19 September 2025

California, Colorado, And Connecticut Launch Multi-State Investigative Sweep Focusing On Global Privacy Control

Perkins Coie LLP



In a major move signaling the growing power of multi-state cooperation on privacy enforcement, the California Privacy Protection Agency (CPPA), alongside the Attorneys General of California, Colorado, and Connecticut (collectively, the "Coalition"), announced an investigative sweep targeting businesses that fail to honor consumers' requests to stop the sale or sharing of personal information.

The sweep focuses on compliance with the Global Privacy Control (GPC), a browser-based signal that lets consumers automatically opt out of data sales and sharing without having to submit individual requests to every website they visit. The coordinated effort signals a watershed moment in privacy enforcement, underscoring that state regulators are increasingly working together to enforce privacy rights nationwide.

Joint Sweep Focuses on Opt-Out Compliance

This sweep comes on the heels of state-led releases providing background on what the GPC is, and it reinforces a coordinated 2025 Data Privacy Day educational effort on the GPC between California, Colorado, and Connecticut. By enabling the GPC setting or downloading the browser extension, consumers can send a clear signal to websites that they do not want their personal data sold or shared. Businesses receiving this signal are legally required to honor it under the California Consumer Privacy Act, the Colorado Privacy Act, and the Connecticut Data Privacy Act. The sweep specifically targets potential noncompliance with GPC and requests that targeted businesses comply. California Attorney General Rob Bonta emphasized, "Californians have the important right to opt-out and take back control of their personal data — and businesses have an obligation to honor this request." Connecticut Attorney General William Tong echoed this sentiment, noting that respecting consumer privacy is "non-negotiable."

The sweep highlights two key compliance mechanisms businesses must support for opt-out rights. First, businesses must recognize and honor the GPC signal as an opt-out request across participating websites. Second, businesses must maintain a clear and conspicuous link on their website that allows individuals to submit an opt-out request (e.g., in California, a "Do Not Sell or Share My Personal Information" link).

While California, Colorado, and Connecticut are currently leading this effort, other states—including Texas, Oregon, Maryland, and Minnesota—have privacy laws that require (or will soon require) similar opt-out mechanisms. Businesses that delay implementing these opt-out mechanisms may find themselves an enforcement target as these obligations expand across jurisdictions.

A Developing Trend of Increased Coordination

In releasing statements on this investigative sweep, the Coalition stressed how online behavior generates massive amounts of data every second, from website visits and clicks to purchases and time spent on pages. The statements estimate that the average person produces roughly 1.7 megabytes of data per second, or more than six gigabytes per hour. Because of this incredible volume of data, the Coalition implied that these joint efforts are necessary to protect consumers' information. The CPPA's Executive Director, Tom Kemp, emphasized the importance of collaboration by stating, "We are proud to join this effort to ensure that consumers' opt-out rights are honored, and we will continue working across jurisdictions to protect Californians' privacy."

This initiative builds on prior enforcement actions by the CPPA and state attorneys general, as well as prior cooperative efforts across states, especially by the CPPA. For example, in April 2025, the CPPA announced that it formed a bipartisan Consortium of Privacy Regulators, comprised of the members of the Coalition as well as the privacy regulators of Delaware, Indiana, New Jersey, and Oregon, in order to promote the sharing of enforcement priorities and coordinated investigations. The trend of joint cooperation extends internationally as well. Earlier this year, the CPPA announced a declaration of cooperation with the Personal Information Protection Commission of the Republic of Korea. This international agreement followed the declaration of cooperation that the CPPA signed with the Commission Nationale de l'Informatique et des Libertés of France in June 2024, and CPPA's previous inclusion in the Asia Pacific Privacy Authorities and the Global Privacy Enforcement Network. Overall, these recent developments mark a clear trend toward increased cooperation both nationally and internationally.

Implications and Next Steps

This sweep seeks not only to enforce existing privacy laws but to remind consumers that tools like GPC exist and can make a meaningful difference in controlling personal data. For businesses, it is a wake-up call that multi-state enforcement is here, and that noncompliance could have broader effects than might be evident at first glance. Specifically, regulatory inquiries carry substantial risk and cost, as agencies often request extensive detail about a business' privacy practices, technical systems, and audit records. Investigations can also expand if initial findings point to other areas of noncompliance. Further, regulators in California, Colorado, and Connecticut may share identified compliance gaps with their counterparts in the Consortium of Privacy Regulators and other jurisdictions. For these reasons, businesses should thoroughly evaluate their data management practices and proactively address vulnerabilities.

For next steps on this enforcement sweep, the CPPA is scheduled to hold a public meeting on Friday, September 26, where Michael Macko, the CPPA's Deputy Director of Enforcement, will present the CPPA's annual enforcement update. The discussion will cover the recent investigative sweep and highlight other enforcement actions from the past year, along with a discussion regarding future regulations. Readers can expect a breakdown and analysis of the meeting's most important updates, which we will cover here once released.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
