CPPA Underscores That Businesses Own CCPA Compliance – Even When Privacy Management Tools Fail

Seyfarth Shaw LLP

The California Privacy Protection Agency (“CPPA”) has made it abundantly clear: privacy compliance isn’t just about publishing the right disclosures – it’s about whether your systems actually work. On May 6, the agency fined Todd Snyder, Inc. $345,178 for failures that highlight a growing regulatory focus on execution of California Consumer Privacy Act (“CCPA”) compliance. The action sends a powerful message: even well-resourced companies are not insulated from enforcement if they don’t actively test and manage how privacy rights are honored in practice.

Not Just Tools – Working Tools

The action against Todd Snyder was rooted in executional failure. The company had a portal in place for consumer rights requests, but it wasn’t processing opt-out submissions – a failure that lasted for roughly 40 days, according to the CPPA. The cookie banner that should have enabled consumers to opt out of cookie tracking would disappear prematurely, preventing users from completing their requests.

The company further required users to verify their identity before opting out and requested sensitive personal information, such as a photograph of their driver’s license. The CPPA determined this was not only unnecessary, but a violation in itself. The allegations around improper verification reflect concerns raised in a CPPA Enforcement Advisory issued last year, which cautioned businesses against collecting excessive information from consumers asserting their privacy rights.

Although the company relied on third-party compliance tools, the enforcement action made clear that having those tools in place is not enough. When a consent mechanism malfunctions or creates friction for consumers attempting to exercise their rights, the company – not the vendor – is accountable.

The Vendor Defense Doesn’t Work

A central theme of the CPPA’s enforcement action is that businesses cannot outsource responsibility. While Todd Snyder used a vendor to manage parts of its compliance program, the CPPA emphasized that it’s the business, not the vendor, that will be held accountable when things go wrong. The agency explicitly noted that relying on a third party “without knowing their limitations or validating their operation” is not a defense.

This message raises the bar for privacy governance. Businesses need to go beyond implementation and actively test how vendor tools function in real-world conditions. Technical configuration matters. Monitoring matters. And when a system breaks or doesn’t operate as expected, companies must detect and fix it quickly.

A Shift Toward Operational Audits

This decision also marks a shift in how the CPPA approaches enforcement. In the early days of the CCPA, much of the focus was on written policies and disclosures. Now, enforcement is more hands-on. Regulators are acting like users – submitting rights requests, testing site functionality, and keeping track of whether and how companies respond. That means businesses need to maintain end-to-end visibility and ownership of the entire consumer rights process.

Even well-intentioned features can lead to violations if they’re implemented carelessly. A marketing team’s redesign might accidentally break a consent banner, or an IT update might change how opt-outs are tracked. Without routine quality assurance and ongoing audits, these kinds of issues can quietly persist for weeks, as they did with Todd Snyder.

Looking Ahead

As part of the stipulated resolution, Todd Snyder agreed to overhaul its CCPA compliance program within 90 days. That includes properly configuring its opt-out mechanisms, implementing new internal procedures, and providing CCPA-specific training to employees. The company must also document these changes and demonstrate compliance to the CPPA, signaling that post-order monitoring is likely to follow.

More broadly, the decision confirms that the CPPA is prepared to use its enforcement powers to address not just egregious violations, but operational breakdowns, like a non-functioning website banner, that interfere with consumer rights. It also reinforces that privacy enforcement is no longer confined to data brokers or tech companies. Retailers, hospitality providers, manufacturers, and any consumer-facing business collecting Californians’ personal information should expect scrutiny.

Now is the time for businesses to move beyond policy drafting and focus on how their compliance tools actually perform. That means:

  • Reassessing vendor relationships and validating how consent management and privacy tools are configured and maintained;
  • Avoiding the collection of unnecessary or sensitive personal data when processing rights requests;
  • Conducting periodic quality checks on consumer-facing interfaces; and
  • Establishing clear internal accountability for honoring consumer privacy rights in a timely and effective manner.

The CPPA’s message is clear: businesses can no longer treat CCPA compliance as a static exercise. Functionality, oversight, and continuous improvement are the new baseline.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Seyfarth Shaw LLP
