ARTICLE
30 May 2025

California Privacy Protection Agency Intensifies Enforcement: Recent Enforcement Actions And Trends

MB
Mayer Brown

Contributor

Mayer Brown logo
Mayer Brown is a distinctively global law firm, uniquely positioned to advise the world’s leading companies and financial institutions on their most complex deals and disputes. We have deep experience in high-stakes litigation and complex transactions across industry sectors, including our signature strength, the global financial services industry.
Explore Firm Details
The California Privacy Protection Agency (CPPA) has intensified its enforcement activities in 2025, bringing enforcement actions under both the California Consumer Privacy Act (CCPA) and the California Delete Act in the last few months.
United States California Privacy
Arsen Kourinian,Lei Shen,Megan P. Von Borstel
+1 Authors
 Your Author LinkedIn Connections

The California Privacy Protection Agency (CPPA) has intensified its enforcement activities in 2025, bringing enforcement actions under both the California Consumer Privacy Act (CCPA) and the California Delete Act in the last few months.The recent enforcement actions against Todd Snyder, Inc. and Jerico Pictures, Inc.—and other actions by the agency—reflect a strong commitment to holding businesses accountable for violations of these laws, and highlight the CPPA's priorities in protecting consumer rights and ensuring data broker accountability.

Enforcement Trends and Priorities

The CPPA's recent enforcement actions highlight several emerging regulatory priorities:

  • Focus on Honoring Opt-Out Requests: The CPPA has penalized businesses for failing to properly process and honor consumer opt-out of sale/sharing requests, including those submitted via cookie banners and opt-out preference signals such as Global Privacy Control (GPC).
  • Crackdown on Dark Patterns:In September 2024, the CPPA issued anenforcement advisory targeting "dark patterns,"user-interface designs that impair or subvert consumer autonomy.
  • Emphasis on Data Minimization:AnApril 2024 enforcement advisoryemphasized data minimization as a foundational principle of the CCPA. The agency noted that some businesses collect excessive personal information when processing consumer requests, which may lead to enforcement actions.
  • Scrutiny of Data Broker Compliance Under the Delete Act:After launchinginvestigative sweepsto ensure data brokers comply with registration requirements under the Delete Act, the agency penalized a company for failing to register and pay an annual fee as required by the Delete Act. Noncompliance can result in administrative fines, including penalties of $200 per day.

Case Analyses

Todd Snyder, Inc.

In May 2025, theCPPA ordered a national clothing retailer, Todd Snyder, Inc., to change its business practices and imposed a $345,178 fine for multiple CCPA violations, including:

  • Failing to properly configure its privacy portal and cookie banner, resulting in a 40-day delay in processing consumer opt-out requests.
  • Requiring consumers to submit more personal information than necessary to process their privacy requests.
  • Requiring consumers to verify their identity before they could opt-out of the sale/sharing of their personal information.

The CPPA found that Todd Snyder lacked adequate oversight of the third-party cookie tools on its website. For 40 days in late 2023, the site's opt-out mechanisms were not properly configured to process consumer requests to opt-out of the sale or sharing of their personal information. Specifically, when consumers clicked a link to manage their preferences, a cookie consent banner appeared but then disappeared instantaneously or failed to work properly, resulting in consumers being unable to exercise their right to opt out. The site also ignored opt-out preference signals, such as GPC.

The CPPA also highlighted failures with Todd Snyder's data privacy request procedures. Todd Snyder directed consumers to submit a "Data Request Form" for all data privacy requests, requiring consumers to provide their name, country of residence, and a photograph of the consumer holding their "identity document." This information was requested regardless of the request type, including for requests to opt out of sale/sharing. This violated the CCPA in two ways: (i) applying a verification standard to opt-out of sale/sharing requests (which do not require verification under the statute) and (ii) requiring more personal information than necessary—including sensitive information, like a driver's license, state identification card, or passport number—to verify a consumer's identity.

Under the order, Todd Snyder must implement and maintain specific methods for submitting requests to opt out of sale/sharing—including refraining from requiring consumers making a request to opt out of sale/sharing to provide more information than necessary to process the request, ensuring that the company's methods for submitting requests to opt-out of sale/sharing comply with the CCPA—and ensuring that it honors opt-out preference signals for known consumers.

Jerico Pictures, Inc.

In February 2025, the CPPA brought anenforcement actionagainst Jerico Pictures, Inc., d/b/a National Public Data, a Florida-based data broker. The CPPA alleged that the company failed to register and pay an annual fee as required under the Delete Act. Instead, the company registered 230 days late, and only after being contacted by the CPPA's Enforcement Division. The CPPA sought a $46,000 fine against the company for its violations. This enforcement action comes after the CPPA previously filed a claim against the company in October 2024 in the U.S. Bankruptcy Court for the Southern District of Florida alleging that the company owed the agency an administrative fine related to its failure to register as a data broker in California.
Since October 2024, the CPPA has also taken action against five additional data brokers, resulting in settlements.

Key Takeaways

  • Proactive Compliance is Crucial:Staying ahead of regulatory requirements is essential to avoid costly fines and reputational damage.
  • User Interface Design Should Support Consumer Choice:The use of dark patterns—designs that mislead or manipulate users—can trigger enforcement actions. User interfaces should clearly and easily enable consumers to exercise their privacy rights.
  • Don't Outsource Compliance: Businesses should regularly monitor and validate their third-party privacy management tools to ensure they are working as expected. A business cannot simply defer to their third-party tools without understanding their limitations or validating their operation.
  • Data Minimization is a Core Expectation:Businesses should collect only the minimum personal information necessary to fulfill a specific purpose, particularly when processing consumer data privacy requests.
  • Timely Data Broker Registration is Mandatory:Data brokers must comply with registration deadlines under the Delete Act to avoid daily penalties and enforcement scrutiny.

The CPPA's recent enforcement actions underscore its ongoing commitment enforcing California's data privacy laws. Businesses should regularly evaluate and update their compliance strategies, focusing on user-centric design, data minimization, and transparent data practices to align with evolving regulatory expectations.

Visit us at mayerbrown.com

Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.

© Copyright 2025. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.

Authors
Photo of Arsen Kourinian
Arsen Kourinian
Person photo placeholder
Lei Shen
Photo of Amber Thomson
Amber Thomson
Photo of Megan P. Von Borstel
Megan P. Von Borstel
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More