The California Privacy Protection Agency (CPPA) is keeping up the pressure on businesses. Right on the heels of its recent settlement with Honda, the CPPA announced the conclusion of another case, this time against clothing retailer Todd Snyder, resulting in a fine of $345,000.
It’s become clear that the Agency’s long period of apparent inaction on enforcement of the California Consumer Privacy Act (CCPA) was not inaction at all, but rather the initial calm as its first investigations were underway.
In what is becoming a common theme, Todd Snyder’s privacy violations were related to its handling of privacy requests, with particular attention paid to opt-outs. Here’s what we learned from the CPPA’s decision.
During the relevant time period, Todd Snyder’s website “shared” consumers’ personal information—that is, it used their data to engage in cross-context behavioral advertising. That's no big deal, but it does trigger opt-out rights under the CCPA. Knowing this, Todd Snyder offered an opt-out method via its cookie banner and also stated that it respected opt-outs via the Global Privacy Control (GPC) browser signal.
The problem? According to the CPPA, “the technical infrastructure told a different story.” For at least a 40-day period from the end of 2023 through the beginning of 2024, whenever a consumer tried to open the cookie banner, it would appear and then immediately disappear. This meant consumers could not opt out via the banner, and GPC opt-outs were not functioning either.
This was because Todd Snyder’s third-party privacy-management tool “was not properly configured.” The Agency's decision emphasizes that the retailer was held responsible for the technical failings of its consent manager:
Businesses should scrutinize their privacy management solutions to ensure they comply with the law and work as intended, because the buck stops with the businesses that use them.
The takeaway is that businesses should choose their privacy vendor wisely, and not expect to be able to point the finger elsewhere if their opt-outs don’t function properly.
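The kind of check the Agency is asking for, as an added example that is not code from the original post or from any vendor it names: it models the two opt-out paths described above (a cookie-banner choice and the Global Privacy Control signal, which browsers expose as `navigator.globalPrivacyControl` and send to servers as the `Sec-GPC: 1` request header) and audits a consent manager's decision function against constructed scenarios, so a misconfiguration like the one the CPPA found (GPC ignored) is caught before release. The scenario names and the `misconfiguredDecide` function are illustrative assumptions.

```javascript
// Added example (not from the original post or from Todd Snyder/TrueVault).
// Detect a GPC opt-out. Browsers expose it as navigator.globalPrivacyControl;
// servers see it as the request header "Sec-GPC: 1".
function gpcSignalled(nav, headers) {
  if (nav && nav.globalPrivacyControl === true) return true;
  const v = headers ? (headers["sec-gpc"] || headers["Sec-GPC"]) : undefined;
  return typeof v === "string" && v.trim() === "1";
}

// Correct decision: cross-context behavioral advertising ("sharing") may run
// only when neither an explicit banner opt-out nor a GPC signal is present.
function mayShareForAds(ctx) {
  if (ctx.bannerChoice === "opt-out") return false;
  if (gpcSignalled(ctx.nav, ctx.headers)) return false;
  return true;
}

// Constructed scenarios, each with the outcome an opt-out-respecting
// implementation must produce (true = sharing allowed, false = blocked).
const OPT_OUT_SCENARIOS = [
  { name: "no choice, no GPC", ctx: {}, expect: true },
  { name: "banner opt-out", ctx: { bannerChoice: "opt-out" }, expect: false },
  { name: "GPC via navigator", ctx: { nav: { globalPrivacyControl: true } }, expect: false },
  { name: "GPC via Sec-GPC header", ctx: { headers: { "sec-gpc": "1" } }, expect: false },
  { name: "Sec-GPC header with other value", ctx: { headers: { "sec-gpc": "0" } }, expect: true },
];

// Run a consent manager's decision function through every scenario and
// return the names of those it gets wrong. An empty list means the opt-outs
// work as intended; anything else is a compliance bug to fix before release.
function auditOptOutHandling(decide) {
  return OPT_OUT_SCENARIOS.filter((s) => decide(s.ctx) !== s.expect).map((s) => s.name);
}

// Hypothetical misconfigured manager of the kind the decision describes:
// the banner choice is honored, but the GPC signal is never consulted.
function misconfiguredDecide(ctx) {
  return ctx.bannerChoice !== "opt-out";
}
```

Running `auditOptOutHandling(misconfiguredDecide)` reports both GPC scenarios as failures, which is exactly the gap a vendor review should surface.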
Consumers who visited the Todd Snyder privacy policy were directed to a privacy portal to submit any requests, including opt-outs. The privacy portal used the same form for all request types, and required consumers to submit a photo of themselves holding an ID in order to verify their identity.
As should be abundantly clear by now, businesses cannot require identity verification for CCPA opt-outs. The CPPA released an enforcement advisory in 2024 to this effect, and it is one of the reasons that Honda was fined earlier this year.
Any third-party privacy portals that combine all request types into a single form are likely to get businesses into trouble. The requirements for an access or deletion request simply are not the same as for an opt-out or request to limit.
Even for those privacy requests which require verification, businesses cannot require more information than is necessary to verify the consumer’s identity. The CPPA found that Todd Snyder’s requirement of submitting a photo of the consumer with their ID was a violation of that rule.
The Agency provided the following reasons for its decision:
Businesses must therefore navigate a fine line between getting enough information to verify someone’s identity and requiring too much information so that it creates other compliance problems. The appropriate level of verification will depend on the type of request and the sensitivity of the personal information at issue.
Privacy compliance is trickier than many businesses realize, and what’s becoming clear is that regulators like the California Privacy Protection Agency aren’t giving companies a lot of leeway. Even unintentional mistakes can result in fines of hundreds of thousands of dollars.
That’s why it’s critical to stop putting off privacy compliance and to get it right the first time.
TrueVault helps businesses of all sizes get privacy-compliant quickly, even if they don’t have in-house expertise. Through a combination of guided workflows and automated tools, you can create your company’s data map, publish privacy notices, and be ready to receive privacy requests, all in as little as a few hours.
Contact our team to learn more.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.