CPPA Orders Clothing Retailer Todd Snyder to Pay Six–Figure Fine, Overhaul Privacy Practices

News:

SACRAMENTO, CA — The California Privacy Protection Agency (CPPA) Board has issued a decision requiring national clothing retailer Todd Snyder, Inc., to change its business practices and pay a $345,178 fine to resolve allegations that it violated the California Consumer Privacy Act (CCPA).

The CPPA’s Enforcement Division alleged that Todd Snyder violated Californians’ privacy rights by:

  • Failing to oversee and configure properly the technical infrastructure of its privacy portal, resulting in a failure to process consumer requests to opt out of the sale or sharing of personal information for 40 days;
  • Requiring consumers to submit more information than necessary to process their privacy requests; and
  • Requiring consumers to verify their identity before they could opt–out of the sale or sharing of their personal information.

To resolve the allegations, Todd Snyder agreed to pay a $345,178 fine. The company will also change its business practices, including properly configuring its mechanisms for submitting and managing opt–out preferences and providing CCPA compliance training for its employees. The allegations about improper verification echo a CPPA Enforcement Advisory issued last year, warning businesses against collecting excessive information from consumers asserting their privacy rights.

“Businesses should scrutinize their privacy management solutions to ensure they comply with the law and work as intended, because the buck stops with the businesses that use them,” said Michael Macko, head of the Agency’s Enforcement Division. “Using a consent management platform doesn’t get you off the hook for compliance.”

The Board’s decision underscores the importance of Californians’ opt–out rights. Some businesses collect and repurpose vast amounts of personal information through every interaction with consumers. Businesses can then use and share consumers’ personal data in dangerous ways that Californians might not expect. This can include information about reproductive health, immigration status, financial condition, employment, political activity, military service, religion, and ethnic identity.

“Opt–out rights are one way for Californians to assert control over their personal information and protect themselves from real harms,” said Tom Kemp, the CPPA’s Executive Director. “The board’s decision should serve as an important reminder that our Enforcement Division is scrutinizing what businesses are doing to honor Californians’ privacy rights.”

The CPPA’s Recent Enforcement Actions to Protect Californians

The CPPA continues to actively enforce California’s cutting–edge privacy laws. Recent actions include:

  • Issuing a decision requiring American Honda Motor Co. to change its business practices and pay a $632,500 fine for CCPA violations — the second–highest fine in the law’s history.
  • Securing a settlement agreement requiring data broker Background Alert — which promoted its ability to dig up “scary” amounts of information about people — to shut down or pay a steep fine.
  • Bringing an enforcement action against National Public Data, Inc., the Florida–based data broker responsible for a data breach that exposed millions of Americans’ Social Security numbers and personal information.
  • Launching the bipartisan Consortium of Privacy Regulators to collaborate with states across the country to implement and enforce privacy laws nationwide.
  • Partnering with the data protection authorities in Korea, France, and the United Kingdom to share information and advance privacy protections for Californians.

These activities followed nearly a half–dozen enforcement actions brought against unregistered data brokers late last year, and an investigative sweep of data broker compliance with the Delete Act.

About Us

The California Privacy Protection Agency is committed to promoting the education and awareness of consumers' privacy rights and businesses' responsibilities under the California Consumer Privacy Act.

Californians can visit privacy.ca.gov to access helpful and up–to–date information on how to exercise their rights and protect their personal information. In addition, the Agency's website provides important information about CPPA board meetings, announcements, and the rulemaking process.