Senior Content Marketing Manager II
May 8, 2025•2 min read
On May 6, 2025, the California Privacy Protection Agency (CPPA) fined national luxury clothing retailer Todd Snyder $345,178 for violating the California Consumer Privacy Act (CCPA). You can read the full release here.
The enforcement decision underscores the critical importance of implementing functional, transparent, and compliant consumer privacy practices—particularly around opt-out mechanisms and identity verification.
Keep reading to learn why the CPPA took action, plus key takeaways for other businesses in this space.
The CPPA’s Enforcement Division investigated Todd Snyder’s data privacy practices and found multiple CCPA compliance failures, primarily focused on the company's technical handling of consumer privacy requests.
Todd Snyder failed to correctly configure its privacy request portal, causing consumer opt-out requests to go unprocessed for over 40 days. This failure violated a core consumer right under the CCPA—the ability to stop the sale or sharing of their personal data.
The retailer required consumers to provide more personal information than necessary in order to exercise their privacy rights. This goes against key CCPA principles, specifically around data minimization and the right to control personal data without facing unnecessary hurdles.
The company required consumers to verify their identity even for opt-out requests—an approach the CPPA explicitly cautions against in a recent enforcement advisory. Under the CCPA, opt-out mechanisms must be simple and not contingent on identity verification unless absolutely necessary.
In addition to paying the $345,178 fine, Todd Snyder has agreed to:
The CPPA used this enforcement decision to send a clear signal—businesses are fully accountable for the privacy platforms they implement. According to Michael Macko, head of the Agency’s Enforcement Division:
"Businesses should scrutinize their privacy management solutions to ensure they comply with the law and work as intended, because the buck stops with the businesses that use them. Using a consent management platform doesn’t get you off the hook for compliance."
The Todd Snyder case is a timely reminder that intent isn't enough when it comes to privacy—execution matters. Here are a few key action items to consider:
If your organization is grappling with the same challenges faced by Todd Snyder, Transcend can help you move from reactive compliance to proactive privacy operations with scalable, automated solutions.
Transcend Consent Management replaces outdated consent banners and fragmented tools with a unified, enterprise-ready consent management platform. It ensures end-to-end coverage—capturing consent signals across all domains, devices, and applications, and syncing them downstream across your entire data ecosystem. You won’t just be collecting consent, you’ll be honoring it everywhere it matters.
Manual or semi-automated privacy workflows leave room for delay, inconsistency, and error. Transcend DSR Automation offers fully automated fulfillment of data subject requests—whether consumers are opting out, deleting their data, or requesting access. Requests are handled across your entire tech stack without human bottlenecks, ensuring you meet deadlines and reduce compliance risk.
Whether you're preparing for an audit or just need confidence in your compliance posture, Transcend provides detailed logging, consent records, and operational reports. Track every privacy interaction, monitor trends, and maintain a comprehensive record of compliance actions—backed by enterprise-grade scalability.
Whether you’re configuring a consent management platform or fulfilling data subject requests (DSRs), having the right tools in place is essential. Transcend’s automated platform for consent and DSR fulfillment makes it easy to maintain compliance, reduce manual workload, and stay ahead of enforcement actions.
Reach out today to learn how Transcend supports confident compliance with CCPA.
Contact usSenior Content Marketing Manager II