The California Privacy Protection Agency (CPPA) has announced a joint investigative sweep with the Attorneys General of California, Colorado, and Connecticut into business compliance with the Global Privacy Control (GPC).
The coordinated effort will target businesses suspected of failing to process consumer opt-out requests submitted via GPC, as required by law in the three states. The coalition is contacting businesses and requesting that they come into compliance.
Global Privacy Control (GPC) and privacy law
GPC is a browser setting or extension that automatically signals a user’s request to opt out of the sale or sharing of their personal information with third parties. It’s designed as an easy-to-use mechanism that removes the need for consumers to make individual opt-out requests on every website they visit.
Under the California Consumer Privacy Act (CCPA), businesses must treat GPC signals as valid requests to opt out of the “sale or sharing of personal information”. Privacy laws in Colorado and Connecticut have similar requirements for honoring universal opt-out signals relating to data sales and targeted advertising.
The regulators’ announcement explains how consumers can exercise their right to opt-out online in California, providing two main options:
- Enabling Global Privacy Control: A user can enable the GPC signal in their browser or via an extension. This automatically communicates their opt-out preference to every website they visit.
- Manual opt-out: Businesses that sell or share personal information must provide a clear and conspicuous link on their website, titled “Do Not Sell or Share My Personal Information,” allowing consumers to submit an opt-out request directly.
The sweep signals a new phase of multi-state collaboration on privacy enforcement and reinforces the regulators’ focus on honoring universal opt-out mechanisms.
Attorneys General comment on the sweep
California Attorney General Rob Bonta said, “Californians have the important right to opt-out and take back control of their personal data—and businesses have an obligation to honor this request.”
In Connecticut, Attorney General William Tong noted that while many businesses have been diligent, “we are putting violators on notice today that respecting consumer privacy is non-negotiable.”
The CPPA’s Executive Director Tom Kemp added, “Collaboration with our partners in other states is essential to the CPPA’s work…we will continue working across jurisdictions to protect Californians’ privacy.”
State privacy enforcement action to date
The joint sweep follows previous enforcement actions by the CPPA that have highlighted the importance of technical compliance with opt-out rights. It also builds on the three states’ 2025 Data Privacy Day educational efforts concerning the GPC.
This action is part of a broader pattern of robust enforcement from the CPPA, which has recently taken action against several other companies for CCPA violations. Recent actions noted by the agency include:
- A decision requiring clothing retailer Todd Snyder to change its business practices and pay a $345,178 fine.
- A decision requiring American Honda Motor Co. to change its business practices and pay a $632,500 fine.
- A settlement with data broker Background Alert, requiring it to shut down or pay a steep fine.
More than half a dozen enforcement actions against unregistered data brokers following an investigative sweep related to the Delete Act.
The coordinated investigation demonstrates a unified approach to enforcing consumer privacy rights. It places businesses on notice that compliance with technical requirements like honoring GPC is a significant priority and that interstate cooperation could be a key feature of the US privacy landscape.
You might also like to read:
