No Opt-Out for State Data Privacy Compliance: California, Colorado and Connecticut Keep Data Privacy Enforcement Pressure on with Joint Enforcement Sweep

On September 9, 2025, the California Privacy Protection Agency (“CPPA”), along with California Attorney General Rob Bonta, Colorado Attorney General Phil Weiser, and Connecticut Attorney General William Tong, (collectively the “Coalition”) announced a joint investigative sweep (the “Sweep”) into businesses refusing to honor consumers' requests to opt-out of the sale of their personal information submitted via Global Privacy Controls (“GPCs”). This Sweep is another action in a growing trend of multi-state cooperation in data privacy enforcement activities. Given the continued lack of a federal data privacy law, state cooperation and enforcement activities are expected to continue.

Per the California Consumer Privacy act, the Colorado Privacy Act, and the Connecticut Data Privacy Act (the “Statutes”), consumers have the right to opt out of the sale or sharing of their personal information, including for purposes of targeted advertising. With some exceptions, a business who has previously received a request to opt out must honor such a request unless the consumer later provides authorization for such activities.

In this particular case, the Sweep focuses on one mechanism for a consumer to opt-out, the Global Privacy Control or GPC. GPCs are designed to automate this process and submit a consumer’s request to opt out through the use of a browser setting or extension. Thus, a consumer may easily request to stop selling or sharing their personal information to third parties. With GPCs enabled, a consumer visiting a website would theoretically not need to navigate through a cookie banner or a separate privacy-specific webpage to exercise its opt out rights. Per the Statutes, businesses subject to the obligations are required to honor such opt out requests submitted via GPCs.

As part of the Sweep announcement, California Attorney General Bonta indicated that the Coalition has identified and sent letters to businesses “refusing to honor consumers’ requests to stop selling their personal data [via GPCs] and have asked them to immediately come into compliance with the law.” Though the Coalition has not yet announced a timeline for enforcement following the letters to non-compliant businesses, Connecticut Attorney General Tong stresses that the Sweep is intended to put “violators on notice today that respecting consumer privacy is non-negotiable.” The Sweep followed the three states’ 2025 Data Privacy Day educational efforts on the GPC.

Those who have followed privacy enforcement trends in the past will recognize that the Sweep is not the first time regulators have focused on GPC compliance. In fact, the first ever CCPA enforcement was brought against Sephora due, in part, to its failure to process user requests to opt out of sale via user-enabled GPCs. However, the Sweep does mark the first time that regulators in different states have come together in an effort to improve GPC compliance and may indicate that the Coalition may conduct similar sweeps in the future. Given the emphasis placed on GPC compliance during the 2025 Data Privacy Day, it is important for companies to stay informed of state agency activities of and notices as one avenue of insight into potential enforcement priorities.

Crowell supports its clients through data privacy compliance reviews regarding the various state privacy laws, as well as responding to state agency notices. We will continue to monitor the development of the Sweep and provide updates when further information is released. Please reach out if you have any questions or would like to discuss your compliance related questions.