4 minute read | May.29.2025
On May 1, 2025, the California Privacy Protection Agency (CPPA) issued a final order against clothing retailer Todd Snyder for violations of the California Consumer Privacy Act (CCPA).
The enforcement action targeted the retailer's consumer opt-out settings and unlawful methods for verifying opt-out requests, resulting in a $345,178 fine and a mandate for comprehensive compliance measures. These issues mirror those seen in other recent cases, such as the Honda settlement, and show that such enforcement actions are becoming more common and can lead to significant statutory penalties.
This case centered on three key violations of the CCPA on the part of the retailer:
(1) failure to properly configure technical infrastructure, which included third-party tracking software, resulting in a 40-day delay in processing opt-out requests;
(2) requiring consumers to provide more information than necessary to process privacy requests; and
(3) imposing identity verification requirements for opt-out requests, which is not permitted under the CCPA.
Ensure proper processing of opt-out requests and monitor third-party management tools. The CPPA found that, for a 40-day period in late 2023, the retailer’s third-party tracking software on its website was misconfigured, leading to CCPA noncompliance. Although consumers were told they could opt out of the sale or sharing of their personal information via a “Cookie Preferences Center,” a technical glitch caused the consent banner to disappear instantly, making it impossible for consumers to submit opt-out requests. Additionally, opt-out preference signals (such as the Global Privacy Control (GPC)) were not processed due to the same configuration issue. Companies must implement and maintain CCPA-compliant opt-out mechanisms, including proper processing of opt-out signals and monitoring of third-party management tools.
Do not require consumers to provide more information than necessary to process their privacy requests. Todd Snyder required consumers to provide extensive personal information beyond what the retailer needed to verify the request, including providing a photo of themselves holding a government-issued ID. By requiring government identification for all requests, the retailer not only imposed an undue burden on consumers, but also collected sensitive personal information unnecessarily, increasing the risk of identity theft and discouraging consumers from exercising their privacy rights. As a result, companies should avoid requiring consumers to provide more information than necessary, especially any unnecessary sensitive personal information, when processing requests in accordance with the CCPA.
Do not require verification for opt-out requests. The enforcement action also addressed the retailer’s use of a single data request form for all CCPA requests, which required verification for every request, including opt-out requests. The CCPA prohibits businesses from requiring verification for opt-out requests. Therefore, companies should not ask consumers to verify opt-out requests and should have separate mechanisms for verifiable requests and opt-out requests.
We recommend companies continue to monitor these recent enforcement trends and to engage with counsel to review their cookie and third-party vendor practices. Our team helps companies build out and maintain robust compliance programs tailored to your organization. Please reach out to your Orrick contact or one of the authors (Shannon Yavorsky, Nick Farnsworth, Anna Booth, or Tori Downey) for more information.