Skip to main content
Featured Topics
Featured Insights
View All Services
View All Industries
About Us Overview
    • Home
    • Insights
    • California Privacy Protection Agency Intensifies Enforcement: Recent Enforcement Actions and Trends
      May 27, 2025

      California Privacy Protection Agency Intensifies Enforcement: Recent Enforcement Actions and Trends

      Authors:
      Generate PDF
      Share

      The California Privacy Protection Agency (CPPA) has intensified its enforcement activities in 2025, bringing enforcement actions under both the California Consumer Privacy Act (CCPA) and the California Delete Act in the last few months. The recent enforcement actions against Todd Snyder, Inc. and Jerico Pictures, Inc.—and other actions by the agency—reflect a strong commitment to holding businesses accountable for violations of these laws, and highlight the CPPA’s priorities in protecting consumer rights and ensuring data broker accountability.

      Enforcement Trends and Priorities

      The CPPA’s recent enforcement actions highlight several emerging regulatory priorities:

      • Focus on Honoring Opt-Out Requests: The CPPA has penalized businesses for failing to properly process and honor consumer opt-out of sale/sharing requests, including those submitted via cookie banners and opt-out preference signals such as Global Privacy Control (GPC).
      • Crackdown on Dark Patterns: In September 2024, the CPPA issued an enforcement advisory targeting “dark patterns,” user-interface designs that impair or subvert consumer autonomy.
      • Emphasis on Data Minimization: An April 2024 enforcement advisory emphasized data minimization as a foundational principle of the CCPA. The agency noted that some businesses collect excessive personal information when processing consumer requests, which may lead to enforcement actions.  
      • Scrutiny of Data Broker Compliance Under the Delete Act: After launching investigative sweeps to ensure data brokers comply with registration requirements under the Delete Act, the agency penalized a company for failing to register and pay an annual fee as required by the Delete Act. Noncompliance can result in administrative fines, including penalties of $200 per day.

      Case Analyses

      Todd Snyder, Inc.

      In May 2025, the CPPA ordered a national clothing retailer, Todd Snyder, Inc., to change its business practices and imposed a $345,178 fine for multiple CCPA violations, including:

      • Failing to properly configure its privacy portal and cookie banner, resulting in a 40-day delay in processing consumer opt-out requests. 
      • Requiring consumers to submit more personal information than necessary to process their privacy requests.
      • Requiring consumers to verify their identity before they could opt-out of the sale/sharing of their personal information.

      The CPPA found that Todd Snyder lacked adequate oversight of the third-party cookie tools on its website. For 40 days in late 2023, the site’s opt-out mechanisms were not properly configured to process consumer requests to opt-out of the sale or sharing of their personal information. Specifically, when consumers clicked a link to manage their preferences, a cookie consent banner appeared but then disappeared instantaneously or failed to work properly, resulting in consumers being unable to exercise their right to opt out. The site also ignored opt-out preference signals, such as GPC.

      The CPPA also highlighted failures with Todd Snyder’s data privacy request procedures. Todd Snyder directed consumers to submit a “Data Request Form” for all data privacy requests, requiring consumers to provide their name, country of residence, and a photograph of the consumer holding their “identity document.” This information was requested regardless of the request type, including for requests to opt out of sale/sharing. This violated the CCPA in two ways: (i) applying a verification standard to opt-out of sale/sharing requests (which do not require verification under the statute) and (ii) requiring more personal information than necessary—including sensitive information, like a driver’s license, state identification card, or passport number—to verify a consumer’s identity.

      Under the order, Todd Snyder must implement and maintain specific methods for submitting requests to opt out of sale/sharing—including refraining from requiring consumers making a request to opt out of sale/sharing to provide more information than necessary to process the request, ensuring that the company’s methods for submitting requests to opt-out of sale/sharing comply with the CCPA—and ensuring that it honors opt-out preference signals for known consumers.

      Jerico Pictures, Inc.

      In February 2025, the CPPA brought an enforcement action against Jerico Pictures, Inc., d/b/a National Public Data, a Florida-based data broker. The CPPA alleged that the company failed to register and pay an annual fee as required under the Delete Act. Instead, the company registered 230 days late, and only after being contacted by the CPPA’s Enforcement Division. The CPPA sought a $46,000 fine against the company for its violations. This enforcement action comes after the CPPA previously filed a claim against the company in October 2024 in the U.S. Bankruptcy Court for the Southern District of Florida alleging that the company owed the agency an administrative fine related to its failure to register as a data broker in California.
      Since October 2024, the CPPA has also taken action against five additional data brokers, resulting in settlements.

      Key Takeaways

      • Proactive Compliance is Crucial: Staying ahead of regulatory requirements is essential to avoid costly fines and reputational damage.
      • User Interface Design Should Support Consumer Choice: The use of dark patterns—designs that mislead or manipulate users—can trigger enforcement actions. User interfaces should clearly and easily enable consumers to exercise their privacy rights.
      • Don’t Outsource Compliance: Businesses should regularly monitor and validate their third-party privacy management tools to ensure they are working as expected. A business cannot simply defer to their third-party tools without understanding their limitations or validating their operation.
      • Data Minimization is a Core Expectation: Businesses should collect only the minimum personal information necessary to fulfill a specific purpose, particularly when processing consumer data privacy requests.
      • Timely Data Broker Registration is Mandatory: Data brokers must comply with registration deadlines under the Delete Act to avoid daily penalties and enforcement scrutiny.

      The CPPA’s recent enforcement actions underscore its ongoing commitment enforcing California’s data privacy laws. Businesses should regularly evaluate and update their compliance strategies, focusing on user-centric design, data minimization, and transparent data practices to align with evolving regulatory expectations.

      Authors

      Related Content

      Related Services & Industries

      Stay Up To Date With Our Insights

      See how we use a multidisciplinary, integrated approach to meet our clients' needs.
      Subscribe

      Follow us

      © 2025 Mayer Brown

       

       

      Mayer Brown is a global legal services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown Hong Kong LLP (a Hong Kong limited liability partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) (collectively, the “Mayer Brown Practices”). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC (“PKWN”) is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Mayer Brown Hong Kong LLP operates in temporary association with Johnson Stokes & Master (“JSM”). More information about the individual Mayer Brown Practices, PKWN and the association between Mayer Brown Hong Kong LLP and JSM (including how information may be shared) can be found in the Legal Notices section of our website.

      “Mayer Brown” and the Mayer Brown logo are trademarks of Mayer Brown.

      Attorney Advertising. Prior results do not guarantee a similar outcome.