The California Privacy Protection Agency recently imposed a $345,178 fine on national clothing retailer Todd Snyder for violations of the California Consumer Privacy Act (CCPA). Richart Ruddie of Captain Compliance takes a closer look at the retailer’s agreement with the California agency and what it means for teams across other sectors.
California’s consumer privacy enforcer has been busy in recent months, reaching a settlement with Honda over violations of the California Consumer Privacy Act (CCPA) and announcing enforcement actions against multiple data brokers. In early May, the California Privacy Protection Agency (CPPA) announced it had reached a settlement with menswear brand Todd Snyder, the first against a retailer. The company agreed to pay a fine of more than $345,000 to resolve the allegations.
A deep dive into the agency's agreement with Todd Snyder reveals several important lessons for compliance teams across sectors.
Ensure functionality of privacy portals
According to the agency, Todd Snyder experienced a 40-day lapse in processing consumer opt-out requests due to a misconfigured privacy portal provided by a third-party vendor, Clarip.
Lessons learned:
- Regularly test and verify that your privacy portals and opt-out mechanisms function correctly and remain user-friendly.
- Conduct active oversight of third-party vendors through ongoing evaluations rather than solely relying on vendor assurances.
- Assign clear ownership and contingency plans for privacy requests to mitigate disruptions from staffing changes.
Avoid over-collection of personal information
The company also required consumers to submit more information than necessary, the agency said, including photographs of themselves holding identification documents, contravening the CCPA’s data minimization principle.
Lessons learned:
- Conduct thorough reviews of your data collection practices during privacy requests, ensuring you collect only essential information.
- Eliminate unnecessary or excessive verification steps to simplify the privacy request process for consumers, reinforcing a positive user experience.
Differentiate verification requirements based on request type
Todd Snyder required identity verification for opt-out requests, the agency said, despite the CCPA explicitly stating this is unnecessary.
Lessons learned:
- Develop clear internal guidelines distinguishing types of requests that necessitate verification (e.g., access or deletion) from those that do not (e.g., opt-out requests).
- Simplify and streamline your verification process, ensuring it aligns strictly with regulatory requirements and consumer expectations.
Implement comprehensive employee training
As part of the settlement, Todd Snyder agreed to provide CCPA compliance training for its employees. Regular and thorough training programs are vital to ensure that staff understand their roles in upholding consumer privacy rights and are equipped to handle privacy-related requests appropriately.
Lessons learned:
- Regularly deliver detailed training programs covering CCPA requirements and proper handling of consumer privacy requests.
- Ensure training is proactive, rather than reactive to enforcement actions, fostering a culture of privacy awareness and compliance across your organization.