On May 6, 2025, the California Privacy Protection Agency (“CPPA”) announced a decision and $345,178 fine related to allegations that Todd Snyder, Inc. violated the California Consumer Privacy Act (“CCPA”) and requirements to change its business practices.
As summarized in the consent order, the CPPA alleged the following:
- Despite engaging in activities that Todd Snyder characterized as a “sale” or “sharing” through “automated tracking technologies” installed on its website, the website opt-out mechanism was not properly configured. The CPPA states that Todd Snyder “would have known” that the opt-out did not function correctly, but it “instead deferred to third-party privacy management tools without knowing their limitations or validating their operation.”
- The consumer rights request form required consumers to provide information to validate their identity (e.g., first and last name, email, photograph of the consumer holding their “identity document”) for all requests, including opt-out of sale/sharing requests.
- Todd Snyder allegedly collected more information than required – including government identification – to exercise privacy rights.
The allegations and order share some similarities with the recent Honda enforcement action and CPPA’s 2024 Enforcement Advisory. Taken together, these suggest an enforcement interest in efforts to verify the identity of consumers submitting opt-out of sale/sharing requests, required information to submit a request (including both the type and number of data elements required), and oversight of privacy vendors.