ARTICLE
8 May 2025

California Privacy Protection Agency Enters Stipulated Final Order Regarding DSAR Process

Baker Botts LLP

On May 1, 2025, the California Privacy Protection Agency (CPPA) issued a Stipulated Final Order against Todd Snyder, Inc. (Snyder), a national retailer of men's clothing and accessories, for multiple violations of the California Consumer Privacy Act (CCPA). The enforcement action highlights critical compliance points relating to consumer opt-out rights and the handling of personal information, with particular emphasis on the company's reliance on third-party privacy management tools and its imposition of excessive verification requirements. The Stipulated Final Order levies an administrative fine of $345,178 against Snyder.

Key Findings

The CPPA investigated several elements of Todd Snyder's data subject access request (DSAR) infrastructure and process and found a number of CCPA violations: failure to effectuate consumer opt-out requests; a lack of oversight and validation of third-party tools; and excessive verification requirements for opt-out requests.

1. Failure to Effectuate Consumer Opt-Out Preferences

The CPPA found that Snyder installed third-party tracking technologies (such as cookies and pixels) on its website, which collected and shared consumer personal information for analytics and cross-context behavioral advertising. Although the company expressly represented to consumers that they could opt out of the sale or sharing of their personal information via a Cookie Preferences Center, a technical misconfiguration rendered the opt-out mechanism inoperable for 40 days in late 2023: the consent banner would appear and then instantly disappear, making it impossible for consumers to submit opt-out requests. Opt-out preference signals (such as the Global Privacy Control) were also not processed during this period.

2. Lack of Oversight and Validation of Third-Party Privacy Tools

The CPPA found that Snyder failed to monitor or validate the operation of its third-party privacy management tools. The company relied on these tools without understanding their limitations or confirming that they functioned as intended. The CPPA emphasized that had Snyder properly monitored its website or validated these tools, it would have discovered the malfunction that prevented consumers from exercising their opt-out rights. Businesses cannot simply defer to third-party tools; they must actively ensure these tools are properly configured and effective. The CPPA is signaling that a business cannot shift its own liability onto a vendor by relying on the vendor's representations, or on the assumption that the tool works as advertised. Rather, a business must proactively confirm that its tools actually behave as expected and that they are implemented so as to perform the functions the business requires of them.

3. Unlawful and Excessive Verification Requirements for Opt-Out Requests

Snyder's privacy policy directed consumers to a Data Request Form for submitting CCPA requests, including opt-out requests. The form required consumers to provide their first and last name, email, country of residence, and a photograph of themselves holding a government-issued identity document. This requirement applied regardless of the type of CCPA request, including opt-out requests, which under the CCPA do not require verification. The CCPA prohibits businesses from requiring consumers to verify their identity, or to provide more information than necessary, in order to submit an opt-out request. By requiring government identification for all requests, Snyder unlawfully imposed an undue burden on consumers and discouraged them from exercising their privacy rights. This was not a situation in which Snyder had to confirm a requester's identity before disclosing that person's information in response to a request, where verification is permitted. Rather, Snyder required verification for every opt-out request, regardless of how it was submitted.

But, according to the CPPA, even for verifiable consumer requests (where verification is appropriate), the CCPA requires businesses to avoid collecting more information than necessary and to use information already maintained by the business whenever feasible. Snyder's blanket requirement for government identification exceeded what was necessary and violated these provisions.

Remedial Measures and Penalties

The Stipulated Final Order lists four remedial measures and penalties with which Snyder must comply:

  • Pay an administrative fine of $345,178.
  • Implement and maintain compliant methods for submitting opt-out requests, ensuring that no verification is required for such requests and that no more information than necessary is collected.
  • Monitor and validate the effectiveness of its opt-out mechanisms and ensure that opt-out preference signals are honored.
  • Train personnel on CCPA requirements and maintain proper contract management with third parties handling personal information.
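Section 2 above and the remedial measure requiring Snyder to monitor and validate its opt-out mechanisms both come down to a check that a site operator can run against its own pipeline. The following is an added example written for this page; it is not code from the article, from the order, or from any consent-management vendor. It assumes a hypothetical opt-out cookie name (ccpa_opt_out), a hypothetical list of tracking hosts, and a hypothetical 1000 ms threshold for deciding that a banner flickered; the sample visits at the bottom are constructed, not real captures. The Global Privacy Control signal itself is real: a browser with GPC enabled sends the request header Sec-GPC: 1 to every site.

```javascript
'use strict';

// Added example, not code from the article or the Stipulated Final Order.
//   optOutDecision(): the per-request rule a server should apply. Sec-GPC: 1,
//     or an opt-out already recorded in a cookie, means "do not sell or share",
//     so tracking tags must not load. No identity verification is involved.
//   auditSession(): runs over a captured visit (banner timing plus the
//     outbound request log) and flags the two failure modes the order
//     describes: a banner that vanishes before anyone can click it, and
//     tracking requests issued while the visitor had opted out or sent GPC.
// Hypothetical assumptions: the cookie name ccpa_opt_out, the tracking host
// list, and the 1000 ms flicker threshold.

const TRACKING_HOSTS = new Set([
  'www.google-analytics.com',
  'www.facebook.com',
  'bat.bing.com',
]);

// A banner hidden faster than this with no user interaction is treated as
// the "appears and instantly disappears" misconfiguration.
const BANNER_MIN_VISIBLE_MS = 1000;

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const i = part.indexOf('=');
    if (i === -1) continue;
    out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// headers: request headers with lower-cased names, as Node's http module
// exposes them. GPC wins over any stored preference that would allow sale or
// share; the signal must be honored for that browser without verification.
function optOutDecision(headers) {
  const gpc = headers['sec-gpc'] === '1';
  const cookieOptOut = parseCookies(headers['cookie'])['ccpa_opt_out'] === '1';
  const optedOut = gpc || cookieOptOut;
  return {
    optedOut,
    reason: gpc ? 'gpc' : cookieOptOut ? 'cookie' : 'none',
    loadTrackingTags: !optedOut,
  };
}

// session: { gpcEnabled, optOutSubmittedAt (ms since load, or null),
//            banner: { shownAt, hiddenAt, userInteracted } or null,
//            requests: [{ t, url }] }
function auditSession(session) {
  const findings = [];
  const b = session.banner;
  if (b && b.hiddenAt !== null && !b.userInteracted &&
      b.hiddenAt - b.shownAt < BANNER_MIN_VISIBLE_MS) {
    findings.push({
      kind: 'banner-flicker',
      detail: `banner visible for ${b.hiddenAt - b.shownAt} ms with no interaction`,
    });
  }
  for (const r of session.requests) {
    const host = new URL(r.url).hostname;
    if (!TRACKING_HOSTS.has(host)) continue;
    if (session.gpcEnabled) {
      findings.push({ kind: 'gpc-ignored', host, t: r.t });
    } else if (session.optOutSubmittedAt !== null && r.t > session.optOutSubmittedAt) {
      findings.push({ kind: 'opt-out-ignored', host, t: r.t });
    }
  }
  return findings;
}

// Constructed sample visits (not real captures); timestamps are ms since load.
// BROKEN_SESSION reproduces the order's fact pattern: GPC on, banner gone
// after 80 ms with no click, tracking tags still firing.
const BROKEN_SESSION = {
  gpcEnabled: true,
  optOutSubmittedAt: null,
  banner: { shownAt: 120, hiddenAt: 200, userInteracted: false },
  requests: [
    { t: 50, url: 'https://shop.example/' },
    { t: 340, url: 'https://www.google-analytics.com/g/collect' },
    { t: 410, url: 'https://www.facebook.com/tr' },
    { t: 600, url: 'https://shop.example/api/cart' },
  ],
};

// HEALTHY_SESSION: no GPC, the visitor clicks opt-out at 5000 ms, and the only
// tracking request happened before that, which an opt-out model permits.
const HEALTHY_SESSION = {
  gpcEnabled: false,
  optOutSubmittedAt: 5000,
  banner: { shownAt: 120, hiddenAt: 5000, userInteracted: true },
  requests: [
    { t: 300, url: 'https://www.google-analytics.com/g/collect' },
    { t: 6000, url: 'https://shop.example/api/cart' },
  ],
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(optOutDecision({ 'sec-gpc': '1' }));
  console.log(auditSession(BROKEN_SESSION));
  console.log(auditSession(HEALTHY_SESSION));
}
```

In practice the session objects would be produced by a scheduled headless-browser run against the live site (with GPC enabled on one run and a simulated opt-out click on another), and any finding from auditSession would page the team that owns the consent tool. The point of the banner timing check is that a consent tool can report "configured correctly" while the page it is embedded in never gives the visitor a chance to use it; only an end-to-end observation of the rendered page and the resulting network traffic catches that.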

Key Takeaways for Businesses

Though CCPA enforcement is still relatively young, this Stipulated Final Order sets forth a number of key takeaways that signal how the CPPA will approach similar enforcement actions in the future.

Third-Party Tools Require Ongoing Oversight:
Businesses cannot rely on third-party privacy management tools without ongoing oversight. Companies must regularly monitor, test, and validate the effectiveness of these tools to ensure that consumer privacy rights are respected and that opt-out mechanisms function as the law requires. This calls for an ongoing interface between technical and legal teams, so that both know which technologies are actually deployed on the site and what compliant configuration and handling of those technologies looks like.

Opt-Out Requests Must Be Simple and Unburdened:
The CCPA prohibits imposing verification requirements or collecting more information than necessary for opt-out requests. Businesses must ensure that consumers can exercise their opt-out rights easily, without being required to provide sensitive personal information such as government-issued identification.

The Stipulated Final Order also suggests a number of best practices for CCPA compliance with respect to DSARs:

  • Regularly audit and test all consumer-facing privacy tools and opt-out mechanisms to ensure they are operational and compliant.
  • Review and update privacy policies and request forms to ensure that only the minimum necessary information is collected for each type of CCPA request.
  • Train staff on CCPA requirements, particularly regarding the handling of opt-out requests and the distinction between verifiable and non-verifiable requests.
  • Maintain robust contract management processes with all third parties that receive consumer personal information.

Conclusion

This enforcement action serves as a strong reminder that CCPA compliance is an ongoing obligation. Businesses must take proactive steps to ensure that privacy management tools are effective and that consumer rights are not impeded by technical failures or unnecessary verification requirements. Failure to do so can result in significant regulatory penalties and reputational harm.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
