Last week, California Attorney General Rob Bonta, alongside the California Privacy Protection Agency (CPPA) and the Attorneys General of Colorado and Connecticut, announced a joint investigative sweep focused on enforcing consumers’ right to opt out of the sale and sharing of their personal information.
This joint investigative sweep targets businesses that may be failing to honor consumer requests to opt out of the sale of personal information, a right guaranteed under each participating state’s data protection statutes. A central focus of this initiative is compliance with the Global Privacy Control (GPC).
The GPC is an easy-to-use browser setting or extension that automatically signals to websites a consumer’s request to stop selling or sharing their personal information to third parties. It provides consumers with a simple, universal mechanism to exercise their privacy rights, eliminating the need to make individualized opt-out requests on every website they visit. Regulators are emphasizing that businesses cannot ignore or sidestep these GPC signals.
As part of this sweep, the coalition has already sent letters to businesses that do not appear to be processing consumer requests to opt out of the sale of their personal information submitted via the GPC, requesting immediate compliance. This action reinforces prior efforts, including the three states’ 2025 Data Privacy Day educational initiatives on GPC and California’s significant $1.2 million settlement with Sephora for GPC compliance violations.
California Attorney General Rob Bonta stated, “California and our sister states are committed to continued collaboration to actively enforce consumers’ important privacy rights and are paying close attention to business compliance with the Global Privacy Control”. This collaboration is not new; it follows the establishment of the Consortium of Privacy Regulators in April 2025, a formal group of eight states, including California, Colorado, and Connecticut, dedicated to coordinating privacy law implementation and enforcement.
How This Impacts EIA Members
This multi-state investigation highlights a growing focus on privacy compliance — especially around honoring Global Privacy Control (GPC) signals.
Key Takeaways:
- National Impact: States beyond CA, CO, and CT (including DE, OR, MT, TX, NJ, NH, and MN) also require businesses to honor GPC signals. MD’s law will follow in October 2025.
- Mandatory GPC Compliance: Businesses must detect and honor GPC signals as opt-out requests to stop selling/sharing consumer data. Platforms should be configured to handle this automatically.
- Other Requirements: If you sell/share personal data, you must display a clear “Do Not Sell or Share My Personal Information” link on your site and privacy policy. No account creation can be required for opt-outs.
- Real Enforcement: Regulators have already levied large fines (e.g., Sephora $1.2M, Todd Snyder $345K, Honda $632K). Non-compliance carries serious financial and reputational risk.
- Audit Your Tech Stack: Regularly review third-party tools, cookies, and tracking scripts, and establish a process or governance committee to ensure ongoing compliance.
What EIA Members Should Do Now
Businesses operating in these states, and indeed across the U.S., should take this opportunity to shore up their privacy compliance by testing and verifying that their websites and apps are properly functioning and effectuating consumer opt-out choices, including via GPC signals.
Ensure your privacy policies are up-to-date, clearly outline consumer rights, and provide accessible mechanisms for exercising those rights. This proactive approach will not only help you avoid costly enforcement actions but also build greater trust with your customers in an increasingly privacy-conscious world.
Join the EIA today to help strengthen and shape policies that affect all ecommerce businesses. Together, we can continue to create the future of ecommerce. Subscribe to EIA email updates to stay informed on key developments and their impact on your business.
