California Privacy Agency Continues Enforcement Spree with Todd Snyder Settlement

Kelley Drye & Warren LLP

On May 6, the California Privacy Protection Agency (CPPA) announced a settlement with Todd Snyder, Inc. over allegations that the men’s retail brand violated CCPA rules on submission and fulfillment of privacy rights requests. Todd Snyder agreed to pay $345,178 and to modify its CCPA compliance program to resolve the case.

The CPPA’s action is the second major enforcement action announced by the four-year-old agency and the first against a retailer, coming on the heels of the CPPA’s recent decision to fine Honda $632,500 for CCPA violations. The CPPA has also been active in recent months in bringing enforcement actions targeting data brokers for failure to register with the agency.

What are the CPPA’s allegations against Todd Snyder?

Improper Opt-Out Tool Configuration. First, the CPPA alleges that for “40 days starting in late 2023,” Todd Snyder’s tool to opt out of the sale or sharing of personal information did not work. Apparently, according to the Stipulated Final Order, the mechanism to enable consumers to exercise their opt-out choices was not properly configured. When users of the Todd Snyder website clicked on “Cookie Preferences Center,” for example, the consent tool “instantaneously disappeared.” In addition, requests to opt out using opt-out preference signals such as the Global Privacy Control apparently went unprocessed.

This first alleged violation of the CCPA underscores the importance for companies subject to the CCPA to continuously monitor their websites and privacy rights tools for any technical issues. According to the CPPA, Todd Snyder used third-party privacy management tools without “knowing their limitations or validating their operation,” implying that companies should ensure proper oversight and configuration of their consent management solutions.

Verification of Privacy Requests. The CPPA’s second allegation was that Todd Snyder required consumers to verify their identity before submitting a request to opt out of the sale or sharing of their personal information. Pursuant to the CCPA regulations, companies are not permitted to verify opt-out requests. They are only permitted to verify access, correction, or deletion requests, where a fraudulent request could lead to the erroneous deletion of or access to consumer data. The CPPA wrote that applying a verification standard to opt-out requests—in violation of the CCPA—“impairs or interferes with the consumer’s ability to exercise those rights” and “substantially subvert[s] consumers’ choices.”

Requiring a Driver’s License or Other ID to Submit a Privacy Request. The CPPA’s final allegation was that Todd Snyder required more information than necessary to verify consumer identities to submit a privacy request, even when verification was permissible. In particular, Todd Snyder required consumers to submit a government-issued ID, such as a driver’s license, in order to process their privacy rights requests. Government-issued ID numbers are considered sensitive data under the CCPA and could trigger data breach notification obligations if exposed. The CPPA cautioned that “consumers often refrain from submitting CPPA (sic) requests that require documentation due to privacy concerns and the potential for identity theft.”

This concern echoes a similar allegation in the Honda case, where the CPPA charged Honda with asking for more information from consumers than necessary to exercise their privacy rights requests. Taken together, the cases evidence a concern on the part of the CPPA that companies could use privacy rights submission forms to dissuade consumers from submitting privacy rights requests.

What terms did Todd Snyder agree to as part of the settlement?

In addition to paying a $345,178 fine, Todd Snyder agreed to a set of injunctive terms that require the company within 90 days to comply with CCPA regulations related to privacy rights requests and to develop a more robust privacy program for addressing compliance with privacy rights requests.

Specifically, Todd Snyder agreed to:

  • Not require consumers to verify requests to opt out of sales/sharing;
  • Not require consumers making opt-out requests to provide more information than necessary to process the request;
  • Ensure methods of submitting opt-out requests comply with CCPA and the CCPA regulations, including relating to opt-out preference signals;
  • Develop, implement, and maintain procedures to identify sales/sharing and process requests to opt out of sales/sharing, including sales/sharing via third-party tracking technologies;
  • Establish, implement, and maintain policies, procedures, and technical measures to monitor the effectiveness and functionality of methods to submit opt-out requests; and
  • Comply with opt-out preference signals, including for known consumers (i.e., logged-in consumers).

In addition, Todd Snyder agreed to develop, implement, and maintain procedures to ensure its personnel that handle personal information are informed about applicable requirements under the CCPA, and to maintain a contract management and tracking process to ensure CCPA-required terms are included for all external recipients of personal information.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Kelley Drye & Warren LLP 2025