Multi-State Privacy Enforcement Sweep: What Businesses Need to Know
- Erin Locker
- |
- September 30, 2025
Regulators have recently made it clear that Global Privacy Control (GPC) compliance is no longer optional. On September 9, the California Privacy Protection Agency (CPPA), along with the Attorneys General of California, Colorado, and Connecticut, announced a coordinated enforcement sweep targeting companies that fail to honor GPC opt-out requests.
GPC is a browser setting or extension that automatically transmits a user’s request to stop the sale or sharing of personal data for purposes of targeted/cross-context behavioral advertising. Under comprehensive privacy laws in California, Colorado, and Connecticut, companies subject to the laws must treat the signal as a valid opt-out request. Regulators emphasized that honoring these signals is “non-negotiable” under modern privacy laws. Businesses that ignore GPC face potential enforcement actions and fines or civil penalties.
This sweep is part of a broader trend: regulators across the country are increasing collaboration. The action follows the formation of a multi-state “Consortium of Privacy Regulators” and reflects growing national alignment on enforcing consumer privacy rights. For businesses, this means GPC will be an ongoing compliance priority.
Below are some of the key points that businesses should know.
- GPC Opt-Out Is Legally Required
In California, Colorado, and Connecticut, companies must recognize and honor GPC signals as valid consumer opt-outs from data sales and targeted advertising. Regulators have already sent investigative letters to businesses that appear out of compliance, warning that failure to act could trigger enforcement. - National Collaboration Is Expanding
Multi-state sweeps are the new normal. Other states, including Texas, Oregon, Maryland, and Minnesota, have enacted laws requiring recognition of universal opt-out signals. Further collaboration among states in enforcement campaigns may be on the horizon. - Regulators Are Setting the Tone
Authorities want consumer opt-outs to be easy and automatic. GPC provides a one-step mechanism that eliminates the need for users to search for “Do Not Sell/Share” links on every website. By prioritizing GPC enforcement, regulators are making clear that frictionless consumer control is a baseline expectation.
Practical Takeaways for Businesses
Companies subject to comprehensive state privacy laws in the United States should review any websites and other online services they offer for compliance with GPC signals. Many consent management platforms (CMPs) offer settings to recognize GPC signals.
Businesses that take steps now to align systems, policies, and vendors with universal opt-out requirements will be better positioned to avoid costly enforcement and keep pace with rapidly evolving state privacy laws.
If you need assistance navigating the data privacy landscape and legislation or if you have any questions, please reach out to KO partner Erin Locker.
Erin Locker is a commercial partner whose practice focuses on privacy, cybersecurity and data protection. She helps companies at every stage navigate the rapidly evolving landscape of global privacy regulation and develop strategic approaches to compliance. Erin counsels clients on a range of data privacy and protection issues involving product design and development, digital marketing and advertising, compliance programs, and data licensing transactions.
