CPPA Enforcement Action Against Fashion Retailer Todd Snyder Results in $345,178 Company Fine

Fashion retailer Todd Snyder is facing a number of alleged violations affecting consumer opt-out rights and data request handling, resulting in a $345,178 fine. On May 1st, the company was ordered by the California Privacy Protection Agency (CPPA) to undergo extensive adjustments to its privacy policy as a result of these findings.

Failure to Comply with Regulations

Improper Opt-Out Configuration: For a 40-day period beginning in November 2023, Todd Snyder failed to honor consumer opt-out requests because of a misconfigured cookie consent banner. Consumers were told they could use the cookie preference center to opt out of device-based sharing or sales of personal information, but when consumers clicked on the link, the consent banner appeared and then disappeared, making it impossible for consumers to submit opt-out requests. If Todd Snyder had monitored the website rather than deferring to a third-party privacy management tool, the company would have been aware of the malfunction in the site and corrected it accordingly, states the California Privacy Protection Agency.

Verification of Privacy Requests: Todd Snyder required customers to verify their identities before they could submit an opt-out request for the sale or sharing of personal information. The CCPA explicitly forbids companies from requesting information for opt-out requests and only allows identity verification for requests pertaining to the access, correction, or deletion of personal data.

Requiring More Information Than Necessary for Consumer Requests: Consumers were required to submit government-issued identification before they could make verifiable consumer requests, though under the CCPA it is deemed unlawful for companies to ask for more information than is reasonably necessary to verify requests.

Todd Snyder Settlement Terms

Along with the $345,178 fine, Todd Snyder must complete a number of actions to show adherence to CCPA requirements. Todd Snyder must (i) ensure the opt-out request procedures comply with CCPA rules, (ii) put in place policies to recognize and handle opt-out requests, and (iii) refrain from asking for more information than is required. Additionally, the company must set up technical safeguards to monitor the new opt-out methods and adhere to opt-out preference signals.

Keep Your Company CCPA Compliant

To avoid facing the CCPA violations that Todd Snyder experienced, ensure your website’s cookie consent tools and opt-out processes work effectively. Opt-out requests should not require identity verification, and the collection of personal information required for other requests must be limited to only that which is necessary. When using third-party platforms, consult with professionals and conduct regular audits of privacy tools. If you would like guidance on consent management platforms and other privacy technologies, feel free to contact us at datarep@h4t.io.