On September 30, the California Privacy Protection Agency (CPPA) announced a stipulated final order requiring a national retailer to pay a $1.35 million fine and implement remedial measures to resolve alleged violations of the California Consumer Privacy Act (CCPA). The CPPA described the $1.35 million penalty as “the largest in the CPPA’s history” and noted the decision is the first to address CCPA privacy notice requirements for job applicants, as opposed to just consumers.

The CPPA found the retailer failed to maintain a privacy policy that “notified consumers of their rights,” did not notify job applicants of their privacy rights or how to exercise them, and did not provide consumers with an “effective mechanism to opt-out” of the selling or sharing of their personal information — such as by enabling opt-out preference signals. The CPPA also determined that the retailer disclosed personal information to third parties without entering into contracts that contained “privacy protections.” Under the order, the retailer must “scan its digital properties” and keep “an inventory of tracking technologies” quarterly, update privacy notices and opt-out mechanisms, and require a corporate officer or director to certify compliance annually for four years.