Todd Snyder Fined Over $345K for CCPA Violations: A Wake-Up Call for E-Commerce Brands

By Morgan Sullivan

Senior Content Marketing Manager II

May 8, 2025

On May 6, 2025, the California Privacy Protection Agency (CPPA) fined national luxury clothing retailer Todd Snyder $345,178 for violating the California Consumer Privacy Act (CCPA). You can read the full release here.

The enforcement decision underscores the critical importance of implementing functional, transparent, and compliant consumer privacy practices—particularly around opt-out mechanisms and identity verification.

Keep reading to learn why the CPPA took action, plus key takeaways for other businesses in this space.

Why did the CPPA fine Todd Snyder?

The CPPA’s Enforcement Division investigated Todd Snyder’s data privacy practices and found multiple CCPA compliance failures, primarily focused on the company's technical handling of consumer privacy requests.

1. Broken opt-out mechanism

Todd Snyder failed to correctly configure its privacy request portal, causing consumer opt-out requests to go unprocessed for over 40 days. This failure violated a core consumer right under the CCPA—the ability to stop the sale or sharing of their personal data.

2. Excessive collection of personal information

The retailer required consumers to provide more personal information than necessary in order to exercise their privacy rights. This goes against key CCPA principles, specifically around data minimization and the right to control personal data without facing unnecessary hurdles.

3. Unjustified identity verification requirements

The company required consumers to verify their identity even for opt-out requests—an approach the CPPA explicitly cautions against in a recent enforcement advisory. Under the CCPA, opt-out mechanisms must be simple and not contingent on identity verification unless absolutely necessary.

What happens next?

In addition to paying the $345,178 fine, Todd Snyder has agreed to:

  • Reconfigure its privacy request systems to ensure they function correctly
  • Revise identity verification requirements for opt-outs
  • Provide CCPA compliance training to employees

The CPPA used this enforcement decision to send a clear signal—businesses are fully accountable for the privacy platforms they implement. According to Michael Macko, head of the Agency’s Enforcement Division:

"Businesses should scrutinize their privacy management solutions to ensure they comply with the law and work as intended, because the buck stops with the businesses that use them. Using a consent management platform doesn’t get you off the hook for compliance."

Lessons for brands and retailers

The Todd Snyder case is a timely reminder that intent isn't enough when it comes to privacy—execution matters. Here are a few key action items to consider:

  • Audit your privacy tools regularly to ensure they’re functioning as expected
  • Limit data collection to only what’s necessary to fulfill consumer privacy requests
  • Make opt-out processes frictionless—especially for requests not requiring identity verification
  • Train employees to understand and implement CCPA requirements properly

How Transcend can help

If your organization is grappling with the same challenges faced by Todd Snyder, Transcend can help you move from reactive compliance to proactive privacy operations with scalable, automated solutions.

Transcend Consent Management replaces outdated consent banners and fragmented tools with a unified, enterprise-ready consent management platform. It ensures end-to-end coverage—capturing consent signals across all domains, devices, and applications, and syncing them downstream across your entire data ecosystem. You won’t just be collecting consent, you’ll be honoring it everywhere it matters.

2. Truly automated data subject request fulfillment

Manual or semi-automated privacy workflows leave room for delay, inconsistency, and error. Transcend DSR Automation offers fully automated fulfillment of data subject requests—whether consumers are opting out, deleting their data, or requesting access. Requests are handled across your entire tech stack without human bottlenecks, ensuring you meet deadlines and reduce compliance risk.

3. Visibility and reporting at scale

Whether you're preparing for an audit or just need confidence in your compliance posture, Transcend provides detailed logging, consent records, and operational reports. Track every privacy interaction, monitor trends, and maintain a comprehensive record of compliance actions—backed by enterprise-grade scalability.

Need help ensuring CCPA compliance?

Whether you’re configuring a consent management platform or fulfilling data subject requests (DSRs), having the right tools in place is essential. Transcend’s automated platform for consent and DSR fulfillment makes it easy to maintain compliance, reduce manual workload, and stay ahead of enforcement actions.

Reach out today to learn how Transcend supports confident compliance with CCPA.
