The California Privacy Protection Agency (“CPPA”), along with the Attorneys General of California, Colorado, and Connecticut, announced a coordinated investigative sweep on September 9, 2025, targeting businesses that fail to honor consumer opt-out requests submitted through Global Privacy Control (“GPC”). This marks a significant escalation in multi-state privacy enforcement and signals that state regulators are prioritizing automated opt-out mechanisms as a critical compliance area.
What is Global Privacy Control?
Global Privacy Control is a browser setting or extension that automatically signals to websites that consumers want to opt out of the sale or sharing of their personal information. Unlike manual opt-out processes that require consumers to submit individual requests to each business, GPC provides a streamlined, automated approach to exercising privacy rights across multiple websites.
Under California’s Consumer Privacy Act (“CCPA”), businesses must recognize and honor GPC signals as valid opt-out requests. Similar requirements exist under Colorado’s Privacy Act and Connecticut’s Data Privacy Act.
The Enforcement Action
This coordinated sweep represents several concerning trends for businesses:
- Multi-State Collaboration: The joint action demonstrates growing coordination between state privacy regulators, amplifying enforcement reach and potential penalties across jurisdictions.
- Automated Compliance Focus: Regulators are specifically targeting failures to process automated opt-out signals, indicating this will be a priority enforcement area going forward.
- Proactive Investigations: Rather than waiting for consumer complaints, regulators are actively identifying potentially non-compliant businesses and demanding immediate corrective action.
Immediate Action Items for Businesses
Given the proactive nature of this enforcement sweep, we recommend that businesses subject to state privacy laws:
- Verify that your website can detect and process GPC signals
- Test GPC functionality across all web properties and digital touchpoints
- Ensure GPC requests are processed within the same timeframe as manual opt-out requests
- Confirm your privacy policy accurately describes GPC recognition and processing
- Verify that required “Do Not Sell or Share My Personal Information” links are prominently displayed on your website
- Ensure privacy policy language complies with requirements in all applicable jurisdictions
Compliance Risks and Penalties
Businesses that fail to honor GPC requests face multiple enforcement risks:
- California: Fines up to $7,500 per violation under the CCPA
- Colorado: Penalties up to $20,000 per violation under the Colorado Privacy Act
- Connecticut: Fines up to $5,000 per violation under the Connecticut Data Privacy Act
- Reputational damage from public enforcement actions
- Class action litigation risk from affected consumers
We Can Help
Our privacy and data security team can assist in reviewing and revising your privacy policies to ensure compliance with GPC requirements across all applicable jurisdictions, including clear disclosures about automated opt-out processing. In addition, our team can assess your business operations across different states and develop comprehensive compliance strategies that address varying requirements while minimizing operational complexity. Should your business receive inquiry letters from state regulators, we can guide your response strategy and help negotiate favorable resolution terms.
Please contact Susan Duarte (sfd@commlawgroup.com) or your relationship partner to discuss your specific compliance needs and develop a comprehensive strategy for addressing GPC requirements and broader privacy law obligations.