On September 9, 2025, the California Privacy Protection Agency (CPPA) announced a joint investigation sweep targeting businesses that may be failing to honor consumers’ opt-out requests submitted via Global Privacy Control (GPC) signals, in coordination with the Attorneys General of California, Colorado, and Connecticut. The CPPA’s announcement underscores a growing trend of multi-jurisdictional collaboration among regulators to enforce consumer data privacy laws.
GPC is a website browser-level specification that allows website visitors to automatically transmit their choice to opt out of the “sale” and “sharing” of personal information and “targeted advertising.” Many state-level comprehensive laws, including those in California, Colorado, and Connecticut, require businesses to detect and process GPC signals as valid opt-out requests. The three-state coalition is contacting businesses suspected of violating this requirement and requesting that those businesses cure noncompliance.
This development reinforces the trend of privacy regulators’ active enforcement, as well as robust cross-state collaboration. For instance, California, Colorado, and Connecticut engaged in joint educational efforts on GPC in January 2025. These three states are also part of the bipartisan Consortium of Privacy Regulators, together with privacy regulators of Delaware, Indiana, New Jersey, and Oregon, which promotes the sharing of enforcement priorities and coordinated investigations.
Inquiries from privacy regulators can trigger significant risks and associated costs as they may seek detailed information about businesses’ privacy practices, including technical configurations and audit trails. Regulators’ focus may also shift if the investigations reveal suspected noncompliance in other areas. Additionally, California, Colorado, and Connecticut regulators may share compliance gaps identified with regulators in other jurisdictions. Therefore, it is critical for businesses that have been subject to this sweep to analyze their data management practices to assess risks and establish strategies.
[View source.]
