Todd Snyder’s $345K mistake and what it means for CCPA compliance

The California Privacy Protection Agency (CPPA) has been ramping up enforcement of the California Consumer Privacy Act (CCPA), with a recent $345,178 fine marking a major milestone in privacy compliance.

In May 2025, menswear retailer Todd Snyder became the first company in the retail sector to be fined by the CPPA for CCPA violations. The enforcement action, which followed a settlement agreement with the agency, has set a new benchmark for privacy expectations, not just for US companies but for any business with customers in California.

This fine follows a string of actions from California’s consumer privacy regulator, including enforcement against Honda and several data brokers. But the Todd Snyder case offers particularly valuable lessons for companies across sectors that rely on third-party vendors or handle privacy requests at scale.

What went wrong?

According to the CPPA settlement report, Todd Snyder failed in several key areas of CCPA compliance:

  • A 40-day lapse in processing opt-out requests due to a misconfigured third-party privacy portal from vendor Clarip.

  • Over-collection of personal data, including photographs of users holding ID documents, contrary to the CCPA’s data minimisation requirements.

  • Unnecessary identity verification for opt-out requests, which the CCPA explicitly does not require.

  • Lack of employee training, prompting a commitment from Todd Snyder to roll out a formal compliance training programme.

Each of these failings offers critical takeaways for organisations working to maintain CCPA compliance.

What are the lessons here for privacy and compliance teams?

1. Test and monitor your privacy portals

Todd Snyder’s main failing stemmed from poor vendor oversight. A technical error in their privacy portal meant that opt-out requests went unprocessed for over a month.

What you should do:

  • Regularly audit your privacy tools to ensure they’re functioning as intended.

  • Don’t rely solely on vendor assurances; maintain internal ownership and accountability.

  • Establish contingency plans to cover staff absences or vendor issues.

2. Respect the data minimisation principle

Asking users to upload ID photographs for basic privacy requests is an overreach. The CCPA requires businesses to limit personal data collection to what is “reasonably necessary.”

What you should do:

  • Tailor verification processes to the type of request: not all require ID.

  • Eliminate any collection steps that don’t serve a clear, proportional purpose.

  • Remember: unnecessary friction increases regulatory risk and damages trust.

3. Know which requests require verification

The CCPA distinguishes between types of consumer requests. Only certain requests, like access or deletion, require identity verification. Opt-out requests do not.

What you should do:

  • Ensure your privacy team clearly understands which request types need verification.

  • Review your current verification process to check for any unnecessary barriers.

  • Make sure your policies and user interfaces reflect these distinctions.
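One way to automate the portal audit from lesson 1 and the verification check from lesson 3, as an added example that is not code from the article, the CPPA or any vendor: it walks a constructed export of a privacy-request queue and flags opt-outs left open too long, opt-outs that were made to prove identity, verification-class requests handled without it, and a portal that has stopped completing opt-outs at all (the Todd Snyder failure mode). The day thresholds are assumptions, not CCPA figures.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Request types the article says the CCPA requires identity verification for;
# opt-out requests are deliberately absent from this set.
VERIFICATION_REQUIRED = {"access", "delete"}

@dataclass
class PrivacyRequest:
    request_id: str
    kind: str                     # "opt_out", "access" or "delete"
    received: datetime
    completed: Optional[datetime] # None while still unprocessed
    asked_for_id: bool            # did the portal demand identity proof?

def audit_requests(requests, now, max_open_days=15, max_idle_days=15):
    """Return (request_id, finding) pairs for an exported request queue.
    max_open_days / max_idle_days are assumed thresholds; set them from your SLA."""
    findings = []
    last_opt_out_done = None
    for r in requests:
        age = ((r.completed or now) - r.received).days
        if r.kind == "opt_out" and r.completed is None and age > max_open_days:
            findings.append((r.request_id, f"opt-out open for {age} days"))
        if r.kind not in VERIFICATION_REQUIRED and r.asked_for_id:
            findings.append((r.request_id, "identity proof demanded for opt-out"))
        if r.kind in VERIFICATION_REQUIRED and not r.asked_for_id:
            findings.append((r.request_id, f"{r.kind} processed without identity verification"))
        if r.kind == "opt_out" and r.completed and (last_opt_out_done is None or r.completed > last_opt_out_done):
            last_opt_out_done = r.completed
    # Portal-level check: opt-outs are still arriving but none has completed recently,
    # which is what a silently misconfigured vendor portal looks like from the outside.
    pending = [r for r in requests if r.kind == "opt_out" and r.completed is None]
    if pending and last_opt_out_done and (now - last_opt_out_done).days > max_idle_days:
        findings.append(("portal", f"no opt-out completed in {(now - last_opt_out_done).days} days"))
    return findings

# Constructed sample export for the demo; not real requests.
NOW = datetime(2025, 5, 1)
SAMPLE = [
    PrivacyRequest("r1", "opt_out", datetime(2025, 3, 15), None, False),
    PrivacyRequest("r2", "opt_out", datetime(2025, 4, 28), None, False),
    PrivacyRequest("r3", "access", datetime(2025, 4, 20), datetime(2025, 4, 25), True),
    PrivacyRequest("r4", "opt_out", datetime(2025, 4, 10), datetime(2025, 4, 12), True),
    PrivacyRequest("r5", "delete", datetime(2025, 4, 22), None, False),
]

if __name__ == "__main__":
    for rid, finding in audit_requests(SAMPLE, NOW):
        print(rid, finding)
```

Run it against a periodic export from your portal rather than trusting the vendor dashboard; the portal-level finding is the one that would have caught a multi-week outage early.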

4. Train your team proactively

As part of the settlement, Todd Snyder committed to CCPA compliance training for staff. It’s a reminder that even with good policies in place, compliance falls apart without informed people.

What you should do:

  • Roll out regular training on CCPA and consumer privacy rights for relevant employees.

  • Ensure staff know how to handle requests correctly and understand the risks of non-compliance.

  • Make privacy awareness a company-wide responsibility, not just a legal or IT issue.

The first CCPA enforcement in retail — but not the last

This is the first CPPA fine levied against a retailer, and one of the most significant CCPA enforcement actions to date. It signals that California's privacy enforcement regime is now fully operational, and no sector is off-limits.

For UK companies with California-based users or operations, the message is clear: CCPA compliance is not optional. The CPPA has teeth, and the fines are real.

How VinciWorks can help

Our California Privacy Rights Act course covers everything your team needs to know about handling consumer data under California law.