The California Privacy Protection Agency (CPPA) has made clear that failing to ensure compliance with consumer privacy requests can be costly. Last week was no different when the CPPA took decisive enforcement action against national clothing retailer, Todd Snyder, Inc., signaling that companies’ execution of consumer rights requests under the California Consumer Privacy Act of 2018, as amended (the CCPA), is at the center of the California privacy regulator’s priorities. This article explores the basis for the CPPA’s latest enforcement action and summarizes key takeaways to help minimize regulatory scrutiny.
Key Findings
On May 6, 2025, the CPPA announced that it had issued an order requiring the clothing retail company to change its business practices and pay a US$345,178 fine to resolve alleged violations of the CCPA with respect to the retailer’s procedures in responding to consumer privacy requests. This is the CPPA’s second major enforcement announcement based on similar privacy violations in recent months.
Specifically, the CPPA alleged that the clothing retailer had violated the CCPA in the following ways:
- Failure to Process Consumer Opt-Out Requests: For a period of 40 days, the company’s privacy portal was not properly configured. As a result, requests from consumers to opt out of the sale or sharing of their personal information were not processed.
- Excessive Information Collection: When consumers submitted privacy-related requests, the company required them to provide more personal information than was necessary to process these requests. This ran counter to the CCPA’s data minimization requirement.
- Unnecessary Identity Verification: Consumers were also required to verify their identity, even to opt out of personal information sales or sharing, a step that is generally not required under the CCPA unless sensitive information is being accessed or deleted.
The CPPA’s latest enforcement action highlights critical compliance features related to consumer opt-out rights and the handling of personal information, with particular emphasis on the company’s reliance on third-party privacy management tools and its imposition of excessive verification requirements.
Lessons Learned
Below are some key takeaways that can help CCPA-regulated businesses stay out of the CPPA’s crosshairs when it comes to complying with consumer rights requests:
1. Do not simply rely on third-party privacy management tools without ongoing oversight, but instead regularly monitor, test, and validate the effectiveness of these tools to ensure that consumer privacy rights are respected, and that opt-out mechanisms are functioning as required by law. This requires an ongoing interface between both the technical and legal teams to ensure both know what technologies are being implemented as well as the appropriate (and compliant) actions taken with respect to those technologies. According to the CPPA, “[u]sing a consent management platform doesn’t get you off the hook for compliance.”
Illustrative Example
The CPPA found that Snyder installed third-party tracking technologies (such as cookies and pixels) on its website, which collected and shared consumer personal information for analytics and cross-context behavioral advertising. Although the company expressly told consumers that they could opt out of the sale or sharing of their personal information via a Cookie Preferences Center, a technical misconfiguration rendered the opt-out mechanism inoperable for 40 days in late 2023.
2. Ensure that consumers can successfully exercise their opt-out rights easily, as well as identify and remediate any website design flaws that prevent consumers from exercising their requests via your website or other online interface.
Illustrative Example
In this latest enforcement action, the CPPA alleged that the clothing retailer did not properly configure its website’s opt-out mechanism (e.g., opt-out preference signals, such as the Global Privacy Control, were not processed during the 40-day period noted above), and that its consent banner kept disappearing before consumers could submit their requests to opt out of the sale and sharing of personal information, making it impossible for consumers to submit opt-out requests.
3. When responding to a consumer’s CCPA rights request, (i) seek to rely, as much as possible, on data you already have in your possession to verify the identity of the consumer making the request, and (ii) do not ask consumers for information that is not needed to process the request.
Illustrative Example
Todd Snyder required consumers to upload pictures of their driver’s licenses (which are considered sensitive personal information) to verify their identity for any CCPA request submitted. This requirement was imposed regardless of the type of CCPA request, including opt-out requests, which under the CCPA do not require verification. By requiring government identification for all requests, Snyder unlawfully imposed an undue burden on consumers and discouraged them from exercising their privacy rights. In addition, according to the CPPA, even for verifiable consumer requests (where verification is appropriate), the CCPA requires businesses to avoid collecting more information than necessary and to use information already maintained by the business whenever feasible. Accordingly, Snyder’s blanket requirement for government identification exceeded what was necessary and violated these provisions.
4. Do not engage in verification when it is not necessary to do so, and make sure that your policies and procedures are clear as to when a consumer’s request needs verification and when it does not.
Illustrative Example
As discussed above, Todd Snyder required consumers to provide certain information to verify their identity in connection with opt-out requests they submitted, even though the CCPA prohibits businesses from requiring consumers to verify their identity for opt-out requests. Thus, if you are subject to the CCPA and receive an opt-out request, you should not proceed to verify the identity of the consumer making that request.
Conclusion
By understanding the alleged CCPA violations brought against Todd Snyder in this latest enforcement action, CCPA-regulated businesses can help to ensure that their processes and mechanisms for managing consumer privacy requests align with the CCPA’s requirements and reduce the likelihood that their practices for handling consumer requests under this state law become subject to regulatory scrutiny.