CPPA and AGs Launch Coordinated Investigation Into Corporate Global Privacy Control Failures

The California Privacy Protection Agency (CPPA) is collaborating with the Attorneys General of California, Colorado, and Connecticut in a joint investigation into businesses they think may not be complying with consumers’ rights to opt out of the sale of their personal information using a Universal Opt-Out Mechanism, the most popular of which is the Global Privacy Control (GPC). The joint investigation underscores a strong nationwide commitment to enforcing privacy laws and to educating consumers about their rights under the California Consumer Privacy Act (CCPA) and similar statutes.

The joint investigation aims to ensure that businesses honor GPC opt-out requests, which are designed to protect consumer privacy. The GPC is an opt-out preference signal attached to a website visitor’s browser (or through an extension to that browser) that automatically informs websites of a consumer’s desire to stop the sale or sharing of personal information to third parties, eliminating the need for individual opt-out requests on each website. The CCPA and eight other state statutes require website owners to recognize GPCs in certain circumstances. Consumers also have the option to manually opt out on a per-business basis through clear “Do Not Sell or Share My Personal Information” links on websites, which must be accessible without the user having to create an account. Regulators from the states involved in the investigation have issued letters to several companies they believe may not process GPC signals in compliance with applicable laws.

In California specifically, the CPPA has been active in enforcing privacy rights, having fined companies such as Todd Snyder and American Honda Motor Co. for CCPA violations. California has collaborated with other states and international data protection authorities to enforce privacy laws and educate the public on these laws and related developments, including the launch of the Consortium of Privacy Regulators. California’s coordinated approach highlights its commitment to ensuring that individuals can easily and effectively enforce their privacy rights. In light of this, and with the increase in class action litigation (and one-off demand letters) alleging wiretapping violations regarding the use of online tracking technologies or other privacy law violations (like California’s Shine the Light law), companies risk enforcement or litigation if tracking technologies are not effectively overseen.

Accordingly, companies should take the opportunity (before being caught up in an investigation or litigation) to audit their privacy rights request process to (1) ensure the process for verifying individuals’ identities does not ask for information not necessary to comply with individuals’ requests, (2) ensure they have an easy and streamlined process for effectuating privacy rights, (3) understand how they are using tracking technologies and ensure consent is being gathered, (4) ensure their online tracking technology software is operating as intended, including by recognizing GPC signals, and (5) ensure the appropriate contracts are in place with online tracking technology vendors.

If you have any questions about this Blog post, please contact the authors or their colleagues in Arnold & Porter’s Privacy, Cybersecurity & Data Strategy practice group.

© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.