CCPA Enforcement in Action: Todd Snyder Ordered to Overhaul Privacy Practices and Pay $345,178 Fine
- Katarzyna Celińska
- May 30
The California Privacy Protection Agency issued an enforcement order against national retailer Todd Snyder, Inc., mandating a $345,178 fine and requiring substantial overhauls to its privacy practices following violations of the CCPA.
Key Violations:
⚠️ Failed to Process Consumer Opt-Out Requests Properly
For over 40 days, the retailer’s privacy portal failed to process opt-out requests, violating consumers' rights to restrict the sale or sharing of their personal data.
⚠️ Collected Excessive Data During Privacy Requests
The company demanded more personal information than necessary from consumers submitting opt-out or deletion requests.
⚠️ Inappropriate Identity Verification Practices
Todd Snyder required consumers to verify their identity before being able to opt out of data sales or sharing—a practice flagged by the CPPA as a barrier to consumer rights.

The CPPA emphasized that businesses are fully responsible for ensuring that privacy management platforms work correctly, and cannot outsource accountability.
This fine is a textbook example of how failing to implement even basic administrative privacy controls under the CCPA can result in regulatory action. While CCPA requirements differ from GDPR and other global privacy laws, there are clear parallels in administrative obligations.
Companies processing Californian consumer data under CCPA and CPRA need to understand the full spectrum of compliance duties, thresholds, and risks.
Who needs to comply:
✅ Companies with over $25 million annual global revenue.
✅ Companies that buy, sell, or share personal data of over 100,000 Californians annually.
✅ Companies deriving 50%+ of revenue from selling or sharing personal data.
Author: Sebastian Burgemejster