California Privacy Protection Agency Announces Joint Investigative Privacy Sweep: CA, CO, and CT Investigate Businesses Refusing to Honor Consumers' Right to Opt-Out of the Sale of Their Personal Information

SACRAMENTO — The California Privacy Protection Agency, alongside the Attorneys General of California, Colorado, and Connecticut, today announced an investigative sweep involving potential noncompliance with the Global Privacy Control, or GPC, an easy-to-use browser setting or extension that automatically signals to businesses a consumer's request to stop selling or sharing their personal information to third parties. As part of the sweep announced today, the coalition is contacting businesses that may not be processing consumer requests to opt out of the sale of their personal information submitted via the GPC as required by law and requesting that those businesses comply. This sweep reinforces the three states' 2025 Data Privacy Day educational efforts on the GPC.

“Californians have the important right to opt-out and take back control of their personal data — and businesses have an obligation to honor this request,” said Attorney General Bonta. “Today, along with our law enforcement partners throughout the country, we have identified businesses refusing to honor consumers' requests to stop selling their personal data and have asked them to immediately come into compliance with the law. California and our sister states are committed to continued collaboration to actively enforce consumers' important privacy rights and are paying close attention to business compliance with the Global Privacy Control.”

“In Connecticut, you have the right to access, correct, and delete personal data stored and collected by businesses, and the right to opt-out of the sale of personal data and targeted advertising. And you can install a simple browser extension that indicates your choice to opt-out of this type of commercial tracking. While many businesses have been diligent in understanding these new protections and complying with the law, we are putting violators on notice today that respecting consumer privacy is non-negotiable,” said Attorney General Tong.

“Collaboration with our partners in other states is essential to the CPPA's work. We are proud to join this effort to ensure that consumers' opt-out rights are honored, and we will continue working across jurisdictions to protect Californians' privacy,” said Tom Kemp, the CPPA's Executive Director.

Websites can track and amass personal information and behavioral data like pages visited, time spent on pages, clicks, and detailed purchase information to create and share profiles and inferences about consumers. Online interactions generate all kinds of data, even when people think they're not revealing anything. It has been estimated that the average person produces 1.7 MB of data per second or 6,120 MB of data per hour. Reducing one's digital footprint by signaling to businesses to not sell or share one's personal information is a key step in stopping the proliferation of consumer data in the online ecosystem.

YOUR RIGHT TO OPT-OUT IN CALIFORNIA

The California Consumer Privacy Act (CCPA) vests California consumers with control over the personal information that businesses collect about them, including the right to request that businesses stop selling or sharing their personal information. With some exceptions, businesses cannot sell or share your personal information after they receive your opt-out request unless you later provide authorization allowing them to do so again. Businesses must wait at least 12 months before asking you to opt back in to the sale or sharing of your personal information.

Consumers interacting with a business online have two options to opt out of the sale of their data:

OPTION 1: Enabling Global Privacy Control

The GPC is an opt-out preference signal (OOPS) that allows users to automatically indicate to the websites they visit that they would like to opt-out of the “sale” and “sharing” of their personal information. The GPC signal is an easy way to opt-out because a consumer does not have to make individualized requests to opt-out on each website they visit. GPC can be downloaded via a browser extension; some browsers offer a GPC setting. Installing GPC is simple and helps ensure your personal information is protected.

Click here for a video to show you how to install GPC.

OPTION 2: Opt-Out One Business at a Time

Businesses that sell or share personal information must provide a clear and conspicuous “Do Not Sell or Share My Personal Information” link on their website that allows you to submit an opt-out request. Businesses cannot require you to create an account to process your opt-out, but may ask consumers for information necessary to complete the request, such as information necessary to identify the consumer whose information shall cease to be sold or shared by the business.

If you can't find a business's “Do Not Sell or Share My Personal Information” link, review its privacy policy to see if it sells or shares personal information. If the business does, it must also include that link in its privacy policy. If a business's "Do Not Sell or Share My Personal Information" link is not working or difficult to find, you may report the business to the CPPA by visiting cppa.ca.gov/webapplications/complaint.

For more information on the CCPA and opting out, please see here.

The CPPA's Recent Enforcement Actions to Protect Californians

The CPPA continues to actively enforce California's cutting-edge privacy laws. Recent actions include:

• Issuing a decision requiring clothing retailer Todd Snyder to change its business practices and pay a $345,178 fine for CCPA violations.
• Issuing a decision requiring American Honda Motor Co. to change its business practices and pay a $632,500 fine for CCPA violations — one of the highest fines in the law's history.
• Securing a settlement agreement requiring data broker Background Alert — which promoted its ability to dig up “scary” amounts of information about people — to shut down or pay a steep fine.
• Launching the bipartisan Consortium of Privacy Regulators to collaborate with states across the country to implement and enforce privacy laws nationwide.
• Partnering with the data protection authorities in Korea , France , and the United Kingdom to share information and advance privacy protections for Californians.

In addition, the agency has secured more than half a dozen successful enforcement actions against unregistered data brokers following an investigative sweep launched late last year to assess compliance with the Delete Act.

About Us

The California Privacy Protection Agency is committed to promoting the education and awareness of consumers' privacy rights and businesses' responsibilities under the California Consumer Privacy Act.

Individuals can visit privacy.ca.gov to access helpful and up–to–date information on how to exercise their rights and protect their personal information. In addition, the Agency's website provides important information about CPPA Board Meetings, announcements, and the rulemaking process.