States Crack Down on Mishandled Data Opt-Outs, Signal Enforcement Shift
State privacy regulators are ramping up enforcement on opt-out rights violations across the U.S.
Why it matters: Legal and compliance teams face new scrutiny as regulators prioritize whether businesses efficiently honor consumers’ data opt-out requests. Noncompliance—intentional or not—now brings increased enforcement risk, operational impact, and public fines.
- California, Colorado, and Connecticut attorneys general launched a joint privacy sweep in September 2025 targeting businesses ignoring opt-out signals.
- CalPrivacy fined Ford $375,703 in March 2026 for adding friction to the consumer opt-out process, violating the CCPA.
- Twelve states now require businesses to honor opt-out preference signals like Global Privacy Control (GPC).
- California’s Delete Request and Opt-out Platform (DROP), effective January 1, 2026, allows residents to opt out of data sales in a single step.
Enforcement priorities are shifting as state privacy laws mature, with regulators scrutinizing not only if opt-out provisions exist but how businesses process requests for data sale and targeted advertising opt-outs. In a September 2025 joint sweep, attorneys general from California, Colorado, and Connecticut focused on websites ignoring consumer opt-outs submitted via Global Privacy Control (GPC) signals.
- As of April 2026, twelve states mandate honoring GPC and similar opt-out signals, including California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas.
- The consequences of noncompliance are tangible. On March 5, 2026, the California Privacy Protection Agency (CalPrivacy) fined Ford Motor Company $375,703 for requiring unnecessary email verification to process opt-outs—a move regulators concluded discouraged the exercise of privacy rights.
- Michael Macko, CalPrivacy’s Head of Enforcement, underscored the principle: “Opting out is supposed to be easy. Just as unnecessary steps in the checkout process can discourage consumers from completing a purchase, unnecessary steps in the opt-out process can discourage consumers from exercising their privacy rights.”
California is also rolling out the Delete Request and Opt-out Platform (DROP) in 2026, letting residents submit a single deletion request to all registered data brokers. Over 155,000 deletion requests were already submitted soon after launch.
By the numbers:
- $375,703 — Fine levied against Ford for CCPA opt-out violations
- 12 — U.S. states now mandate opt-out preference signal recognition, including GPC
- 155,000+ — Deletion requests filed through California's DROP platform shortly after rollout
Yes, but: The outcomes of the joint investigative privacy sweep and details on business adaptations to these requirements remain unclear.
What's next: DROP goes into effect in California January 1, 2026, setting a new operational benchmark for data brokers.