California is continuing to raise the bar on privacy compliance and their privacy regulators are making one thing clear: offering consumers the ability to opt out of data collection or sharing is not enough — those rights must be easy to exercise.

In recent enforcement actions, the California Privacy Protection Agency (CPPA) fined companies including Ford Motor Company Disney and PlayOn Sports for privacy violations tied to how consumer rights were implemented. In Ford’s case specifically, the issue wasn’t that an opt-out mechanism didn’t exist. Instead, regulators determined that the company added unnecessary steps that created “friction” for users attempting to opt out.

For ecommerce businesses, this marks an important shift in enforcement priorities. Regulators are increasingly examining the technical design and user experience of privacy workflows, not just the presence of privacy policies or compliance checkboxes.

As CPPA enforcement ramps up, businesses need to ensure their privacy controls are clear, accessible, and free from unnecessary barriers.

The Ford Case: When Extra Steps Become “Friction”

In March 2026, the CPPA announced a settlement with Ford Motor Company, fining the company more than $375,000. The core issue centered on the company’s opt-out process for the sale or sharing of personal data. Consumers attempting to exercise their privacy rights were required to verify their request through email confirmation before the opt-out would take effect.

While verification might seem reasonable from a security perspective, regulators determined the additional step created unnecessary friction that made the process harder for consumers than the law allows. Under California privacy rules, businesses cannot require consumers to take extra steps that delay or discourage them from exercising their rights, unless those steps are strictly necessary.

In this case, the CPPA concluded that requiring email verification to opt out of data sharing was not necessary and therefore violated the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

The message from regulators signals that if the opt-out process becomes overly complicated, it may be treated as noncompliant.

PlayOn Sports: When the Opt-Out Doesn’t Exist

In a separate enforcement action also in March 2026, the CPPA fined PlayOn Sports, a youth sports streaming platform, $1.1 million for a range of privacy violations.

Regulators identified issues such as the company failing to provide a clear way for consumers to opt out of the sale or sharing of personal information and that privacy rights workflows were incomplete or improperly implemented. The company also collected data related to children and minors, raising additional compliance concerns.

This enforcement action demonstrates another key point for businesses: both missing privacy controls and poorly implemented ones can trigger regulatory scrutiny.

Disney: When Opt-Out Choices Don’t Work as Expected

In February 2026, another enforcement action involving The Walt Disney Company highlights how regulators are examining whether privacy controls actually function as intended.

California Attorney General Rob Bonta announced a $2.75 million settlement with Disney over alleged CCPA violations tied to consumer opt-out rights. Regulators found that Disney’s systems allowed certain personal data to continue flowing to advertising partners even after users attempted to limit data sharing.

The case reinforces that providing an opt-out option isn’t enough if the underlying systems fail to properly honor those choices. Privacy controls must be clear, functional, and effective—not just present on paper.

What Counts as “Too Much Friction”?

The CPPA has increasingly emphasized the concept of “friction” in privacy rights workflows. In simple terms, friction refers to any unnecessary step that makes it harder for consumers to exercise their rights.

Examples of friction regulators may consider problematic include:

• Requiring account creation to submit an opt-out request
• Adding multiple confirmation steps that delay requests
• Requiring identity verification when it isn’t necessary
• Making consumers navigate multiple pages or menus to find the opt-out option
• Providing confusing or misleading instructions

In many cases, these practices can also fall under the category of “dark patterns.”

What Are Dark Patterns?

Dark patterns are layout and design choices that manipulate users into making decisions they might not otherwise make.

Within the context of privacy regulations, dark patterns can include:

• Making the opt-in option prominent and easy, while hiding the opt-out
• Using confusing language that discourages users from opting out
• Creating complex workflows that push consumers toward accepting tracking

California regulations specifically prohibit user interfaces that substantially impair or subvert a consumer’s ability to exercise their privacy rights. For ecommerce companies, this means privacy choices must be presented clearly and neutrally.

What a CPPA-Compliant Opt-Out Should Look Like

While the regulations do not prescribe a single technical implementation, regulators have outlined several principles businesses should follow.

A compliant opt-out process should generally be:

Easy to find
Consumers should be able to locate the opt-out option quickly—typically through a visible “Do Not Sell or Share My Personal Information” link or similar mechanism.

Simple to complete
The process should require minimal steps and should not involve unnecessary verification.

Immediate or prompt
Once submitted, the opt-out should take effect without delays caused by unnecessary confirmations.

How This Connects to EIA’s Previous Coverage

These enforcement actions build on several developments we’ve previously covered at the Ecommerce Innovation Alliance.

In recent months, California has expanded its privacy framework through initiatives such as:

• The launch of California’s DROP tool, which allows consumers to request deletion of personal data held by data brokers.
• Legislation like Senate Bill 923, strengthening consumer data deletion rights.
• Efforts like the Opt Me Out Act to standardize universal opt-out mechanisms, allowing users to automatically signal privacy preferences across websites.

Together, these initiatives point toward a broader regulatory direction: privacy rights must be practical and easy for consumers to exercise.

Businesses that treat privacy compliance as a purely legal checkbox may find themselves exposed as regulators increasingly evaluate the technical implementation and user experience of privacy tools.

Looking Ahead

For ecommerce brands and online retailers, these developments highlight a growing compliance challenge. Many ecommerce sites rely on advertising and tracking technologies, customer analytics tools, third-party marketing platforms and data sharing with partners and service providers. These activities often trigger obligations under California’s privacy laws.

The recent CPPA enforcement actions signal that regulators are moving beyond theoretical compliance and focusing on how privacy rights work in practice. For ecommerce businesses, the takeaway is that privacy tools must be functional, accessible, and frictionless.

Join the EIA today to help strengthen and shape policies that affect all ecommerce businesses. Together, we can continue to create the future of ecommerce. Subscribe to EIA email updates to stay informed on key developments and their impact on your business. 

Ecommerce Innovation Alliance provides members with analysis of litigation and regulatory developments affecting online commerce and digital marketing. This post is for informational purposes only and does not constitute legal advice.