On May 6, 2025, the California Privacy Protection Agency (“CPPA”) announced that it had issued an Order requiring clothing retailer Todd Snyder, Inc. (the “Company”) to change its business practices and pay a $345,178 fine to resolve alleged violations of the California Consumer Privacy Act (“CCPA”).
The CPPA alleged that the Company had violated the CCPA by:
- failing to oversee and properly configure the technical infrastructure of its privacy rights portal, resulting in a failure to process consumer requests to opt out of the sale or sharing of their personal information for 40 days;
- requiring consumers to submit more information than necessary to process their privacy rights requests, including requiring consumers to submit a photograph of themselves holding an identity document to submit a request; and
- requiring consumers to verify their identity before they could opt out of the sale or sharing of their personal information.
The CPPA alleged that the Company’s opt-out tool was improperly configured and that the Company “would have known that consumers could not exercise their CCPA rights if the company had been monitoring its website.” The Company instead “deferred to third-party privacy management tools without knowing their limitations or validating their operation.” In announcing the Order, Michael Macho, head of the CPPA’s Enforcement Division, echoed the sentiment that companies should not solely rely on third-party privacy compliance tools, stating that “businesses should scrutinize their privacy management solutions to ensure they comply with the law and work as intended, because the buck stops with the businesses that use them,” and that “using a consent management platform doesn’t get you off the hook for compliance.”
In addition to paying a $345,179 fine, the Order requires the Company to:
- Develop, implement and maintain opt-out of sale/sharing policies, procedures, methods and technical measures that:
- do not require consumers to verify such requests or provide more information than is necessary to process the requests;
- comply with the CCPA and its implementing regulations, including requirements relating to opt-out preference signals;
- identify disclosures of personal information that constitute a “sale” or “sharing” of personal information under the CCPA to ensure the Company appropriately processes opt-out requests;
- monitor the effectiveness and functionality of the Company’s methods for submitting opt-out requests; and
- apply opt-out preference signals.
- Not require consumers to provide more information than is necessary to process verifiable consumer privacy requests (g., access, deletion, correction);
- Develop, implement and maintain procedures to ensure that all personnel handling personal information are informed of the Company’s requirements under the CCPA relevant to their job functions; and
- Maintain a contract management and tracking process to ensure that all contractual terms required by the CCPA are in place with external recipients of personal information.
The full Order is available here.