By Mark Sanborn
Senior Product and Regulatory Counsel
On April 16, 2025, the California Privacy Protection Agency (CPPA) issued its second enforcement action of 2025 under the California Consumer Privacy Act (CCPA), announcing a $345,178 penalty against national clothing retailer Todd Snyder, Inc. The fine stemmed from the retailer’s failure to properly handle consumer opt-out requests and related violations of California’s privacy laws. This enforcement action is another example of how essential it is for retailers to implement and maintain compliant privacy practices—not only in California but across the country.
In Todd Snyder’s case, the company allegedly used non-compliant verification processes and misconfigured its privacy tools. The message is clear: businesses must ensure their privacy management systems meet all technical, legal, and operational requirements under state and federal law. Notably, the agency stressed that the retailer itself was responsible for the violations, despite the fact that it had engaged a vendor to help it comply with the complicated requirements of the CCPA. “Businesses should scrutinize their privacy management solutions to ensure they comply with the law and work as intended, because the buck stops with the businesses that use them,” said Michael Macko, head of the Agency’s Enforcement Division.
Background and Allegations
The CPPA is the enforcement agency that was recently established in California solely to enforce the CCPA and other privacy laws. According to the agency, the retailer failed to properly oversee or configure its online privacy portal. As a result, consumer opt-out requests to stop the sale or sharing of personal information were not processed for a 40-day period beginning in late 2023. This alleged breakdown in the company’s privacy infrastructure left consumers without a functional way to exercise their legal rights.
The CPPA also alleged that Todd Snyder imposed unnecessary barriers on consumers by requiring them to verify their identities and provide more information than legally necessary in order to submit opt-out requests. Under the CCPA, the process for opting out must be straightforward and accessible. Adding hurdles—especially ones not required by law—was deemed a violation.
In addition to the financial penalty, Todd Snyder agreed to a series of corrective actions. These include reconfiguring its opt-out systems to ensure they function properly, providing employee training on CCPA requirements, and implementing internal policy changes to support consumer privacy rights. The company must also demonstrate that its privacy infrastructure is functioning correctly going forward. This resolution makes clear that privacy compliance is not a one-time checklist, but an ongoing obligation that involves people, processes, and technology, all of which can be verified.
It’s Not Just in California
This enforcement action is a strong reminder that regulators are taking privacy laws seriously, especially, but not solely, in California. In fact, the CPPA recently announced the “Consortium of Privacy Regulators” with regulators from seven states: California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon. This likely signals an effort to expand state and federal privacy regulatory enforcement in these states and beyond.
The 9th Circuit Expands California State Law Jurisdiction Nationwide
On April 21, 2025, the United States Court of Appeals for the Ninth Circuit, sitting en banc, issued a watershed decision that expands personal jurisdiction with respect to online platforms (like websites). In Briskin v. Shopify, the 9th Circuit broke with decades of precedent to allow claims under a California state law to be applied to a retailer with a website that was accessible nationally, but not specifically aimed at California.
In Briskin, plaintiffs alleged that Shopify violated the California wiretapping law known as CIPA. (See our Cookie Consent Guide and recent article about CIPA.) Shopify is not a California company and did not aim its services directly at California, but the court found that because its website was accessible in California to California residents, it was fair and reasonable to subject Shopify to jurisdiction in California with respect to California laws.
Briskin represents a massive shift for all companies with e-commerce sites. Plaintiffs are expected to aggressively push for broader assertions of jurisdiction, especially in privacy and data-collection cases involving online services.
This increased enforcement atmosphere, coupled with a dramatic expansion of jurisdiction to a national level, means that all dealers need to ensure they are complying with their own state laws and consider the potential implications of other states’ laws as well.
What This Means for Dealers
1. Make Sure Your Privacy Tools Actually Work
Retailers must have clear and reliable procedures in place for handling privacy requests, and these systems must be tested regularly to ensure compliance. Importantly, using just any consent management or privacy platform does not automatically guarantee legal compliance. Some widely used platforms, especially those developed outside the auto retail sector, may not fully meet CCPA standards. Some platforms also do not operate as they say they do, such as loading cookies they claim to block or having non-functioning consumer request portals. Businesses must perform due diligence to confirm that the tools they use actually work as advertised. As the CPPA put it, “Using a consent management platform doesn’t get you off the hook for compliance.” Just because a tool is popular doesn’t mean it’s compliant.
2. Don’t Over-Verify
Another lesson from this case is the need to minimize the amount of information collected from consumers during the privacy request process. The CPPA found that Todd Snyder asked for more personal data than was necessary to process opt-out requests, which only compounded its violations. Retailers should carefully review their request flows and verification requirements to ensure they are collecting only the data that is truly needed.
Additionally, businesses must avoid imposing identity verification requirements for CCPA opt-out requests unless absolutely necessary. While some level of verification may be appropriate for sensitive actions like data access or deletion, the CCPA generally does not allow it for opt-outs. Creating unnecessary barriers can expose companies to regulatory scrutiny and penalties.
3. Take Ownership of All Websites—Even Third-Party Controlled Ones
Retailers should also take care to audit all websites associated with their business, including those operated by third parties. Even if a vendor manages a subdomain or embeds tools in your site via iframe, your company remains legally responsible for compliance. It’s critical to maintain full visibility and oversight. Aside from the compliance implications, understanding how data is collected and used on your website is simply good business. Your customers’ data is valuable and sensitive—you should be the one in control of it, not a third party.
4. Respect Consumer Privacy Rights Across All States
This isn’t just about California. With 19 states enacting or preparing to enact comprehensive privacy laws, and especially in light of the Shopify case, the stakes are rising nationally.
5. It’s Not Just Regulatory Risk
Misconfigured or misleading privacy tools don’t just expose dealers to regulatory penalties—they can also give rise to consumer lawsuits under state unfair or deceptive acts or practices (UDAP) laws. When a business offers opt-out mechanisms that appear functional but fail to process requests as intended, it can mislead consumers and potentially constitute deceptive conduct. This creates legal exposure on two fronts: enforcement by privacy regulators like the CPPA or state attorneys general on the one hand, and civil litigation by consumers or class action firms on the other.
In today’s environment, where both regulators and private plaintiffs are actively monitoring corporate privacy practices, retailers must treat functionality and transparency as equally critical components of compliance.
Why Dealers Need Expert Help
Managing privacy compliance is no small task. It requires a nuanced understanding of both legal obligations and the technical systems that support them. With 19 states now having enacted or about to enact comprehensive privacy laws, and with enforcement heating up nationwide, it’s clear that dealers need experienced guidance.
A qualified compliance partner should offer automated privacy management tools, regular testing of privacy portals, employee training, ongoing regulatory monitoring, tailored implementation strategies, and industry knowledge. Ideally, your partner has years of experience working with the CCPA and similar laws, and can provide a proactive, scalable approach that fits your business needs.
We’re Here to Help
There’s no reason to leave your business exposed to unnecessary risk. At ComplyAuto, we specialize in helping dealers navigate today’s complex privacy landscape with confidence. From automated opt-out solutions to training and best-in-class cookie consent banners, we offer the tools and expertise needed to stay ahead of compliance challenges.
Now is the time to act—before the regulators come knocking. Reach out to ComplyAuto today.