On May 6, 2025, the California Privacy Protection Agency (CPPA) announced that menswear retailer Todd Snyder, Inc. agreed to pay a $345,178 fine and implement significant changes to its privacy practices to resolve allegations of violating the California Consumer Privacy Act (CCPA).
Alleged CCPA Violations
The CPPA’s Enforcement Division alleged several compliance failures:
- Failure to Process Opt-Out Requests in a Compliant Manner: Todd Snyder’s privacy portal was misconfigured, resulting in a failure to process consumer requests to opt out of the sale or sharing of personal information for 40 days.
- Excessive Information Requirements: Consumers were required to provide more information than necessary to process privacy requests.
- Unnecessary Identity Verification: The company mandated identity verification even for opt-out of sale/sharing requests.
Settlement Terms
In addition to the monetary penalty, Todd Snyder agreed, among other things, to:
- Ensure its mechanisms for submitting and managing opt-out preferences comply with the CCPA, including the requirements relating to opt-out preference signals.
- Implement procedures to ensure personnel handling personal information are informed of Todd Snyder’s obligations under the CCPA relevant to their job functions.
- Make sure consumers making a verifiable consumer request are not required to provide more information than is necessary to process the request.
Compliance Takeaways
This enforcement action underscores the importance of:
- Timely Processing: Businesses must process opt-out requests within the 15-business-day timeframe stipulated by the CCPA.
- Data Minimization: Not collecting more information than is necessary from consumers exercising their rights.
- Vendor Oversight: Relying on third-party consent management platforms does not absolve businesses from ensuring compliance. Companies must validate that these tools function correctly before implementing them.
Conclusion
The Todd Snyder case serves as a cautionary tale for businesses handling California residents’ data. Ensuring that privacy portals are correctly configured, minimizing data collection, and avoiding unnecessary verification steps are essential for compliance with the CCPA.
For more information on the CPPA’s decision, visit their official announcement: https://cppa.ca.gov/announcements/2025/20250506.html
QUESTIONS?
If you have any questions about the topics discussed, please reach out to your Bortstein Legal Group attorney or Julian Conway at jconway@blegalgroup.com.