On September 9, 2025, California Attorney General Rob Bonta, in coordination with the California Privacy Protection Agency and the Attorneys General of Colorado and Connecticut, announced a joint investigative sweep focused on businesses that fail to honor consumers’ opt-out requests submitted via Global Privacy Control (GPC) signals.
Why This Matters:
This announcement reinforces regulators’ continued focus on Global Privacy Control (GPC) compliance, building on California’s previous enforcement action—the $1.2 million settlement with Sephora for violations related to GPC signals. This coordinated action underscores the growing trend of multi-state privacy enforcement and heightened scrutiny of compliance with automated opt-out mechanisms under state privacy laws, including the California Consumer Privacy Act (CCPA), the Colorado Privacy Act (CPA), and the Connecticut Data Privacy Act (CTDPA).
Key Compliance Requirements:
- Recognize and honor GPC signals as valid opt-out requests. Have a clear understanding of what online tracking technology is deployed on the websites and what technologies are restricted via opt-out choices.
- Provide clear guidance regarding opt-outs and GPC signal rights.
- Where necessary, provide a clear and conspicuous “Do Not Sell or Share My Personal Information” link.
- Avoid requiring consumers to create an account to exercise opt-out rights.
- Establish a routine audit process or a website governance committee to ensure that websites comply with relevant regulatory frameworks, including via vendor diligence.
