Clothing Retailer Fined for CCPA Violations
The California Privacy Protection Agency (CPPA) Board fined clothing retailer Todd Snyder $345,178 for California Consumer Privacy Act (CCPA) violations. On top of the financial penalty, the company has also agreed to properly configure its mechanisms for submitting and managing opt-out preferences and provide CCPA compliance training for its employees.
Here are the CCPA violations that led to the penalty:
Not Honoring Opt-out Requests for Forty Days
Todd Snyder used cookies, pixels, and other tracking technologies to send data about consumers’ online behavior to third parties, including for cross-context behavioral advertising. The company told consumers they could opt out of the sale or sharing of their data on the Cookie Preference Center on its websites, but the opt-out mechanisms were not functioning properly. For forty days in 2023, when consumers clicked the Cookie Preference Center link, a consent banner appeared but immediately vanished, making it impossible to submit opt-out requests.
The CPPA alleges Todd Snyder did not know consumers couldn’t submit opt-out requests because it relied on third-party management tools and wasn’t monitoring its website.
Requiring Consumers to Verify Their Identity to Opt Out of Sale/Sharing
Todd Snyder’s privacy policy included a link to a Privacy Portal where consumers could submit CCPA requests. People who clicked the link were redirected to a Data Request Form that allowed them to select a request type, including “Do Not Sell or Share to a Third Party.” Regardless of the selected request type, the Data Request Form required consumers to provide their first and last name, email, country of residence, and a photograph of the consumer holding their “identity document.” Under the CCPA, government identification (driver’s license, passport, etc.) is considered sensitive personal information.
The CCPA prohibits businesses from requiring consumers to verify their identity to opt out of the selling or sharing of their data.
Todd Snyder is also accused of making consumers provide more information than necessary (such as a government ID) for Verifiable Consumer Requests (right to know, delete/correct data, etc.), which is a CCPA violation.
You can read more about the CCPA violations in the Order of Decision.
Other CCPA Fines for Improper Website Privacy Functionality
The Todd Snyder fine isn’t the first the CPPA handed down in 2025 for violations related to website privacy functionality. In March 2025, Honda was fined $632,500 for the following CCPA violations:
- Requiring excessive personal information to exercise privacy rights
- A longer opt-out process than opting in
- Creating barriers for consumers using authorized agents to act on their behalf
- Not being able to produce contracts with advertising technology vendors
Continued Emphasis on Website Privacy and Consent
The CCPA penalties against Honda and Todd Snyder are the latest in this list of actions that demonstrate the importance of properly functioning website privacy and software tools:
- Meta Pixel lawsuits
- A CCPA enforcement advisory for dark patterns
- The New York Attorney General’s privacy controls guidance website
To mitigate the risks of lawsuits and fines, businesses must assess if their website’s privacy and preference tools are functioning in a manner that is compliant with applicable privacy and consumer protection laws. Businesses must also be sure the information provided to website visitors on cookie banners, privacy notices, privacy control configurations, etc., accurately describes how their privacy controls work.
Watch the podcast below to learn more about best practices for website privacy functions and controls. A transcript of the episode is also available.
CompliancePoint offers Cookie Management Services to help businesses with privacy and consent functionality. We can also help with all aspects of CCPA compliance. Reach out to us at connect@compliancepoint.com to learn more.