California, Colorado, Connecticut targetting businesses that don't honor opt-out requests
of ConsumerAffairs- California Attorney General Rob Bonta leads investigation with Colorado and Connecticut targeting businesses that fail to honor Global Privacy Control (GPC) opt-out requests
- The enforcement sweep follows California's $1.2 million settlement with Sephora and reinforces consumers' rights to stop companies from selling their personal data
- Coalition sends compliance letters to violating businesses as part of broader effort to protect privacy rights across state lines
California Attorney General Rob Bonta has announced a coordinated investigative sweep targeting businesses that appear to be violating consumer privacy laws by failing to process opt-out requests submitted through Global Privacy Control technology.
The multi-state enforcement action, conducted alongside the California Privacy Protection Agency and attorneys general from Colorado and Connecticut, focuses on companies that do not appear to be honoring consumer requests to stop selling or sharing personal information to third parties through the GPC system.
What is Global Privacy Control?
Global Privacy Control is a browser setting or extension that automatically signals to websites a consumer's preference to opt out of having their personal information sold or shared with third parties. The technology eliminates the need for consumers to manually submit individual opt-out requests to each website they visit.
"Californians have the important right to opt-out and take back control of their personal data and businesses have an obligation to honor this request," Bonta said in a statement. "Today, along with our law enforcement partners throughout the country, we have identified businesses refusing to honor consumers' requests to stop selling their personal data and have asked them to immediately come into compliance with the law."
Growing data collection concerns
The enforcement action comes amid growing concerns about data collection practices online. According to estimates cited by the attorney general's office, the average person produces 1.7 megabytes of data per second, or 6,120 megabytes per hour, as websites track pages visited, time spent browsing, clicks, and purchase information to build detailed consumer profiles.
Apps and software can collect even more sensitive information, including precise geolocation data, creating comprehensive profiles that are often shared with third parties without explicit consumer consent.
Legal framework and consumer rights
Under the California Consumer Privacy Act, businesses cannot sell or share personal information after receiving an opt-out request, with some exceptions. Companies must wait at least 12 months before asking consumers to opt back into data sharing arrangements.
California consumers have two primary options for opting out of data sales:
Global Privacy Control: Users can enable GPC through browser extensions or built-in browser settings to automatically signal opt-out preferences to all websites they visit.
Individual Business Requests: Consumers can use "Do Not Sell or Share My Personal Information" links that businesses are required to display prominently on their websites.
Connecticut Attorney General William Tong emphasized the collaborative nature of the enforcement effort. "While many businesses have been diligent in understanding these new protections and complying with the law, we are putting violators on notice today that respecting consumer privacy is non-negotiable," Tong said.
Enforcement history
The current sweep builds on California's previous enforcement actions, including a $1.2 million settlement with cosmetics retailer Sephora for GPC compliance violations. The action also reinforces educational efforts launched on Data Privacy Day 2025 to inform consumers about their rights under privacy protection laws.
Tom Kemp, executive director of the California Privacy Protection Agency, highlighted the importance of interstate cooperation in privacy enforcement. "Collaboration with our partners in other states is essential to the CPPA's work. We are proud to join this effort to ensure that consumers' opt-out rights are honored, and we will continue working across jurisdictions to protect Californians' privacy."
The coalition has requested immediate compliance from businesses identified in the sweep and indicated that privacy rights enforcement will remain a priority across the participating states. Consumers who encounter businesses with non-functional or hard-to-find opt-out links can report violations to the California Attorney General's office through oag.ca.gov/report.
Posted: 2025-09-09 19:18:06
