Libbie Canter, Lindsey Tonsager, Jayne Ponder, and Natalie Maas of Covington and Burling write:
On May 6, 2025, the California Privacy Protection Agency (“CPPA”) announced a decision and $345,178 fine related to allegations that Todd Snyder, Inc. violated the California Consumer Privacy Act (“CCPA”) and requirements to change its business practices.
As summarized in the consent order, the CPPA alleged the following:
- Despite engaging in activities that Todd Snyder characterized as a “sale” or “sharing” through “automated tracking technologies” installed on its website, the website opt-out mechanism was not properly configured. The CPPA states that Todd Snyder “would have known” that the opt-out did not function correctly, but it “instead deferred to third-party privacy management tools without knowing their limitations or validating their operation.”
- The consumer rights request form required consumers to provide information to validate their identity (e.g., first and last name, email, photograph of the consumer holding their “identity document”) for all requests, including opt-out of sale/sharing requests.
- Todd Snyder allegedly collected more information than required – including government identification – to exercise privacy rights.
Read more at Inside Privacy.