Enforcement Action Issued Against Retailer for CCPA Violations

Earlier this month, the Board of the California Privacy Protection Agency (the “CPPA”) announced an enforcement action against clothing retailer Todd Snyder for non-compliance with the California Consumer Privacy Act (the “CCPA”).  The findings resulted in an approximately $350,000 fine and a requirement that the company modify its CCPA compliance program.  The CPPA’s action is the second major enforcement action announced by the agency this year, following the recent decision to fine Honda $632,500 for CCPA violations. 

Todd Snyder was alleged to have committed the following violations:

Failure to Process Opt-Out Requests.  The Todd Snyder company website told consumers they could opt-out of sharing or sales of their personal information by visiting the ‘Cookie Preferences Center’ in the footer of the website.  For a 40 day period in 2023, the ‘Cookie Preferences Center’ link was improperly configured, such that when consumers clicked the link, a consent banner would appear but then immediately disappear, making it impossible for a consumer to submit opt-out requests.

Excessive Information Collection.  Consumers were required to submit more information than necessary to process their privacy right requests, including requiring consumers to submit a photograph of themselves holding an “identity document” to submit any request.  Driver’s licenses, state ID cards, passports and other identity documents are not required for consumers to submit opt-out requests for the sale or sharing of personal information. 

Unnecessary Identity Verification.  Consumers were required to verify their identity before they could opt out of the sale or sharing of their personal information. 

The allegations about improper verification reinforce a CPPA Enforcement Advisory issued last year, warning businesses against collecting excessive information from consumers asserting their privacy rights.

In addition to paying the fine, Todd Snyder agree to the following measures:

• • Establish, implement, and maintain opt-out of sale/sharing policies, procedures, and technical measurements that (a) do not require consumers to verify such requests or provide more information than is necessary to process the requests; (b) comply with the CCPA and its implementing regulations; (c) identify disclosures of personal information that constitute a “sale” or “sharing” of personal information to ensure the company appropriately processes opt-out requests; (d) monitor the effectiveness and functionality of the company’s methods for submitting opt-out requests; and (e) apply opt-out preference signals to known consumers in compliance with the CCPA.
  • Not require consumers making verifiable consumer requests to provide more information than is necessary to process the requests.
  • Develop and implement procedures to ensure that all personnel handling personal information are informed of the company’s CCPA requirements relevant to their respective jobs (with such implementation occurring within 90 days of the effective date of the enforcement action); and
  • Maintain a contract management and tracking process to ensure that contractual terms required by the CCPA are in place with external recipients of personal information.

In announcing the action, Michael Macko, head of the CPPA’s Enforcement Division, reinforced the fact that companies cannot rely solely on third party compliance tools, stating that “[b]usinesses should scrutinize their privacy management solutions to ensure they comply with the law and work as intended, because the buck stops with the businesses that use them,” and that “[u]sing a consent management platform doesn’t get you off the hook for compliance.”  All compliance tools, whether third party or internal, must be validated to ensure they function in compliance with the CCPA requirements.