Attorney General Bonta Announces Joint Investigative Privacy Sweep: CO, CT, and CA Investigate Businesses Refusing to Honor Consumers’ Right to Opt-Out of the Sale of Their Personal Information

Coordinated state effort signals nationwide, robust enforcement of important privacy right 

OAKLAND — California Attorney General Rob Bonta, alongside the California Privacy Protection Agency and the attorneys general of Colorado and Connecticut, today announced an investigative sweep involving potential noncompliance with the Global Privacy Control, or GPC, an easy-to-use browser setting or extension that automatically signals to businesses a consumer’s request to stop selling or sharing their personal information to third parties. As part of the sweep announced today, the coalition sent letters to businesses that do not appear to be processing consumer requests to opt out of the sale of their personal information submitted via the GPC as required by law and requested that those businesses come into immediate compliance. This sweep reinforces the three states’ 2025 Data Privacy Day educational efforts on the GPC and California’s prior $1.2 million settlement  with Sephora regarding GPC compliance.

“Californians have the important right to opt-out and take back control of their personal data — and businesses have an obligation to honor this request,” said Attorney General Rob Bonta. “Today, along with our law enforcement partners throughout the country, we have identified businesses refusing to honor consumers’ requests to stop selling their personal data and have asked them to immediately come into compliance with the law. California and our sister states are committed to continued collaboration to actively enforce consumers’ important privacy rights and are paying close attention to business compliance with the Global Privacy Control.”

“In Connecticut, you have the right to access, correct, and delete personal data stored and collected by businesses, and the right to opt-out of the sale of personal data and targeted advertising. And you can install a simple browser extension that indicates your choice to opt-out of this type of commercial tracking. While many businesses have been diligent in understanding these new protections and complying with the law, we are putting violators on notice today that respecting consumer privacy is non-negotiable,” said Attorney General William Tong. 

“Collaboration with our partners in other states is essential to the CPPA’s work. We are proud to join this effort to ensure that consumers’ opt-out rights are honored, and we will continue working across jurisdictions to protect Californians’ privacy,” said Tom Kemp, the CPPA’s Executive Director.  

Data comes from nearly everywhere online, even when people think they’re not revealing anything. It has been estimated that the average person produces 1.7 MB of data per second or 6,120 MB of data per hour. Websites can track and amass personal information and behavioral data like pages visited, time spent on pages, clicks, and detailed purchase information to create and share profiles and inferences about consumers. Apps and other software can collect and transmit personal information as well, including sensitive personal information like a user’s precise geolocation. Preventing third parties from receiving this information is a key step to protecting private information and stopping the proliferation of consumer data in the online ecosystem.

YOUR RIGHT TO OPT-OUT IN CALIFORNIA

The California Consumer Privacy Act (CCPA) vests California consumers with control over the personal information that businesses collect about them, including the right to request that businesses stop selling or sharing their personal information. With some exceptions, businesses cannot sell or share your personal information after they receive your opt-out request unless you later provide authorization allowing them to do so again. Businesses must wait at least 12 months before asking you to opt back in to the sale or sharing of your personal information.  

Consumers interacting with a business online have two options to opt out of the sale of their data:

OPTION 1: Enabling Global Privacy Control 

The GPC is a signal that allows users to automatically indicate to the websites they visit that they would like to opt-out of the “sale” and “sharing” of their personal information. The GPC signal is an easy way to opt-out because a consumer does not have to make individualized requests to opt-out on each website they visit. GPC can be downloaded via a browser extension; some browsers offer a GPC setting. Installing GPC is simple and ensures your personal is protected. 

Click here for a video to show you how to install GPC.

OPTION 2: Opt-Out One Business at a Time 

Businesses that sell personal information must provide a clear and conspicuous “Do Not Sell or Share My Personal Information” link on their website that allows you to submit an opt-out request. Businesses cannot require you to create an account to process your opt-out, but may ask consumers for information necessary to complete the request, such as information necessary to identify the consumer whose information shall cease to be sold or shared by the business.

If you can’t find a business’s “Do Not Sell or Share My Personal Information” link, review its privacy policy to see if it sells or shares personal information. If the business does, it must also include that link in its privacy policy. If a business’s "Do Not Sell My Personal Information" link is not working or difficult to find, you may report the business to our office by visiting oag.ca.gov/report. 

For more information on the CCPA and opting out, please see here. For a tutorial on installing GPC, please see here.