By Ethan Forrest
For the first time, California Attorney General Kamala Harris has announced a privacy breach settlement that requires the defendant company to create a “chief privacy officer” position to oversee compliance with privacy laws.
The company in question is Houzz Inc., a popular online platform for home design and décor. Attorney General Harris asserted that Houzz violated California anti-eavesdropping and anti-wiretapping laws, which forbid recording phone calls without notifying the other parties to the call and obtaining their consent. According to the complaint, for about six months in 2013, Houzz had recorded all incoming and outgoing calls for “quality assurance and training purposes.” But it never notified parties to the calls, or obtained their consent.
The settlement requires that Houzz officially appoint a chief privacy officer (often called a “CPO”) within sixty days of the settlement’s entry. The chief privacy officer must be knowledgeable about all state and federal privacy laws; establish privacy policies and procedures that comply with those laws; and oversee Houzz’s compliance with those policies and procedures. The chief privacy officer will have the authority to report significant privacy concerns to Houzz’s CEO and other executive officers. The settlement also includes $175,000 in penalties and fees, and requires Houzz to complete an extensive privacy risk assessment and monitoring program.
While this settlement is a first for the California Attorney General’s office, the Federal Trade Commission has included similar requirements in past settlements. And increasingly, companies have been proactive in establishing their own privacy officer positions, as high-profile data breaches, privacy litigation, and overall concerns about user privacy have become more acute.