The California Privacy Protection Agency (CPPA) has announced that national clothing retailer Todd Snyder, Inc. must pay a $345,178 fine and make substantial changes to its privacy practices. The decision comes after the agency’s Enforcement Division found that the company violated several key provisions of the California Consumer Privacy Act (CCPA).
These issues reflect broader concerns the CPPA has previously highlighted. In fact, the agency had issued an enforcement advisory last year cautioning businesses about the risks of collecting too much information when consumers exercise their privacy rights.
Privacy Violations Identified by CPPA
The CPPA’s Enforcement Division alleged that Todd Snyder failed to comply with California’s privacy law in multiple ways:
- Failure to Process Consumer Opt-Out Requests: For a period of 40 days, the company’s privacy portal was not properly configured. As a result, requests from consumers to opt out of the sale or sharing of their personal data were not processed.
- Excessive Information Collection: When customers submitted privacy-related requests, the company required them to provide more personal information than was necessary to process these requests. This ran counter to CCPA guidelines, which emphasize minimal data collection.
- Unnecessary Identity Verification: Consumers were also required to verify their identity even to opt out of personal data sales or sharing — a step that is generally not required under CCPA unless sensitive information is being accessed or deleted.
Todd Snyder’s Settlement and Compliance Measures
To resolve the allegations, Todd Snyder has agreed to:
- Pay a $345,178 fine.
- Implement internal changes to better support consumer privacy rights.
- Properly configure its online privacy portal to ensure opt-out requests are received and processed correctly.
- Provide CCPA compliance training for its employees.
The settlement marks one of several enforcement actions by the CPPA aimed at ensuring businesses take their responsibilities under California’s privacy laws seriously.
Michael Macko, who leads the agency’s Enforcement Division, commented on the case: “Businesses should scrutinize their privacy management solutions to ensure they comply with the law and work as intended, because the buck stops with the businesses that use them. Using a consent management platform doesn’t get you off the hook for compliance.”
The Importance of Opt-Out Rights
The CPPA stressed that this case highlights the importance of opt-out rights under the CCPA. These rights give Californians the ability to limit how businesses collect, use, and share their personal data — a vital control as companies increasingly gather and analyze information from every customer interaction.
Tom Kemp, Executive Director of the CPPA, reinforced the agency’s message:
“Opt-out rights are one way for Californians to assert control over their personal information and protect themselves from real harms. The board’s decision should serve as an important reminder that our Enforcement Division is scrutinizing what businesses are doing to honor Californians’ privacy rights.”
According to the CPPA, improper use or sharing of personal information can expose consumers to serious risks, especially when data relates to sensitive topics like health, immigration, finances, religion, or ethnicity.
A Broader Pattern of Enforcement
This is not the first time the CPPA has taken action against companies for violating privacy laws. In recent months, the agency has ramped up enforcement to protect consumers, reflecting a broader commitment to ensuring privacy regulations are properly implemented and enforced. Some recent actions include:
- American Honda Motor Co. was ordered to pay a $632,500 fine and revise its privacy practices, marking the second-highest fine in the history of the CCPA.
- Background Alert, a data broker known for claiming it could uncover “scary” amounts of personal information, was required to either shut down operations or pay a significant penalty.
- National Public Data, Inc., a Florida-based data broker, faced enforcement action after a data breach exposed millions of Americans’ Social Security numbers and other personal data.
- The CPPA also launched the Consortium of Privacy Regulators, a bipartisan coalition designed to support enforcement of privacy laws nationwide.
- In addition, the agency has partnered with international privacy watchdogs in Korea, France, and the United Kingdom, showing its commitment to cross-border collaboration in safeguarding Californians’ data.
These efforts come on the heels of several other actions, including penalties against unregistered data brokers and an investigative sweep into how these entities are complying with California’s Delete Act, a law aimed at helping consumers permanently delete personal data held by data brokers.
A Reminder to Review Compliance
Beyond enforcement, the CPPA remains focused on its mission to educate both consumers and businesses about privacy rights and obligations. The agency regularly issues advisories and guidance documents, helping organizations navigate complex compliance issues.
Businesses operating in California — or offering goods and services to Californians — are required to understand and honor the privacy choices of consumers.
The Todd Snyder case reinforces the need to:
- Audit and test privacy systems regularly.
- Minimize data collection for privacy request processing.
- Avoid unnecessary identity verification for opt-out requests.
- Ensure that third-party privacy platforms and tools are compliant.
While the fine itself may be manageable for a large retailer, the reputational and operational consequences of non-compliance can be significant. The CPPA’s increasing activity sends a clear signal: businesses must take consumer privacy seriously, or face the consequences.
As California continues to lead the way in privacy protection, businesses across the country and beyond are expected to align their practices with its standards. The case against Todd Snyder is one of many — and it likely won’t be the last.
