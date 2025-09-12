The California Privacy Protection Agency ("CPPA"), along with the Attorneys General of California, Colorado, and Connecticut, announced a coordinated investigative sweep on September 9, 2025, targeting businesses that fail to honor consumer opt-out requests submitted through Global Privacy Control ("GPC"). This marks a significant escalation in multi-state privacy enforcement and signals that state regulators are prioritizing automated opt-out mechanisms as a critical compliance area.

What is Global Privacy Control?

Global Privacy Control is a browser setting or extension that automatically signals to websites that consumers want to opt out of the sale or sharing of their personal information. Unlike manual opt-out processes that require consumers to submit individual requests to each business, GPC provides a streamlined, automated approach to exercising privacy rights across multiple websites.

Under California's Consumer Privacy Act ("CCPA"), businesses must recognize and honor GPC signals as valid opt-out requests. Similar requirements exist under Colorado's Privacy Act and Connecticut's Data Privacy Act.

The Enforcement Action

This coordinated sweep represents several concerning trends for businesses:

Multi-State Collaboration: The joint action demonstrates growing coordination between state privacy regulators, amplifying enforcement reach and potential penalties across jurisdictions.

Automated Compliance Focus: Regulators are specifically targeting failures to process automated opt-out signals, indicating this will be a priority enforcement area going forward.

Proactive Investigations: Rather than waiting for consumer complaints, regulators are actively identifying potentially non-compliant businesses and demanding immediate corrective action.

Immediate Action Items for Businesses

Given the proactive nature of this enforcement sweep, we recommend that businesses subject to state privacy laws:

Verify that your website can detect and process GPC signals

Test GPC functionality across all web properties and digital touchpoints

Ensure GPC requests are processed within the same timeframe as manual opt-out requests

Confirm your privacy policy accurately describes GPC recognition and processing

Verify that required "Do Not Sell or Share My Personal Information" links are prominently displayed on your website

Ensure privacy policy language complies with requirements in all applicable jurisdictions

Compliance Risks and Penalties

Businesses that fail to honor GPC requests face multiple enforcement risks:

California: Fines up to $7,500 per violation under the CCPA

Colorado: Penalties up to $20,000 per violation under the Colorado Privacy Act

Connecticut: Fines up to $5,000 per violation under the Connecticut Data Privacy Act

Reputational damage from public enforcement actions

Class action litigation risk from affected consumers

We Can Help

