Case Studies
February 26, 2026

CA's Todd Snyder CCPA Fine: Third-Party Opt-Out Pitfalls

California's $345K settlement with Todd Snyder, for blocking opt-outs through an unmonitored third-party consent tool and demanding excessive identity verification, warns sites to vet privacy vendors and streamline consumer rights requests under CCPA.[2]


The $345K Warning: How Todd Snyder's CCPA Missteps Should Change Your Privacy Strategy

In May 2025, the California Privacy Protection Agency (CPPA) issued a $345,178 fine against Todd Snyder, Inc., a national clothing retailer, for systematic failures in handling consumer opt-out requests under the California Consumer Privacy Act (CCPA).1 2 On the surface, this looks like another privacy enforcement action. But dig deeper, and you'll find a cautionary tale about vendor management, technical oversight, and the non-delegable responsibility of compliance.

The case exposes a gap that affects e-commerce sites across the country: the assumption that outsourcing privacy infrastructure also outsources accountability. It doesn't. The CPPA's decision sends an unmistakable message: the buck stops with the business using the privacy tool, not the vendor providing it.

What Went Wrong: The Technical and Procedural Failures

Todd Snyder's violations centered on three interconnected problems that prevented consumers from exercising their CCPA rights.

The Vanishing Consent Banner

First, the company's consent banner, the interface where consumers could opt out of the sale or sharing of their personal data, was misconfigured and disappeared almost immediately after appearing.3 For at least 40 days, this malfunction made it functionally impossible for users to submit opt-out requests through the website's primary mechanism.1 4 Consumers would click to open privacy preferences, see the banner flash, and watch it vanish before they could interact with it. Nobody at the company noticed, because nobody was testing the flow.

Excessive Identity Verification Requirements

Second, Todd Snyder required consumers attempting to opt out to verify their identity by providing their name, email, country of residence, and a photograph of themselves holding official government identification documents like a driver's license.3 This created a multi-layered barrier that went far beyond what the CCPA permits.

Under California law, an opt-out request is not a verifiable request: a business may not require identity verification and may only deny the request if it has a good-faith, reasonable, and documented belief that the request is fraudulent.1 5 Todd Snyder asked for less identifying information when consumers made a purchase than when they tried to opt out, an inconsistency the CPPA flagged as particularly problematic.3 Demanding government ID photos also ran against data minimization, since it forced consumers to hand over sensitive identity documents (and accept the identity-theft risk that comes with them) just to stop the sale of their data.3

Third-Party Vendor Mismanagement

Third, Todd Snyder delegated management of its website and privacy infrastructure to a third party without adequate oversight or validation.3 1 The CPPA's investigation revealed that the company "deferred to third-party privacy management tools without knowing their limitations or validating their operation."1 In other words, Todd Snyder implemented a consent management platform but never verified that it actually worked.

Michael Macko, head of the CPPA's Enforcement Division, crystallized this accountability gap: "Businesses should scrutinize their privacy management solutions to ensure they comply with the law and work as intended, because the buck stops with the businesses that use them."5 Using a third-party tool is not a compliance pass; it's a compliance responsibility that requires active management.

The Regulatory Framework: What CCPA Actually Requires

To understand why these failures matter, it's worth reviewing the relevant CCPA obligations.

The Right to Opt Out (Cal. Civ. Code § 1798.120)

California consumers have the right to direct a business not to sell or share their personal information. Businesses must honor these requests and cannot discriminate against consumers for exercising the right. The statute bars businesses from requiring consumers to create an account in order to opt out, and the CPPA's regulations add that an opt-out request need not be verified and cannot be conditioned on providing a government ID or other identity proof, unless the business has a good-faith, reasonable, and documented belief that the request is fraudulent.

Data Minimization and Verification Standards (Cal. Code Regs. tit. 11, §§ 7026, 7060)

The CPPA's implementing regulations clarify that when a business does require verification, it must use the least intrusive method reasonably available. The regulations also emphasize that businesses cannot require more information to process a privacy request than they require for a commercial transaction.

Vendor Accountability

The CCPA defines service providers, contractors, and third parties, requires businesses to bind service providers and contractors by contract, and places the obligation to ensure those vendors comply squarely on the business. The CPPA has issued enforcement advisories warning against excessive verification and demanding that businesses actively monitor their privacy infrastructure.

Key Takeaways: What This Means for Your Business

1. Audit Your Privacy Vendor Before Implementation

Don't assume your consent management platform (CMP) or privacy management tool works correctly. Before deploying it:

  • Request a technical audit or security assessment from the vendor
  • Test the opt-out mechanism yourself across devices and browsers
  • Verify that the tool respects opt-out preference signals, including the Global Privacy Control (GPC) standard6
  • Confirm that the tool's data collection practices align with CCPA requirements
  • Establish a service agreement that includes compliance obligations and indemnification clauses
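Checking the third bullet above, whether the tool honors the Global Privacy Control signal, is something you can do without trusting the vendor's word for it. The following is an added example, not code from the original post, from Pryvii, or from Todd Snyder's site. It shows the two halves of the GPC check in plain JavaScript: server-side detection of the `Sec-GPC: 1` request header (and the `/.well-known/gpc.json` resource the GPC spec defines) and a browser-side guard on `navigator.globalPrivacyControl`. The cookie name `ccpa_opt_out`, the `optOutDecision` and `shouldLoadSaleTags` helper names, and the `{ headers }` request shape are assumptions made for this example; the decision deliberately involves no account, login, or ID check, because an opt-out request does not require verification.

```javascript
// Added example (not the original page's or Pryvii's code): honoring the
// Global Privacy Control (GPC) opt-out signal on both sides of a web site.
// Assumptions: the cookie name, helper names, and the { headers } request
// shape are invented for this example.

const OPT_OUT_COOKIE = 'ccpa_opt_out'; // assumed cookie name

// GPC spec: the request header is exactly `Sec-GPC: 1`; anything else
// (absent, "0", garbage) means "no signal", not "opted in".
function gpcFromHeaders(headers) {
  const v = headers['sec-gpc'] !== undefined ? headers['sec-gpc'] : headers['Sec-GPC'];
  return v !== undefined && String(v).trim() === '1';
}

// Parse a Cookie header into a map, tolerating missing or malformed input.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    try { out[name] = decodeURIComponent(raw); } catch (e) { out[name] = raw; }
  }
  return out;
}

// Decide whether sale/sharing must be suppressed for this request.
// Returns { optedOut, source } so the caller can log *why* (useful for the
// monitoring and alerting the post recommends). No identity gate here.
function optOutDecision(req) {
  if (gpcFromHeaders(req.headers)) return { optedOut: true, source: 'gpc' };
  const cookies = parseCookies(req.headers.cookie);
  if (cookies[OPT_OUT_COOKIE] === '1') return { optedOut: true, source: 'cookie' };
  return { optedOut: false, source: 'none' };
}

// Response headers for a page view: persist a GPC-derived opt-out in a cookie
// so it also covers requests that carry no Sec-GPC header, and mark the
// response as varying by the signal so caches do not serve an opted-in page
// to an opted-out browser.
function responseHeadersFor(req, decision) {
  const h = { Vary: 'Sec-GPC' };
  if (decision.optedOut && decision.source === 'gpc') {
    h['Set-Cookie'] = `${OPT_OUT_COOKIE}=1; Path=/; Max-Age=31536000; SameSite=Lax; Secure`;
  }
  return h;
}

// Body for /.well-known/gpc.json (GPC spec: `gpc` boolean, `lastUpdate` date string).
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Browser-side guard: load sale/share tags only when neither the GPC flag
// nor the stored preference says "opted out". `nav` is the page's navigator.
function shouldLoadSaleTags(nav, cookieString) {
  if (nav && nav.globalPrivacyControl === true) return false;
  return parseCookies(cookieString)[OPT_OUT_COOKIE] !== '1';
}

// Constructed sample requests (not real traffic) to show the three outcomes.
const samples = [
  { headers: { 'sec-gpc': '1' } },
  { headers: { cookie: `${OPT_OUT_COOKIE}=1; session=abc` } },
  { headers: { 'sec-gpc': '0', cookie: 'session=abc' } },
];
for (const req of samples) {
  const d = optOutDecision(req);
  console.log(JSON.stringify(req.headers), '->', d, responseHeadersFor(req, d));
}
```

To use this as a vendor check rather than as production code, send a request with `Sec-GPC: 1` through the CMP and confirm that the tags it fires match `optOutDecision`'s answer; if the CMP still loads sale/share tags, the tool does not honor the signal regardless of what its documentation says. Logging `source` per request also gives you a baseline, so a sudden drop in `gpc` or `cookie` decisions is an early warning that the banner or signal handling has broken.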

2. Implement Ongoing Monitoring and Testing

The CPPA emphasized that Todd Snyder "would have known that consumers could not exercise their CCPA rights if the company had been monitoring its website."1 This means:

  • Run automated synthetic checks of the opt-out flow continuously (Todd Snyder's banner was broken for 40 days before anyone caught it), plus a fuller manual review at least quarterly
  • Monitor user submissions and processing times for privacy requests
  • Set up alerts for failed opt-out submissions or unusual patterns
  • Document your testing procedures and results for regulatory review

3. Simplify Your Verification Process

If you must verify identity before processing opt-out requests (which should be rare), use the least intrusive method available:

  • Email verification is generally sufficient
  • Phone verification is acceptable but more burdensome
  • Requiring government ID photos is excessive and creates unnecessary data exposure
  • Never require more information to opt out than you require to complete a sale

4. Provide CCPA Compliance Training

The settlement requires Todd Snyder to provide CCPA compliance training for its employees.2 This isn't just a punishment—it's a best practice. Ensure that your legal, product, engineering, and customer service teams understand:

  • What constitutes a "sale" or "sharing" of personal information under CCPA
  • How to process opt-out requests correctly
  • Verification standards and limitations
  • The company's obligations to monitor third-party vendors

5. Document Your Compliance Program

The CPPA and other regulators expect businesses to maintain written policies and procedures. Your documentation should cover:

  • Privacy request handling procedures (intake, verification, processing, confirmation)
  • Vendor selection and monitoring criteria
  • Technical testing protocols
  • Employee training records
  • Data retention and deletion procedures

The Broader Context: CPPA Enforcement Trends

The Todd Snyder fine is the CPPA's second public enforcement decision under the CCPA and reflects the agency's emerging enforcement priorities.7 Its first, a March 2025 settlement with American Honda Motor Co., involved similar opt-out, verification, and vendor management failures. These cases suggest the CPPA is focusing on:

  • Vendor oversight and accountability — Businesses can't hide behind third-party tools
  • Verification overreach — Excessive identity verification barriers violate CCPA principles
  • Data minimization — Collecting more information than necessary, even for compliance purposes, is problematic
  • Technical functionality — Privacy tools must actually work; broken implementations are violations

This enforcement trajectory matters because it signals where regulators will focus resources in 2026 and beyond. If your business relies on third-party privacy infrastructure, now is the time to audit and strengthen your vendor management practices.

Conclusion: Compliance Is Not Delegable

The Todd Snyder case offers a clear lesson: outsourcing your privacy infrastructure does not outsource your compliance responsibility. Whether you use a consent management platform, a privacy request portal, or any other third-party tool, you remain accountable for ensuring it complies with the CCPA and actually works as intended.

The company paid $345,178 in fines, agreed to overhaul its privacy practices, and committed to ongoing compliance monitoring.1 2 But the real cost extends beyond the settlement: reputational damage, operational disruption, and the need to rebuild consumer trust.

The good news is that these failures were preventable. By implementing robust vendor selection criteria, conducting regular technical testing, simplifying verification requirements, and training your team on CCPA obligations, you can avoid the Todd Snyder trap. Privacy compliance requires active management—not just at implementation, but continuously throughout your business operations.

The CPPA is watching, and the next enforcement action could be against your competitor—or your company. The time to strengthen your privacy practices is now.

Sources

  1. natlawreview.com
  2. cppa.ca.gov
  3. callaborlaw.com
  4. governmentcontractslaw.com
  5. transcend.io
  6. truevault.com
  7. venable.com
