California’s Attorney General, Kamala Harris, has required Houzz, a home décor information and e-commerce website and mobile app publisher, to hire a chief privacy officer (CPO), conduct a company-wide privacy assessment, and maintain a privacy compliance program to settle a lawsuit that alleged Houzz failed to follow California law that requires disclosure of the recording of customer service calls. Although part of a settlement and thus not binding on other companies, the requirement illustrates what regulators believe is reasonably necessary for companies to do to ensure they are meeting privacy and data security obligations. The CPO is required to “ensure that Houzz develops privacy policies and procedures for Houzz that are consistent with applicable state and federal privacy laws,” “oversee Houzz’s compliance with such policies and procedures,” and “have authority and autonomy to perform these responsibilities and to report any significant privacy concerns to the Chief Executive Officer….” The required privacy assessment is required to “evaluate: (1) issues… that are implicated by the Company’s business processes, use of technology, and (if applicable) related to any business partners with whom Houzz shares personal information; and (2) Houzz’s efforts to mitigate or avoid any adverse effects of such issues on individuals in the United States.” Any company that does not have a robust privacy and data protection program, overseen by a senior-level executive, should take note of this settlement and undertake to evaluate their data practices, ensure legal compliance, and implement best practices.

For more information on how to do so, see:  An Ounce of Prevention Is Better (and Cheaper) Than a Pound of Cure: It’s time for a data protection checkup.

Read a copy of the Houzz Final Judgment and Permanent Injunction, here