In brief

On May 6, 2025, the California Privacy Protection Agency (CPPA) announced an enforcement action requiring clothing designer Todd Snyder, Inc. to pay a fine of USD 345,178 and adopt new practices to resolve violations of the California Consumer Privacy Act (CCPA). The CPPA alleged that the retailer violated the CCPA by: (i) imposing excessive hurdles for consumer requests to opt out of third-party tracking technologies; (ii) failing to honor these requests because of misconfigurations; and (iii) failing to monitor its consent management platform.


In depth

The CPPA’s enforcement action identified the following CCPA violations by Todd Snyder:

  1. Failure to oversee and properly configure the technical infrastructure of its privacy portal; this resulted in the retailer’s failure to process consumer requests to opt out of the sale or sharing of personal information for 40 days. For example, for 40 days in 2023, the site was misconfigured so that when consumers clicked on the “Cookie Preference Center” link, a consent banner would appear on the screen but then immediately disappear. This meant that consumers could not opt out through the banner. The site also did not recognize Global Privacy Control (GPC) signals.
  2. Imposition of requirements for consumers to verify their identity before the retailer processed opt-outs, which resulted in consumers being asked to submit information beyond what was necessary to process the request. The CPPA stated that, “[b]y requiring consumers to submit government identification to exercise Verifiable Consumer Requests. . . [the retailer] unlawfully required consumers to provide more information than necessary to exercise their CCPA rights.” Having consumers submit “sensitive personal information” increasingly discourages them from submitting CCPA requests.

In addition to requiring payment of the USD 345,178 fine, the CPPA provided that Todd Snyder must:

  1. Develop, implement, and maintain procedures to identify any disclosures of personal information that constitute sales or shares to ensure that it appropriately processes opt-out requests.
  2. Establish, implement, and maintain policies and procedures to monitor the effectiveness and functionality of its methods for submitting opt-out requests. Todd Snyder may not require additional verification from consumers for opt-out requests nor require consumers to provide more information than necessary to process opt-out requests.
  3. Recognize opt-out preference signals.
  4. Develop, implement, and maintain procedures to ensure personnel handling personal information are informed of the business’s requirements under the CCPA.
  5. Maintain a contract management and tracking process to ensure that contractual terms required by the CCPA are in place with all external recipients of personal information.

What’s next

The CPPA’s order makes clear that companies must monitor processes in place for consumers to exercise rights, including regular review to ensure third-party tools are working as intended. Ultimately, any issues with these tools are the liability of the companies that utilize them. Companies should actively monitor their cookie and consent management tools as follows:

  1. Audit websites, cookie banners, preference centers, and consent management tools periodically to ensure they are functioning properly.
  2. Inspect how vendors’ consent management and privacy tools are configured and maintained.

Companies should also carefully review what information is requested as part of verification/authentication of consumer opt-out requests and ensure it is not more than what is needed.

Author

Cynthia Cole is an Intellectual Property Partner in Baker McKenzie's Palo Alto office, as well as a former CEO and General Counsel. Before joining the Firm, Cynthia was Deputy Department Chair of the Corporate Section in the California offices of Baker Botts where she built the technology transactions and data privacy practice. An intellectual property transactions attorney, Cynthia also has expertise in digital transformation, data privacy, and cybersecurity strategy. She advises clients across a wide range of industries including Technology, Media & Telecoms, Energy, Mining & Infrastructure, Healthcare & Life Sciences, and Industrials, Manufacturing & Transportation. Cynthia has deep experience in complex cross-border, IP, data-driven and digital transactions, creating bespoke agreements in novel technology fields. She acts as outside general counsel to a number of executive teams and boards of directors.

Author

Rachel Ehlers is a partner in Baker McKenzie's Intellectual Property and Technology Practice Group, based in the Firm's Houston office. Throughout her early career, Rachel served in multiple in-house legal and compliance roles, including chief compliance officer and chief privacy officer, and has provided guidance and training to multinational companies globally. She also served as a foreign service officer with the U.S. Department of State, and is recognized by the International Association of Privacy Professionals as a Privacy Law Specialist and a Certified Information Privacy Professional.

Author

Mercedes graduated from Maryland Carey Law and, along with her J.D., was also the recipient of the International Association of Privacy Professionals Westin Scholar Award. During law school, Mercedes interned at the White House Office of Science and Technology. She was invited by the White House Office of the National Cyber Director to speak at its inaugural "Women in Cyber" global event.

Author

Marwan Othman is an Associate in Baker McKenzie's Riyadh office.