California Attorney General Kamala Harris recently announced a settlement with Houzz Inc., a home design website, over allegations that the company failed to notify individuals that it was recording their phone calls with the company.1 While the settlement included the payment of $175,000 in penalties and fees, it also included the surprising requirement that Houzz appoint a “Chief Privacy Officer” or similar employee responsible for privacy compliance at the company. This settlement is the first time a U.S. privacy regulator has specifically included such a requirement in a privacy settlement, and it signals the importance to the California Attorney General of companies having executive management oversight for a privacy program.
Houzz provides an online platform for home remodeling and design where consumers can browse design ideas, connect with home improvement professionals, and shop for curated products. The company also markets promotional services to home improvement professionals; Houzz promotes the professionals and connects them with potential customers in their area.
In its complaint, the attorney general alleged that from March 2013 to September 2013, Houzz’s sales staff in its Orange County, California, office recorded all outgoing calls for quality assurance and training purposes. However, the call recipients, including professionals Houzz called to market its promotional services, were not notified that the calls were being recorded. Additionally, the attorney general alleged that from July 2013 to September 2013, the sales staff began recording all incoming calls, including calls from customers, for quality assurance and training purposes, and the company did not notify the callers that it was recording the calls. The attorney general’s complaint did note that Houzz never shared any of the recordings with third parties, that only a small number of Houzz’s employees had access to the recordings, and that only a few of the recordings were actually reviewed by employees. Nevertheless, according to the attorney general, Houzz engaged in unfair business practices because the recordings violated California’s wiretapping and eavesdropping laws, which require all parties to consent to the recording of phone calls.2
Under the settlement, Houzz must pay $105,000 in civil penalties and $70,000 in attorneys’ fees, and must comply with California’s wiretapping and eavesdropping laws in the future. Surprisingly, the settlement appears to allow Houzz to keep the recordings, at least until the company determines that it is no longer appropriate to retain them. However, the company must retain the recordings in a secure location and notify the California Attorney General’s office once it destroys them.
The most interesting aspect of the settlement concerns oversight of Houzz’s privacy program. Within 60 days of the settlement, Houzz must designate a new or existing employee who must make good faith efforts to:
- Be or become knowledgeable of relevant and applicable California and federal privacy statutes
- Ensure that Houzz develops privacy policies and procedures for Houzz that are consistent with applicable state and federal privacy laws
- Oversee Houzz’s compliance with such policies and procedures
This employee may be given the title of “Privacy Officer” or “Chief Privacy Officer,” but a specific title is not required. Importantly, this employee must have the authority and ability to perform the required actions and to report any significant privacy concerns to Houzz’s CEO or other designated executives.
The settlement also requires Houzz to complete a privacy risk assessment that addresses Houzz’s efforts to comply with applicable privacy laws governing its U.S. operations. The assessment must evaluate issues that are implicated by Houzz’s business processes, its use of technology, and processes related to any third-party business partners with whom Houzz shares personal information. The risk assessment must also evaluate Houzz’s efforts to mitigate or avoid any adverse effects on individuals in the United States. Once Houzz completes the assessment, it must submit a copy of the assessment’s final report to the attorney general’s office.
While the attorney general’s inclusion of the “Chief Privacy Officer” requirement in the settlement is novel, companies handling personal information should not be surprised at the importance the attorney general places on such a role, as management and oversight are a typical requirement for comprehensive privacy and security programs.3 Additionally, as California often plays a leading role in privacy legislation and enforcement, other state attorneys general and privacy regulators may take notice of this provision and begin including similar requirements in their settlement agreements. Companies that have yet to designate and empower an employee with the responsibility for ensuring compliance with applicable federal and state privacy laws should consider doing so if they collect personal information from consumers.
2 See Cal. Penal Code § 632(a) (“a person cannot intentionally and without the consent of all parties to a confidential communication, by means of any recording device, record the confidential communication.”); Cal. Penal Code § 632.7(a) (“a person cannot, without the consent of all parties to a communication, receive and intentionally record a communication between a cellular radio telephone and a landline telephone and/or between a cordless telephone and a landline telephone.”).
3 For example, the FTC’s GLBA Safeguards Rule requires the designation of an employee or employees to coordinate a company’s information security program. See 16 C.F.R. § 314.4(a). FTC privacy and data security orders often include requirements that the company designate an employee or employees to coordinate and be responsible for the privacy or security program. See, e.g., Decision and Order, In the Matter of Facebook, Inc., FTC File No. 092-3184 (August 10, 2012), https://www.ftc.gov/sites/default/files/documents/cases/2012/08/120810facebookdo.pdf; Decision and Order, In the Matter of Fandango, Inc., FTC File No. 132-3089 (August 19, 2014), https://www.ftc.gov/system/files/documents/cases/140819fandangodo.pdf.