California Privacy Protection Agency Brings Second Enforcement Action Under the California Consumer Privacy Act
Earlier this month, the California Privacy Protection Agency (CPPA), which is responsible for implementing and enforcing the California Consumer Privacy Act (CCPA), issued a decision and order requiring clothing retailer Todd Snyder, Inc. to change its privacy practices within 90 days and pay a $345,178 fine to resolve claims that the clothing retailer violated the CCPA. The CPPA’s enforcement action against Todd Snyder comes just two months after its first enforcement action against American Honda Motor Co. Inc. We discussed Honda’s settlement with the CPPA in a recent Enforcement Edge Blog post.
The Enforcement Division of the CPPA alleged that Todd Snyder violated the CCPA by:
- Failing to effectuate consumers’ personal information opt-out preferences. The CPPA alleged that, for a period of 40 days in 2023, the technical infrastructure on Todd Snyder’s website was not properly configured to enable consumers to exercise their right to opt out of the sale/sharing of their personal information. According to the CPPA, Todd Snyder would have known about these issues had it been properly monitoring its website, but instead deferred to third-party privacy management tools without knowing their limitations or validating their operations.
- Applying a verification standard for requests to opt out of sale/sharing. As noted in the order, Todd Snyder implemented a data request form that allowed consumers to submit different CCPA requests, including opt-out of sale/sharing requests. Consumers, however, were required to provide an “identity document,” regardless of the type of request they submitted. Under the CCPA, businesses are prohibited from requiring consumers to verify themselves before processing requests to opt out of sale/sharing. At most, businesses can ask for information necessary to complete the request, such as information required to identify the consumer within their own systems.
- Requiring consumers to submit more information than necessary to verify privacy rights requests. The CCPA requires businesses, when verifying a consumer request, to consider a number of factors and, whenever possible, match the information provided by the consumer to the personal information already maintained by the business. Businesses must avoid requesting more information than necessary, such as government identification, unless necessary to verify the consumer. According to the CPPA, Todd Snyder required consumers to submit more information than necessary, including government-issued identification, to exercise their privacy rights.
As part of the order, Todd Snyder agreed to: (1) modify its current mechanism for enabling consumers to submit requests to opt out of sale/sharing to ensure that it is not requiring consumers to provide more information than necessary or verify requests to opt out of sale/sharing, as well as implement procedures to ensure that it appropriately processes requests and monitors the effectiveness/functionality of its methods for submitting opt-out requests; (2) not require consumers to provide more information than necessary to process a rights request; (3) develop, implement, and maintain procedures to ensure that all personnel handling personal information are informed of the business’s requirements under the CCPA; (4) maintain a contract management and tracking process to ensure that contractual terms required by the CCPA are in place; and (5) pay an administrative fine of $345,178.
Key Takeaways
The CPPA’s enforcement action against Todd Snyder, coupled with its earlier enforcement action against Honda, makes clear that the CPPA expects companies to evaluate their policies and procedures related to data subject rights requests to ensure that they are not discouraging consumers from exercising their rights by collecting more information than necessary to process the request. Additionally, businesses should regularly review and validate their third-party privacy management tools to ensure that the tools are functioning properly and in compliance with the CCPA.
Please contact the authors of this post or any of their colleagues in Arnold & Porter’s Privacy, Cybersecurity & Data Strategy practice group if you have questions about the CCPA or privacy compliance more generally.
© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.