On May 6, 2025, the California Privacy Protection Agency announced its second enforcement action over violations of the California Consumer Privacy Act. Menswear company Todd Snyder settled allegations that it failed to properly honor consumer opt-outs, agreeing to pay $345, 718. The company must also reconfigure its opt out process and implement other internal procedures to address privacy obligations, including a contract management and tracking process.
Third-party privacy management again came under scrutiny, with the CPPA alleging that Todd Snyder violated the California Consumer Privacy Act by improperly implementing its privacy portal, resulting in a 40 day “failure to process consumer requests to opt out of sale or sharing.” The Agency also alleged that Todd Snyder’s privacy portal violated the CCPA by requiring an excess of personal information to process privacy requests. The company required consumers to submit their full name, email, country of residence, and a photograph of the consumer holding an identity document to opt out of sales and similarly sensitive information to exercise other privacy rights.
This decision highlights the importance of business oversight into privacy compliance, including the technical configurations of third-party solutions. According to the CPPA, Todd Snyder “would have known” of the existing issues if it had “taken steps to ensure that its mechanism . . . was properly configured and functioning.” Per Michael Macko, head of the CPPA’s Enforcement Division, “businesses should scrutinize their privacy management solutions to ensure they comply with the law and work as intended, because the buck stops with the businesses that use them. Using a consent management platform doesn’t get you off the hook for compliance.”