On September 9, 2025, the California Privacy Protection Agency (“CPPA”) announced a multi-state investigation into businesses that fail to honor consumer opt-out requests. As our readers are aware, the CPPA protects the privacy rights of Californians by implementing and enforcing the California Consumer Privacy Act (“CCPA”). The large-scale privacy investigation will be conducted with assistance of the Attorneys General of California, Colorado, and Connecticut.
What is the Focus of the Opt-Out Investigation?
Among other privacy protections, the CCPA requires that online businesses offer consumers two methods to opt out of the sale/sharing of their data:
- Global Privacy Control (“GPC”) – The GPC allows users to automatically signal to websites that they would like to opt-out of the “sale” and “sharing” of their personal information. This “stop selling or sharing switch” is available on some internet browsers, like Mozilla Firefox, or downloadable as a browser extension.
- Opt out one business at a time – Businesses that sell or share personal information must provide a clear and conspicuous “Do Not Sell or Share My Personal Information” link on their website. This link must allow consumers to submit opt-out requests and cannot require consumers to create an account before submitting requests.
The focus of the investigative sweep concerns option 1: GPC. The coalition of states will be contacting businesses that they believe may not be processing consumer opt-out requests submitted via GPC and directing them to comply.
Businesses Must Honor Opt-Out Requests
Violating the CCPA can result in significant penalties. The statute permits state authorities to seek fines of up to $7,500 per intentional violation and $2,500 per unintentional violation. Note that the total fine is uncapped. Businesses must honor consumer opt out requests, whether they are submitted globally or individually, lest they risk incurring significant monetary penalties.
Now is the time to ensure that your business is complying with consumer opt out requests. As California Attorney General Rob Bonta stated, “California and our sister states are committed to continued collaboration to actively enforce consumers’ important privacy rights and are paying close attention to business compliance with the Global Privacy Control.”
Hire experienced counsel to review your consumer data privacy compliance practices and procedures to reduce risk. The attorneys at Klein Moynihan Turco have significant experience in defending businesses against regulatory actions involving state privacy laws and assisting them with compliance so that future claims may be prevented.
If you require assistance with California privacy law compliance or related regulatory defense, please email us at info@kleinmoynihan.com or call us at (212) 246-0900.
The material contained herein is provided for information purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.
Attorney advertising
Photo by Hannah Wei on Unsplash
Similar Blog Posts:
KMT’s David Klein Quoted in Adweek: Google, Pinterest Look to Limit California’s Privacy Laws
California Rules that Websites are Not Places of Public Accommodation under ADA
