Implement GPC signal recognition: Businesses need to update their websites and backend systems to “detect the presence of the GPC header or equivalent signals sent by browsers or browser extensions. The GPC signal is transmitted as part of the HTTP header or via JavaScript, and must be detected reliably on every relevant page where personal data is collected or sold.”Integrate with consent management platforms (CMPs): The advisory recommended that the platforms be configured to recognize GPC signals automatically and override any conflicting consent settings or defaults that would otherwise allow data sales or sharing.Testing and monitoring: It said that businesses should “routinely test that their systems properly detect GPC signals across browsers and devices, and monitor logs to verify that signals are being received and honored in real time.”In addition, organizations need to update their privacy policies, the lawyers suggested, adding, “privacy notices and policies should clearly describe how the business responds to GPC signals, including the rights consumers have and the duration of the opt-out.”Legal action for non-compliance is a distinct possibility. Recent cases involving the enforcement division of the CCPA saw clothing retailer Todd Snyder fined $345,178 for violating the state’s privacy act, and American Honda Motor Co. fined $632,500 for CCPA violations, which the agency described as one of the highest fines imposed in the law’s history.
Quasi-selected targeting seen as prudent move: David Shipley, head of Canadian-based Beauceron Security, likened the move by the CPPA and the three states as the equivalent of a blitz to slow down drivers who go over the speed limit.The initiative, he said, is “the governance and privacy law equivalent of, ‘let’s put the California privacy Highway Patrol out there and see who’s speeding, who’s not actually going to play by the rules,’ and it’s smart. It’s part of the toolkit that should be out there and done responsibly. It’s done in a way that’s not like ‘we’re auditing everybody.’ That’s terrifying, I don’t think anyone has the resources for it, and it would cause mass chaos.”But a random, or even a quasi-selected targeted enforcement initiative, he said, will actually help the privacy sector: “What I mean by that is, there are a lot of hard working folks in in the privacy or governance, risk and compliance side, and they’re going to say, ‘hey, there’s this law’. And then sometimes they run into a lull at senior executive or even board levels, where people go, ‘yes, but what’s the chances we will actually get hit with it? That’s a risk we’re willing to accept and what’s this actually going to cost us? What are the chances that this will happen versus all the other business pressures were under?’”This initiative, said Shipley, “changes the equation in people’s minds, which is not a bad thing.” He added that what is really needed is a national privacy agenda.”The United States functions the best when it acts as a united state,” he said. “What I mean by that is a national comprehensive privacy law with a single reporting mechanism and single set of standards is more cost effective for businesses that operate in multiple jurisdictions.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4055217/california-two-other-states-to-come-down-hard-on-gpc-violators.html
