Last week, the California Privacy Protection Agency fined a retailer $345,000 for failing to effectively effectuate consumers’ opt-out preference signals to prevent the sharing of their personal information (see decision below). The remedies outlined in the settlement are a clarion call for #privacypros.

In short, the CPPA says privacy tech alone is not enough, just as Teresa (T) Troester-Falk wrote in an op-ed published by the IAPP today https://lnkd.in/eNqYpD4x. The CPPA alleges that the retailer relied on third-party privacy management tools without assessing their limitations, validating their operations or monitoring their functioning. They also allege the retailer required consumers to provide too much personal information (including sensitive information) to process their opt-out requests.

Privacy tech is often critical today – there are far too many consumer requests, data sources, third-party partners, and assessments to manage manually – but it is equally vital to have a knowledgeable #privacypro building and overseeing the privacy program around it. This will only get more important as AI achieves its potential and scales across society.

So what does the CPPA settlement require specifically? Beyond correcting the alleged deficiencies, the CPPA specifically requires the retailer to:
- “develop, implement, and maintain procedures” to identify disclosures and ensure it processes opt out requests appropriately
- “establish and implement, and thereafter maintain policies, procedures, and technical measures designed to monitor the effectiveness and functionality” of its methods for complying with opt-out requests
- “develop, implement, and maintain procedures to ensure that all personnel handling Personal Information are informed of the Business’ requirements under the CCPA and its implementing regulations relevant to their job functions” – i.e. conduct #privacy training
- “maintain a contract management and tracking process to ensure that contractual terms required by the CCPA are in place with all external recipients of Personal Information”

Lots for privacy pros to focus on as they gain efficiencies and scale with privacy and #AI governance tech.
Ensuring Compliance In Retail Checkout Processes
Summary
Ensuring compliance in retail checkout processes refers to implementing practices and technologies that meet legal, security, and regulatory standards during transactions, protecting customer data, and avoiding penalties. From privacy policies to tax obligations and payment security, organizations must address multiple areas to maintain trust and stay compliant.
- Secure sensitive data: Implement regular monitoring and maintenance of checkout page scripts to safeguard against unauthorized changes or security breaches, especially with new PCI DSS requirements targeting online payments.
- Meet state tax regulations: Register and file sales tax obligations promptly once thresholds are met, and consider expert guidance or software to track state-specific compliance requirements.
- Train your team: Provide comprehensive training to all personnel handling personal or payment information, ensuring they are aware of regulatory requirements and company policies.
Over the last quarter, 20+ businesses have come to us for guidance after receiving notices for sales tax audits. This isn’t a coincidence.

Sales tax audits are increasing, especially within e-commerce. States are increasing their efforts to find non-compliant businesses. It's been almost 7 years since the Wayfair decision, and states aren’t as lenient as before. Audit task forces are growing in high-population states like California, Texas, and Illinois. And since sales tax revenue funds budget items, states have a vested interest in closing the gap between the taxes owed and the taxes paid.

Pre-audit questionnaires are also becoming more common. States are sending them to businesses, even if they haven't registered, requesting up to 3 years of sales data. And on top of all this, states are working together—sharing business information, making it easier to find non-compliant sellers. So if you’re non-compliant in one state, you may be caught by another.

Staying compliant across every state you sell in is more important than ever. You might be subject to an audit if:
→ You've failed to register and remit sales tax
→ You report high amounts of sales tax immediately after registering
→ You're connected to other vendors or customers being audited

The penalties for non-compliance are high and getting stricter. In some states, penalties can be as high as 39% of taxes owed.

My advice to ensure compliance:
1. Stay on top of it—once you’ve reached the nexus threshold in a state, register and file.
2. Partner with an expert or use sales tax software to help you keep track of changes.
3. If you’ve been non-compliant for some time, a Voluntary Disclosure Agreement could help reduce penalties and liability.

States aren’t playing around, and they will come knocking. The cost of non-compliance far outweighs the effort of staying on top of your sales tax obligations. If you have any questions about staying compliant, shoot me a message—happy to help.
If your site collects credit card payments, this could affect you.

New PCI DSS Requirements Target Script-Based Attacks on Checkout Pages

Starting March 31, 2025, PCI DSS v4.0 enforces two new requirements focused on client-side security.

What's changing: Online merchants must now track, verify, and monitor all scripts running on payment pages. That means:
- Maintaining an inventory of scripts
- Understanding each script’s purpose
- Detecting tampering or unauthorized changes
- Using tools to monitor real-time modifications

Who’s impacted: Any business that processes cardholder data through their own checkout page. Hosted checkouts (e.g. Stripe Checkout) may be exempt -- but documentation is still required.

Why it matters: Magecart-style attacks and e-skimming campaigns target checkout scripts. These new measures are designed to close that gap.

If you’re dealing with payment updates, security stuff, or PCI compliance -- we can help.