Todd Snyder Agrees to Pay $345,178 Fine to The CPPA and Other Equitable Relief

CDF Labor Law LLP

Last month, the Enforcement Division of the California Privacy Protection Agency (“the Privacy Police”) and Todd Snyder, Inc. (“Snyder”) resolved the investigation into the opt-out methods used on Snyder’s website from November 1, 2023 to December 31, 2024, which allegedly violated the California Consumer Privacy Act (“CCPA”).

Snyder, a New York-based men’s clothing retailer, operated retail stores and a website. The website used third-party tracking software for analytics and cross-context behavioral advertising. While Snyder told consumers that they could opt out, the Privacy Police claimed that the website was not properly configured to actually allow customers to opt out. One issue was that the website’s “consent banner” would appear and then instantaneously disappear, preventing consumers from opting out. In addition, when a consumer was able to reach the opt-out option, the Privacy Police claimed that Snyder imposed an improper verification standard on persons who wished to opt out. Snyder required all consumers attempting to opt out to verify their name, email, and country of residence and to submit a photograph of the consumer holding official identity documents, like a driver’s license.

The Privacy Police criticized Snyder for:

  • Allowing a third party to manage Snyder’s website without adequate supervision by Snyder;
  • Forcing consumers who wished to opt out of sale/sharing to provide verification, as such requests do not require verification under the CCPA;
  • Requiring more identification information to opt out than Snyder required when consumers made a purchase; and
  • Requiring consumers to provide government identification documents with Sensitive Personal Information (“SPI”), which might decrease opt-out requests due to concerns about identity theft.

Takeaways

Snyder did not admit to liability for any violation of the CCPA, and the full scope of the Privacy Police’s investigation and the extent of potential penalties are not published in the Stipulation. The expedited resolution in the first four months of 2025 demonstrates that Snyder must have concluded that an expedited settlement was the most efficient way to dispose of the investigation, legal fees and risks of greater penalties. That settlement included payment of over $345,000 in fines and providing the Privacy Police with confirmation that it has developed new procedures to handle SPI and procedures to monitor third parties to ensure compliance with the CCPA.

The Privacy Police monitor California and out-of-state corporations alike. Any business that operates a website that shares or sells consumer information for 100,000 or more consumers should review its policies and opt-out procedures to ensure compliance with the CCPA. Owners of commercial websites will be held responsible for monitoring consumer opt-out requirements, even if they believe that they have delegated such monitoring to third-party vendors. Finally, ensure that the opt-out requirements comply with the CCPA and do not require unnecessary verification information or copies of government documents that contain personal identifying information.

Conclusion

The CCPA signifies a major advancement in consumer privacy protection, requiring businesses to adopt proactive measures to ensure compliance.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© CDF Labor Law LLP
