Fashion Retailer Faces Privacy Fine & Business Overhaul After CPPA Ruling
Key Takeaways
- Todd Snyder Fined: The California Privacy Protection Agency (CPPA) fined Todd Snyder, Inc. $345,178 for violating the California Consumer Privacy Act (CCPA).
- Privacy Portal Failures: The retailer failed to properly configure its privacy portal, preventing consumers from opting out of data sharing for 40 days.
- Excessive Data Requests: Consumers were asked for more personal information than necessary to process privacy requests.
- Identity Verification Issues: Todd Snyder required consumers to verify their identity unnecessarily before opting out of data sharing.
- Corrective Actions: Todd Snyder will pay the fine and improve its privacy practices, including better opt-out processes and CCPA compliance training for employees.
Deep Dive
It’s not every day a fashion brand gets caught up in the tangled web of data privacy violations, but here we are. Todd Snyder, the well-known clothing retailer, has been slapped with a $345,178 fine by the California Privacy Protection Agency (CPPA) after failing to meet the standards set by the California Consumer Privacy Act (CCPA).
The company was accused of multiple privacy missteps, including technical failures, asking consumers for too much personal information, and making it unnecessarily difficult for people to opt out of the sale or sharing of their personal data.
Let’s break it down:
- Privacy Portal Failures: Todd Snyder's privacy portal wasn't working properly for 40 days, preventing consumers from exercising their right to opt out of the sale or sharing of their data.
- Too Much Information: Consumers were asked to provide more data than needed to complete their privacy requests, which is a big no-no under the CCPA.
- Identity Verification Overkill: The retailer also required consumers to verify their identity just to opt out of data sharing, when it wasn’t necessary.
In response to the ruling, Todd Snyder has agreed to pay the fine and change how they manage privacy requests. They’ll be tightening up their opt-out processes and giving staff proper training on CCPA compliance. If this all sounds familiar, it's because the CPPA has already made it clear that businesses can’t ask for excessive information from consumers who just want to protect their privacy.
Michael Macko, head of the CPPA’s Enforcement Division, was clear: “Using a consent management platform doesn’t get you off the hook for compliance. It's up to the businesses to make sure everything works as it should.”
Californians' privacy rights are no joke. The ability to opt out of data sharing is critical, especially as businesses collect all sorts of personal information, from health and financial data to details about political views and religious beliefs. It's about giving people back control over their personal information and protecting them from potential harm.
Tom Kemp, Executive Director of the CPPA, explained it well: “Opt-out rights give Californians the power to take control over their personal data and keep it from being misused. Our Enforcement Division is taking a close look at what businesses are doing to respect these rights.”
The CPPA isn’t just making waves in California. They’re working with privacy regulators across the globe, collaborating with authorities in the UK, France, and Korea to protect Californians’ data worldwide. And they’ve also launched the Consortium of Privacy Regulators, a new initiative to help enforce privacy laws across the U.S.