The California Consumer Privacy Protection Agency (CPPA) Board issued a stipulated final order against Todd Snyder, Inc., a clothing retailer based in New York, requiring the company to pay a $345,178 fine and update its privacy program to settle allegations that it violated the California Consumer Privacy Act (CCPA). Specifically, Todd Snyder must update its methods for submitting and fulfilling privacy requests and provide training to its staff about CCPA requirements. Todd Snyder is also required to maintain a contract management and tracking process so that required CCPA contractual terms are included in contracts with third parties with access to or receipt of personal information.

The CPPA alleged that Todd Snyder violated the CCPA as follows:

• Its consumer privacy rights request process collected much more information than necessary to fulfill privacy requests. Specifically, the privacy portal on Todd Snyder’s website used by consumers to submit privacy rights requests required consumers to provide their first and last name, email, country of residence, and a photograph of the consumer holding the consumer’s “identity document” (such as a driver’s license or passport which is considered “sensitive information” under the CCPA), regardless of the type of privacy request. The sensitive information is unnecessary to exercise a request to opt-out of the sale and/or sharing of personal information.
• It failed to oversee and properly configure its third-party consumer privacy request portal for 40 days. The Todd Snyder website utilizes third-party tracking technologies, including cookies, pixels, and other trackers that automatically send data about consumers’ online behavior to third-party companies for analytics and behavioral advertising. The CPPA alleges that the opt-out mechanism on the website was not properly configured for a 40-day period. During that period, if the consumer clicked on the cookie preferences link on the website, a pop-up appeared, but then immediately disappeared, making it impossible for the consumer to opt-out of the sale or sharing of their personal information.

The lesson here is that a company cannot pass on its privacy compliance obligations to a third-party privacy management platform; the company itself is responsible for the functionality of such platforms. Michael Macko, head of the CPPA’s Enforcement Division, stated in a press release, “Using a consent management platform doesn’t get you off the hook for compliance [. . .] the buck stops with the businesses.” Your company cannot rely on its third-party privacy management platform for compliance and expect no accountability in the event of non-compliance; you must conduct due diligence and validate that the operation is functioning and compliant with CCPA requirements.

This is likely only the start of the CPPA’s enforcement sweep. The time is now—assess your CCPA compliance program and processes, and ensure they are up to par.