The California Privacy Protection Agency (CPPA) has ordered online clothing retailer Todd Snyder to pay $345,178 within 30 days, and to remedy its practices and train staff within 90 days, for violating the California Consumer Privacy Act’s (CCPA) privacy rights requirements.

The Violations

Like many online companies, Todd Snyder uses third-party tracking software that discloses Californians’ personal information to advertising networks. Under CCPA, California residents have the right to opt out of these disclosures, and the CCPA regulations provide enforceable clarity on how companies provide these rights.

Cookie Banner Issues

On its website, Todd Snyder had a cookie banner that was not working properly: it disappeared when a consumer clicked on it. The CPPA noted in its decision that if Todd Snyder had been monitoring its website instead of relying on third-party privacy management tools, it would have known the banner was not working as intended. The incorrect configuration also left the site unable to recognize universal opt-out mechanisms.

Privacy Portal Issues

Within the company’s privacy notice, a link to a Privacy Portal brought consumers to a webform enabling them to exercise all of their CCPA rights. However, the form required a photo of the consumer holding government-issued identification in order to verify their identity to exercise any of these rights.

Under CCPA, companies are prohibited from requiring consumers to verify themselves to exercise opt-out rights. Additionally, the CPPA has published an enforcement authority underscoring this prohibition.

Compounding the issue, CCPA requires businesses to apply data minimization principles in verification, preferably by matching data they hold with information provided by the consumer. The CPPA’s decision says that requiring a government ID to access privacy rights is overcollection, and that treating all privacy rights the same for verification purposes is not a good practice.

Notably, the decision states, “Consumers often refrain from submitting CCPA Requests that require such documentation due to privacy concerns and the potential for identity theft.”

The Lessons Learned

Regulators are in enforcement mode. Nineteen state consumer privacy laws are on the books in the US, and the agencies responsible for enforcing them are sending messages to businesses that there are no more excuses for not doing privacy rights well.

Businesses are responsible for implementing appropriate and compliant privacy rights submission methods and maintaining them. Too often we see businesses install a cookie consent banner and think of it as a silver bullet for compliance. All these systems require the knowledge and expertise of an experienced team to implement, maintain, and consistently test their effectiveness.

What Should Companies Do?

  • Regularly audit your cookie compliance tools to ensure they are functioning properly—don’t rely solely on outsourced vendors or privacy software vendors.
  • Only require verification for specific request types: access, deletion, correction, and data portability—not for opt-out of sale/share requests.
  • When verifying identity, request only relevant and minimal data points—government-issued IDs are rarely appropriate or necessary.

How Red Clover Advisors Can Help

Navigating data privacy laws across the U.S. and the world can be tricky, even for large companies with dedicated data privacy teams. Red Clover Advisors helps businesses build and maintain privacy programs that meet all compliance requirements, improve customer trust, and support your business’s operations and profit model.

  • Help you analyze your cookie management with cookie audits, consent implementation, and governance programs.
  • Run a privacy rights process audit to ensure you have the correct workflow in place.
  • Stay ahead of the privacy curve with articles, podcasts, and free guides on data privacy, from AI to state law variations.

Have questions? We’re here to help. Contact us to schedule a free consultation and learn how our team can take your business to the next level.