On May 6, 2025, the California Privacy Protection Agency (CPPA) issued a $345,178 enforcement action against fashion retailer Todd Snyder, Inc. for non-compliance with the California Consumer Privacy Act (CCPA). The ruling serves as a critical reminder for organizations: privacy compliance can’t be outsourced, automated blindly, or deprioritized.
Read on to explore the key violations at the center of the enforcement action, identify the underlying gaps in the company’s privacy practices, and see how BigID’s next-gen data privacy, security, compliance, and AI data management platform equips organizations with the tools needed to detect, manage, and mitigate compliance risk — before regulators intervene.
A Compliance Wake-Up Call
While the industry often focuses on data breaches, this enforcement action was different — it centered on operational failures and a lack of oversight around CCPA-mandated data rights. The CPPA’s findings were unambiguous: relying solely on third-party tools does not absolve companies of responsibility.
The Todd Snyder case emphasizes several critical areas where companies must demonstrate diligence to remain compliant and avoid costly enforcement actions. Organizations must ensure their privacy rights workflows are fully functional, allowing consumers to easily exercise their rights without unnecessary delays. Data minimization is also essential, both for compliance and to reduce your attack surface: never collect more data than is strictly necessary.
Proper adherence to opt-out signals, such as Global Privacy Control (GPC), is a growing enforcement focus. Companies must maintain clear oversight of third-party vendor tools and consent management platforms, rather than relying on them blindly. Additionally, powerful internal governance—supported by employee training and well-managed contractual obligations—is key to operationalizing privacy policies. Each of these areas presents not only a regulatory obligation but also an opportunity to build operational excellence, particularly in highly regulated industries like retail, finance, and healthcare.
Proactive Privacy Matters
When it comes to privacy compliance, reactive fixes aren’t enough. The recent Todd Snyder enforcement action highlights how easily missteps in privacy workflows can lead to significant fines and reputational damage. From misconfigured opt-out tools to excessive identity verification demands, even small oversights can violate consumer rights under laws like the CCPA. Organizations need to build privacy programs that are not only compliant by design but resilient in practice — intelligently automated and rigorously validated.
1. Monitor and Validate Privacy Rights Workflows:
Todd Snyder failed to process opt-out requests for 40 days due to misconfigured privacy tools — and didn’t notice the failure. Consumer rights under CCPA include timely and accurate handling of opt-out, access, and deletion requests. Failure to detect system errors exposes businesses to regulatory enforcement and reputational harm.
How BigID Helps: BigID’s holistic privacy dashboard automates the end-to-end lifecycle of privacy rights requests, with real-time validation to ensure all workflows operate as intended. Within BigID, you can centrally manage and support multiple custom privacy portals and aggregate all data rights requests.
2. Limit Data Collection in Verification Processes:
Consumers were required to upload a photo of themselves holding an identity document — an excessive step for an opt-out request. The CCPA explicitly requires businesses to collect only the minimum amount of data necessary to verify and fulfill requests. Overcollection increases both compliance and security risk.
How BigID Helps: BigID supports context-aware verification workflows that confirm an individual’s identity before a request is fulfilled, using qualified identification, risk-based access, and data minimization throughout the entire privacy lifecycle.
3. Respect and Respond to Opt-Out Preference Signals:
The retailer failed to recognize and act on global opt-out signals such as the Global Privacy Control (GPC) — a requirement under CCPA regulations. Consumers don’t need to fill out a form to opt out when browsers can now send opt-out signals automatically. Ignoring them is a direct violation of California law.
How BigID Helps: Automatically capture, manage, and sync all consumer consent, cookies, and privacy preferences across channels, systems, and applications. With BigID, you can establish consent and opt-outs for ad targeting, email, direct marketing, and personal and sensitive data processing to achieve compliance.
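The two operational failures described in items 1 and 3 (a silently stalled opt-out pipeline and an ignored GPC signal) can both be checked in code. The following is an added example, not BigID’s or Todd Snyder’s code; the header name `Sec-GPC` comes from the GPC specification, the 15-day SLA and 7-day silence window are assumed internal targets, and the request queue is constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Global Privacy Control is carried as the request header "Sec-GPC: 1".
# Per the GPC spec only the exact value "1" is a signal; "0" or junk is not.
def gpc_opt_out(headers: dict) -> bool:
    """True when the request carries a valid GPC opt-out signal."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False

def effective_opt_out(headers: dict, stored_opt_out: bool) -> bool:
    """A GPC signal opts the visitor out of sale/sharing. The absence of
    a signal never re-opts them in, so a stored opt-out still wins."""
    return stored_opt_out or gpc_opt_out(headers)

def ts(s: str) -> datetime:
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample of a privacy-rights queue:
# (request_id, received, completed-or-None).
SAMPLE_QUEUE = [
    ("req-1", ts("2025-01-02T10:00"), ts("2025-01-03T09:00")),
    ("req-2", ts("2025-01-20T10:00"), None),
    ("req-3", ts("2025-02-10T10:00"), None),
]

def overdue_requests(queue, now, sla=timedelta(days=15)):
    """Ids of requests still open past the SLA (15 days is an assumed
    internal target, not a figure from the enforcement action)."""
    return [rid for rid, received, done in queue
            if done is None and now - received > sla]

def pipeline_silent(queue, now, window=timedelta(days=7)):
    """True when requests are pending but nothing has completed inside
    the window: the signature of a tool silently dropping requests, which
    is how a 40-day outage goes unnoticed."""
    pending = any(done is None and received <= now
                  for _, received, done in queue)
    recent = any(done is not None and now - done <= window
                 for _, _, done in queue)
    return pending and not recent
```

Wire `overdue_requests` and `pipeline_silent` into a scheduled job that alerts a human; the point is that the check runs independently of the vendor tool it is validating.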
Compliance Is Not Optional — It’s Operational
The Todd Snyder enforcement action is a stark reminder that privacy compliance is active, ongoing, and essential. Organizations must validate their processes, reduce risk through automation, and take direct ownership over every component of their privacy operations.
As the industry-leading platform for data privacy, security, compliance, and AI data management—BigID is purpose-built to help organizations do exactly that. BigID helps organizations discover, manage, and protect sensitive and personal data, across any environment, cloud, or ecosystem to achieve regulatory compliance.
Ready to close your compliance gaps? Book a 1:1 demo with our privacy experts today.