In a coordinated move earlier this month, regulators in California, Colorado, and Connecticut launched a joint privacy sweep, signaling a continued focus on state privacy law compliance, particularly with regard to honoring consumer opt-out requests and the tools offered to consumers to make those requests.
The regulators made clear that at the center of the scrutiny is the Global Privacy Control (GPC) and other opt-out signals, tools that allow consumers to automatically opt out of data sales and targeted advertising in certain states. California, Colorado, and Connecticut all explicitly require companies to recognize and process these signals, as do some other states.
This latest joint enforcement effort underscores a broader trend: states are increasing cooperation in scrutinizing companies’ compliance with opt-out mechanisms and the broader laws. Earlier this year, seven state privacy regulators (from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon) announced a formal collaboration to coordinate investigations into consumer privacy practices.
Regulators are closely examining whether opt-out tools function as intended and as described to consumers. Companies should proactively review and update their compliance strategies and technical setups as needed.
California Cases: Clear Signals on Opt-Out Expectations
California regulators have already been active in individual enforcement efforts centered on opt-out requirements in the California Consumer Privacy Act, with two recent actions offering clear signals of continued emphasis.
- Todd Snyder Enforcement Action (May 2025). Fashion retailer Todd Snyder was fined $345,000 by the California Privacy Protection Agency for, among other items, alleged violations, including consumer opt-out rights and data request handling. Please read our prior summary for additional information on the enforcement action.
- Healthline Settlement (July 2025). Health-focused digital publisher Healthline Media LLC was fined $1.55 million by the California attorney general for alleged violations of continued targeted advertising after consumers opted out via any of the three offered tools. Please read our prior summary for additional information on the enforcement action.
Why This Matters: Opt-Out Compliance as a Core Compliance Feature
Regulators are treating opt-out mechanisms and notice requirements as a core compliance feature for state consumer privacy laws. Accordingly, state regulators are not just issuing guidance; they are issuing fines.
Companies should work to ensure that opt-out tools and consumer requests are honored, and that their technical tools and vendors are not a source of legal risk. As enforcement expands beyond this initial group of states,