5.7 million fine in 2019 and introduced a separate experience for users under 13. However, in 2024, the FTC and the U.S. Department of Justice filed a joint lawsuit alleging TikTok violated the 2019 consent decree by continuing to collect data from minors without proper consent.
Impact: The ongoing investigations and allegations highlight the heightened scrutiny on platforms handling significant amounts of user data, particularly when minors are involved. TikTok’s case underscores the necessity of consistent and transparent compliance with privacy regulations.
- DoorDash (2024)
Issue: According to the AG Office’s findings, DoorDash failed to adequately inform consumers about their right to opt out of the sale of their personal data, violating California’s “Do Not Sell” provisions. The company allegedly used third-party tracking technologies that facilitated data sharing without providing a clear mechanism for consumers to opt out.
Outcome: DoorDash reached a $375,000 settlement with the California Attorney General. Under the agreement, the company was required to improve its privacy disclosures and implement robust mechanisms for consumers to exercise their data rights.
Impact: The case underscores the importance of implementing transparent and accessible opt-out mechanisms, especially for companies using tracking technologies like cookies.
Opt Out Preference Signal and Universal Opt Out Mechanisms
Requiring organizations to enable a Universal Opt Out Mechanism (UOOM) is becoming ubiquitous across all US data privacy laws. 17 of the US privacy laws currently passed, including Florida’s, which is not considered comprehensive, require Global Privacy Controls. Though the language across the gamut of laws is nuanced, they all reinforce the same idea: organizations collecting data must implement a robust opt-out mechanism.
Implications for Organizations doing business in the US
- Broader Compliance is Needed: The high-profile enforcement actions in California set a precedent for how other states might approach their data privacy laws. Organizations operating in multiple jurisdictions must anticipate stricter requirements and align their practices accordingly.
- Transparency as a Business Imperative: Businesses are now under pressure to clearly disclose their data practices, including any sale or sharing of personal information. This requires clear, accessible privacy policies and opt-out mechanisms prominently displayed on websites.
- Adoption of Universal Opt-Out Mechanisms: California mandates recognition of Global Privacy Controls (GPCs) as valid opt-out requests. Organizations must implement technical solutions to ensure compliance with these emerging standards.
- Vendor and Partner Management: Third-party relationships play a critical role in compliance. Businesses must ensure that their partners adhere to applicable data privacy laws, as non-compliance could implicate them in enforcement actions.
- Potential Expansion of Federal Oversight: As state-level actions gain momentum, federal data privacy legislation is a growing possibility. Companies should prepare for a more uniform set of rules that might replace or complement existing state laws.
What Businesses Should Do Today
- Audit and Update Data Practices: Conduct regular reviews of data collection, sharing, and selling practices.
- Implement Clear Opt-Out Mechanisms: Ensure compliance with “Do Not Sell” and “Do Not Share” regulations by providing conspicuous links and functional tools for consumers.
- Utilize Data Privacy Tools Like Clarip: Leverage Clarip to streamline compliance efforts. Clarip’s solutions can help businesses identify data-sharing practices, automate opt-out mechanisms, and ensure adherence to privacy regulations.
- Educate and Train Employees: Build organizational awareness around data privacy obligations and best practices.
- Monitor Legal Developments: Stay informed about changes in state and federal privacy laws to remain ahead of compliance requirements with Clarip Privacy Law Tracking.
Turn Challenges into Opportunities with Clarip
The enforcement actions against companies like Sephora, GoodRx, DoorDash, and TikTok underscore the evolving landscape of data privacy in the United States. As consumer awareness and regulatory scrutiny grow, businesses must take proactive steps to align with these expectations. Failure to do so could result in significant financial penalties and reputational damage. By embracing transparency and prioritizing compliance, organizations can turn these challenges into opportunities to build consumer trust and safeguard their operations against future enforcement actions.