On Tuesday, September 9, 2025, the California Privacy Protection Agency and attorneys general from California, Connecticut, and Colorado announced an investigative sweep targeting businesses' noncompliance with Global Privacy Control, the most widely adopted opt-out preference signal. This follows the same states' joint efforts in January to educate consumers about their right to opt-out of the sale of personal information, as well as several enforcement actions emphasizing the obligation to honor consumer opt outs. Businesses that have not yet prioritized honoring opt-outs transmitted through GPC or other signals are now significantly out of step with regulatory expectations.
Noncompliant businesses should expect violation notice letters sent by these regulators in short order. Letters sent in past investigative sweeps have ranged from the dozens to the hundreds, and often ripen into subsequent enforcement actions. Considering cure periods provided by the privacy laws of all three states sunset long ago, and compliance has long been expected, businesses should anticipate an increased rate of escalation from notice to enforcement.
For businesses uncertain about how to meet the technical and legal requirements for Global Privacy Control, there are readily available resources. The California Attorney General has a dedicated resource page, globalprivacycontrol.org provides an implementation guide, and several browser extensions can test whether a website properly honors the signal.
The importance of honoring opt-out preference signals will only grow in importance as both consumer and businesses continue to adopt the technology. In the coming days, the California legislature is expected to pass AB 566, requiring browsers to provide functionality for the consumer to automatically send an opt-out preference signals.
Interestingly, while the California Consumer Privacy Act and Connecticut Data Privacy Act require businesses to honor consumer opt-outs effectuated through "opt-out preference signals," the Colorado Privacy Act requires businesses to honor opt-outs made through “universal opt-out mechanisms.” The distinction here is subtle but important: California and Connecticut require honoring the signal as an opt out, regardless of the mechanism that sends it, while Colorado requires a signal sent by a specific mechanism -- GPC being the only officially recognized UOOM by the Colorado Attorney General. This difference is playing out in the proposed New Jersey Data Privacy Act regulations expected to be finalized in the coming months.
While the current sweep focuses on GPC, California and Connecticut regulators have authority to investigate failure to honor any opt-out signal. Colorado regulators, in contrast, remain limited to enforcing violations specifically related to GPC.