Privacy Daily is a service of Warren Communications News.
Monitor Third-Party Platforms

Menswear Retailer Fine Shows Calif. Privacy Agency 'Looking Beyond Surface Compliance'

The California Privacy Protection Agency (CPPA) dressed down national menswear retailer Todd Snyder with a $345,178 fine Tuesday for alleged violations of the California Consumer Privacy Act (CCPA). Closely following CPPA action last March against Honda, the Todd Snyder case is more than an enforcement action. It also “highlights a trend by this agency of looking beyond surface compliance with the CCPA,” Wiley privacy attorney Joan Stewart told us. The agency’s board adopted the enforcement decision May 1.

The privacy agency said Todd Snyder agreed to pay the fine and change its business practices to resolve allegations, including that it failed to oversee and properly configure technical infrastructure of its privacy portal. That failure led to a 40-day period in which the company failed to process consumer requests to opt out of selling and sharing personal information, the CPPA said.

In addition, the clothing retailer required consumers to submit more information than necessary to process privacy requests, the agency alleged. Also, Todd Snyder inappropriately required consumers to verify their identity before they could opt out, said the agency.

Todd Snyder is based in New York City but has stores in California. The company didn’t comment Tuesday.

“Businesses should scrutinize their privacy management solutions to ensure they comply with the law and work as intended, because the buck stops with the businesses that use them,” said Michael Macko, the CPPA’s enforcement head. “Using a consent management platform doesn’t get you off the hook for compliance.”

CPPA Executive Director Tom Kemp said the CPPA decision “should serve as an important reminder that our Enforcement Division is scrutinizing what businesses are doing to honor Californians’ privacy rights.”

The Todd Snyder fine comes less than two months after a CPPA enforcement action against Honda (see 2503120037). In that case, the agency similarly found that the car company inappropriately sought user verification and asked for too much personal information, among other issues. At the IAPP Global Privacy Summit last month, Macko said the CPPA is trying to build a broad “foundational precedent” by applying the CCPA “holistically across industries” (see 2504230033).

Consent Banner Glitches

Todd Snyder uses third-party tracking software on its website, including cookies and pixels, that send data about consumers’ online behavior for analytics, cross-context behavioral advertising and other purposes, noted the CPPA order. But despite the company telling consumers they could opt out, “the technical infrastructure told a different story,” it said.

“Behind the scenes, the Website’s opt-out mechanism to enable Consumers to exercise their choices was not properly configured,” the decision said. In late 2023, for 40 days, when consumers clicked a link to set cookie preferences, “a consent banner … appeared to the side of the screen but instantaneously disappeared,” preventing consumers from opting out. In addition, the “same configuration issue” meant that requests from universal opt-out preference signals like the Global Privacy Control weren’t processed, the CPPA said.

“Todd Snyder would have known” if it was monitoring its website, but the company “instead deferred to third-party privacy management tools without knowing their limitations or validating their operation,” the order said. It also “would have known about the issue if the company had taken steps to ensure that its” opt-out mechanism “was properly configured and functioning.”

The CPPA also slapped Todd Snyder for requiring consumers seeking to opt out to first provide their full name, email, country of residence and a photo of the consumer holding an identity document. Government IDs are sensitive information under the CPPA. In addition, some consumer privacy requests require businesses to verify a consumer is who they say they are, while others do not.

The CPPA said the company unlawfully applied a verification standard to opt-out requests and required consumers to submit more information than necessary to exercise that and other privacy rights. “Making matters worse, government identification documents contain highly sensitive information that, if unlawfully accessed, may result in identity theft and financial fraud, or have other serious consequences for Consumers.”

Lawyers Advise Testing

Wiley’s Stewart said the actions against Honda and Todd Snyder show that businesses shouldn’t “assume that offering a cookie banner or a ‘do not sell or share my personal information’ link will safeguard them from investigation by this regulator.”

“Any business subject to the CCPA should take this opportunity to review its opt-out (and other privacy rights) compliance mechanism to ensure its interface complies with the CCPA requirements,” Stewart emailed. “This is especially critical if a business is relying on a third-party platform or other privacy management tool. Businesses should consider ‘default’ features or ‘template’ notices provided by these tools only as a starting point. It is important to map default features or template notices against the CCPA’s requirements (and prohibitions) and especially against the business’ own data collection and use practices.”

Jennifer Sheridan, another privacy attorney, advised CCPA-covered businesses to test and monitor consent-management platforms “to ensure they're operating correctly.” As Macko explained, just having a consent platform isn’t enough, she said.

In addition, businesses should make sure they “have a bifurcated user request system that includes those requests that you can verify identity, such as access, delete, correct privacy rights, and those non-verifiable user requests, including opt-out of the sale or share of personal information that you cannot request verification.” The CPPA sent the same message in its Honda action, she said. Also, “do not ask for information, especially sensitive information like government identification, if the consumer did not need that information to do business with you,” she added.

“Businesses across the country should take note that CCPA will apply to your business if it affects California consumers,” the privacy lawyer said.