Skip to Content
Client Payment

Events In the News

Joint Enforcement Efforts for Consumer Opt Out Requests

on Monday, 27 October 2025 in Technology & Intellectual Property Update: Arianna C. Goldstein, Editor

On September 9, 2025, the California Privacy Protection Agency (“CPPA”) and the Attorneys General of California, Colorado, and Connecticut announced a joint enforcement sweep that centers on the Global Privacy Control (“GPC”), a browser setting that automatically signals to companies that a consumer does not want their personal information sold or shared.  Under each state’s respective consumer data privacy law (collectively, the “Acts”), consumers have the right to opt out of the sale or sharing of their personal information, including for purposes of targeted advertising.  Subject to a few narrow exceptions, businesses that previously received a consumer request to opt out must honor such the request unless the consumer later provides authorization for such activities.

The joint enforcement sweep appears to focus on two key processes that businesses must support for when receiving opt requests.  First, businesses must recognize and honor the GPC signal as an opt out request across participating websites (rather than requiring requests site by site).  Second, businesses must maintain a clear “Do Not Sell or Share My Personal Information” link or equivalent on their website that allows consumers to submit opt out requests. 

This joint enforcement effort builds on prior enforcement actions by the CPPA and state attorneys general, as well as prior cooperative efforts across states, especially by the CPPA.  For example, earlier this year the CPPA announced that it formed a Consortium of Privacy Regulators, comprised of privacy regulators from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon, with the stated intent of promoting the sharing of enforcement priorities and coordinated investigations. 

Given the Consortium, it is believed that regulators in California, Colorado, and Connecticut will share identified compliance deficiencies with their Consortium counterparts, as well as with regulators in other jurisdictions. Because of that, businesses should thoroughly review their current opt out mechanisms and procedures and addresses any identified vulnerabilities.

Grayson J. Derrick
back

1700 Farnam Street | Suite 1500 | Omaha, NE 68102 | 402.344.0500

Law Firm Website Design