Todd Snyder Faces Fine in CPPA Enforcement Action for CCPA Violations

National clothing retailer Todd Snyder, Inc. (acquired by American Eagle Outfitters in 2015) has been ordered to pay a $345,178 fine and overhaul its privacy practices following a settlement with the California Privacy Protection Agency (CPPA) announced on May 6, 2025. The enforcement action addresses allegations that the company violated the California Consumer Privacy Act (CCPA) by failing to properly handle consumer privacy requests.

Alleged Non-Compliance Details

The CPPA’s Enforcement Division identified several key areas where Todd Snyder allegedly failed to meet CCPA requirements:

  • Failure to Process Opt-Out Requests: For a 40-day period in late 2023, Todd Snyder’s privacy portal, specifically its “Cookie Preference Center” link, was improperly configured. When consumers clicked the link, a consent banner would appear but then immediately disappear, making it impossible for them to submit opt-out requests. This misconfiguration also meant the site did not recognize Global Privacy Control (GPC) signals. The CPPA stated that Todd Snyder “would have known” its opt-out mechanism was not functioning correctly if it had been monitoring its website, but instead “deferred to third-party privacy management tools without knowing their limitations or validating their operation.”
  • Excessive Information Collection: The company was accused of requiring consumers to submit more personal information than necessary to process their privacy requests. This included demanding details like first and last name, email, and a photograph of the consumer holding their “identity document” for all requests, even for opt-out of sale/sharing requests. The CPPA found that requiring government identification for such requests was excessive.
  • Unnecessary Identity Verification: Todd Snyder allegedly required consumers to verify their identity before they could opt out of the sale or sharing of their personal information. This is a step generally not required under the CCPA unless sensitive information is being accessed or deleted.

Corrective Actions and Settlement Terms

To resolve the allegations, Todd Snyder has agreed to several measures in addition to the monetary penalty:

  • Overhaul Privacy Practices: The company will make significant changes to its business practices to ensure CCPA compliance.
  • Reconfigure Opt-Out Mechanisms: Todd Snyder will properly configure its mechanisms for submitting and managing opt-out preferences to ensure they function effectively. This includes not requiring consumers to verify their opt-out requests and recognizing opt-out preference signals.
  • Data Minimization for Requests: The company will not require consumers to provide more information than necessary to process opt-out requests.
  • Monitoring and Procedures: Todd Snyder will develop, implement, and maintain procedures to identify disclosures of personal information that constitute sales or shares, and to monitor the effectiveness and functionality of its methods for submitting opt-out requests.
  • Contract Management: The company will maintain a contract management and tracking process to ensure that contractual terms required by the CCPA are in place with all external recipients of personal information, primarily via data processing agreements (DPAs).
  • Provide CCPA Compliance Training: Employees, particularly those handling personal information, will receive training on CCPA compliance and the business’s requirements under the act.

Lessons Learned and Key Takeaways

This enforcement action offers several important lessons for businesses subject to the CCPA:

  • Ensure Operative Opt-Out Mechanisms: Businesses must not only have opt-out mechanisms but also ensure they are properly configured, functioning, and regularly monitored. This includes active oversight of any third-party privacy management tools, such as those providing cookie banners or other consent or opt-out functionality. The CPPA emphasized that “the buck stops with the businesses that use them,” and using a consent management platform does not absolve a company of its compliance obligations.
  • Tailor Privacy Request Mechanisms: Companies should avoid a “one-size-fits-all” approach to privacy requests, including via privacy policies and associated portals. The information collected and verification steps required should be tailored to the specific type of request and comply with the CCPA’s detailed rules, which emphasize minimal data collection.
  • Validate Vendor Tools: Businesses are responsible for ensuring that any third-party privacy management tools are correctly implemented, their limitations are understood, and their operation is validated. Merely deploying privacy technology is insufficient; ongoing management and validation are critical.
  • Scrutinize Verification Processes: Efforts to verify the identity of consumers submitting opt-out of sale/sharing requests will be scrutinized. Collecting excessive information, such as government identification for opt-out requests, is a compliance risk and discourages consumers from submitting requests. This echoes a 2024 CPPA Enforcement Advisory warning against collecting excessive information. Note that this decision pertained to opt-out requests, not access requests, where proof of identification might be more appropriate.
  • Prioritize Privacy Training: Regular and comprehensive privacy training for employees is crucial for maintaining CCPA compliance and is often a component of settlement agreements.
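As an added illustration of the monitoring and data-minimization takeaways above (example code, not Todd Snyder's, its vendors' or the CPPA's), the block below shows a server-side decision that treats a Global Privacy Control signal as an opt-out without verification, flags excessive fields on a manual opt-out form, and evaluates a synthetic probe response to confirm the site actually recorded the opt-out. The permitted-field list and the `optout=1` cookie name are assumptions for illustration.

```javascript
// Added example: defender-side helpers for honoring and monitoring opt-out
// of sale/sharing. Field list and cookie name are assumed, not from the page.

// Case-insensitive header lookup: Node and browsers differ in header casing.
function headerMap(headers) {
  return Object.fromEntries(
    Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), v])
  );
}

// Per the GPC specification only the exact value "1" is a signal; any other
// value (including "0" or absence) means no opt-out preference was expressed.
function hasGpcSignal(headers) {
  return headerMap(headers)["sec-gpc"] === "1";
}

// Assumed policy: a manual opt-out form needs at most an email address to
// locate the consumer's record. Identity documents are never required.
const OPT_OUT_PERMITTED_FIELDS = new Set(["email"]);

// Decide whether an incoming request is an opt-out and whether the form
// asked for more than it should have. `req` is { headers, body }.
function resolveOptOut(req) {
  if (hasGpcSignal(req.headers)) {
    return { optOut: true, source: "gpc", verificationRequired: false, excessFields: [] };
  }
  const body = req.body || {};
  if (body.request === "opt-out") {
    const excess = Object.keys(body.fields || {}).filter(
      (f) => !OPT_OUT_PERMITTED_FIELDS.has(f)
    );
    // Honor the request regardless; excess fields are a compliance finding
    // for the form, not a reason to reject the consumer's opt-out.
    return { optOut: true, source: "form", verificationRequired: false, excessFields: excess };
  }
  return { optOut: false, source: null, verificationRequired: false, excessFields: [] };
}

// Synthetic monitor: the caller requests a page with "Sec-GPC: 1" and passes
// { status, headers } here. The opt-out counts as honored only when the
// response sets the assumed "optout=1" cookie (anywhere in Set-Cookie).
function evaluateGpcProbe(response) {
  const setCookie = headerMap(response.headers)["set-cookie"] || "";
  const honored = /(^|[,;]\s*)optout=1(\s*[;,]|$)/i.test(setCookie);
  return { status: response.status, honored };
}
```

A probe that reports `honored: false` (or a non-200 status) is the kind of condition the settlement expects a business to detect itself rather than learn about from a regulator.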

Broader Context and Pertinent Insights

The Todd Snyder case is the CPPA’s second non-data broker enforcement action and signals an uptick in the agency’s enforcement activities across various industries (separately, the California Attorney General has brought its own CCPA enforcement actions, such as the action against Sephora). It follows a similar enforcement action against American Honda Motor Co., which also involved allegations of improper opt-out processes and excessive verification requirements. This pattern suggests a systematic focus by the CPPA on how businesses implement and manage consumer privacy rights requests, particularly the right to opt out, and on whether their privacy technology actually functions.

Michael Macko, head of the CPPA’s Enforcement Division, stated, “Businesses should scrutinize their privacy management solutions to ensure they comply with the law and work as intended, because the buck stops with the businesses that use them. Using a consent management platform doesn’t get you off the hook for compliance.” Tom Kemp, Executive Director of the CPPA, reinforced the importance of opt-out rights, stating, “Opt-out rights are one way for Californians to assert control over their personal information and protect themselves from real harms. The board’s decision should serve as an important reminder that our Enforcement Division is scrutinizing what businesses are doing to honor Californians’ privacy rights.”

This enforcement action underscores the CPPA’s commitment to actively enforcing California’s privacy laws. It highlights that businesses must be diligent in ensuring their privacy compliance programs are not only designed but also implemented, monitored, and maintained in full compliance with the CCPA. The agency is also collaborating with other states through the bipartisan Consortium of Privacy Regulators to enforce privacy laws nationwide.