The recent announcement by the states of California, Colorado and Connecticut that they are working together to carry out a joint investigative sweep has raised eyebrows across the privacy world. Last week, California Attorney General Rob Bonta, the California Privacy Protection Agency (CPPA), and the attorneys general of Colorado and Connecticut announced that they are working together to investigate businesses that refuse to honor consumers’ right to opt out of the sale or sharing of their personal data. The sweep aims especially at companies that are not processing opt-out requests made via the Global Privacy Control (GPC) tool, even though honoring those requests is required by law in each of the three states involved.
The GPC is a browser setting or installable extension that allows consumers to automatically opt out of the sale or sharing of their data with third parties. California AG Bonta’s press release makes clear that regulators strongly suspect that many businesses are ignoring these opt outs and thus failing to adhere to the law. As part of the sweep, regulators have already sent letters to companies that appear not to be in compliance, demanding that they come into immediate compliance. The states have not publicly named any of the targets of the sweep as of yet.
California AG Bonta also emphasized that regulators expect businesses to move quickly to align their practices with legal requirements, whether or not they have been explicitly notified of their noncompliance.
As many companies likely already know, California is no stranger to consumer data protections. The state has already secured settlements involving GPC and/or opt-out compliance against Sephora, DoorDash, Healthline, Honda and Todd Snyder, Inc., with the fines cumulatively in the millions of dollars. However, what really stands out in this new sweep is the cross-state cooperation. Colorado and Connecticut have their own privacy laws, which mirror California’s in many ways, including recognizing browser-based opt-out signals like GPC. The coordinated effort sends a strong message that enforcement of these issues is no longer just a California quirk, especially given that 19 other states now have similar consumer data protection laws. Thus, this cross-state cooperation likely is not an anomaly and should be considered the new norm. Going forward, businesses should be aware of the effect this will have on their operations, especially when conducting business in these privacy-focused states.
Many businesses assume that having a conspicuous privacy policy or a cookie notice is sufficient. However, even when companies think they are being transparent, data collection often happens before notice is given. Tracking tools may collect personal data the moment someone arrives at the website, so consumers may not have a real opportunity to opt out before collection begins, thus rendering the privacy policy and cookie notice moot. The laws often treat things like device identifiers, IP addresses or user behavior data as personal information, even where companies make good-faith efforts to anonymize the data. That makes it all the more important that businesses act deliberately to avoid collecting any personal data when the business sells or shares that information and the consumer has elected to opt out via GPC or otherwise.
For many companies, this sweep should serve as a clear warning that compliance with opt outs and consumer data protections has become a paramount legal requirement and enforcement priority across the country. Businesses need to take affirmative steps to process and document consumer requests to opt out of the sale and sharing of their personal information, lest they become the target of enforcement and the subject of a future press release by a consortium of attorneys general.