ARTICLE
22 September 2025

California, Colorado, And Connecticut Launch Joint Privacy Sweep Over Opt-Out Rights

SM
Sheppard Mullin Richter & Hampton

Contributor

Sheppard Mullin Richter & Hampton logo
Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.
Explore Firm Details
On September 9, the California Privacy Protection Agency (CPPA) and the Attorneys General of California, Colorado, and Connecticut announced a joint enforcement sweep targeting businesses...
United States California Privacy
A.J. Dhaliwal,Mehul Madia, and Maxwell Earp-Thomas
Your Author LinkedIn Connections

On September 9, the California Privacy Protection Agency (CPPA) and the Attorneys General of California, Colorado, and Connecticut announced a joint enforcement sweep targeting businesses that may be failing to honor consumer opt-out requests under state privacy laws. The joint effort centers on the Global Privacy Control (GPC), a browser setting that automatically signals to companies that a consumer does not want their personal information sold or shared.

The sweep underscores increasing state-level enforcement of consumer privacy protections, particularly where businesses fail to recognize or process opt-out signals. Regulators emphasized that refusal to honor GPC requests could amount to violations of state privacy statutes, including laws modeled after the California Consumer Privacy Act. The announcement also follows earlier CPPA enforcement actions and highlights unfair, deceptive, or abusive practices (UDAP) concerns tied to ignoring consumer choices in online tracking and data sharing.

Specifically, the coalition's announcement emphasized that businesses:

  • Must recognize GPC signals as opt-out requests. Companies are required to process GPC submissions as valid consumer opt-outs rather than forcing consumers to make site-by-site requests.
  • Cannot impose obstacles to opting out. State privacy laws require a clear "Do Not Sell or Share My Personal Information" link or equivalent mechanism, without conditioning compliance on account creation or other barriers.

Regulators are contacting suspected noncompliant businesses and directing them to come into compliance immediately, signaling that additional actions may follow.

Putting It Into Practice: The multistate sweep signals that honoring opt-out rights is an active enforcement priority for state privacy regulators, building on the CPPA's recent rulemaking on ADMT, cybersecurity audits, and risk assessments (previously discussed here). Businesses should not only confirm their systems detect and process Global Privacy Control signals, but also review opt-out mechanisms for clarity and accessibility.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of A.J. Dhaliwal
A.J. Dhaliwal
Photo of Mehul Madia
Mehul Madia
Photo of Maxwell Earp-Thomas
Maxwell Earp-Thomas
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More