Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

California, Colorado and Connecticut Launch Joint Sweep on Global Privacy Control Compliance

Skadden Publication / Cybersecurity and Data Privacy Update

William E. Ridgway David A. Simon Dana E. Holmstrand Lisa V. Zivkovic

Executive Summary

  • What’s new: On September 9, 2025, the California Privacy Protection Agency (CPPA) and the California Attorney General (AG), along with the AGs of Colorado and Connecticut, announced a joint investigative sweep into whether businesses are properly honoring consumer requests to opt out of the sale of their personal data and targeted advertising conveyed through the Global Privacy Control (GPC).
  • Why it matters: This is the first announcement by members of the eight-state privacy enforcement consortium to put businesses on notice regarding their regulatory enforcement priorities related to noncompliance with the GPC. This sweep reinforces the three state agencies’ efforts to educate businesses on the GPC.
  • What to do next: Companies should consider promptly auditing their systems to ensure detection and honoring of GPC signals and other universal opt-out mechanisms (UOOMs).

__________

Key Points

This coordinated enforcement sweep builds on the “Consortium of Privacy Regulators” announcement earlier this year, which, as we have written, marked a shift toward joint, multistate privacy enforcement. The Consortium of Privacy Regulators is made up of eight privacy regulators in California (the CPPA and California AG), Colorado, Connecticut, Delaware, Indiana, New Jersey and Oregon and is intended to facilitate coordinated enforcement and protection of consumer privacy through collaboration.

This enforcement sweep by the California, Colorado and Connecticut AGs focuses on compliance with GPC or UOOM requirements under their respective state privacy laws. State privacy laws in California, Colorado and Connecticut, among others, grant residents of such states the right to request that businesses stop selling or sharing personal data about them for targeted advertising purposes.

In addition to other methods for accepting opt-out requests, such as “Do Not Sell or Share My Personal Information” links, businesses subject to certain state privacy laws are required to recognize a GPC signal or other UOOM as a valid request to opt out of the sale or sharing of personal data (both online and offline). The GPC signal (typically set as a browser extension or browser setting) enables consumers to broadly signal to websites that they are exercising their right to request to opt out of sales and sharing.

This current sweep demonstrates that regulators are monitoring not only formal opt-out links on websites, but also whether businesses recognize and act upon broader opt-out preference signals.

What To Do Now

This enforcement sweep is the first targeted priority undertaken by the multistate privacy enforcement consortium. The Memorandum of Understanding among the members of the Consortium of Privacy Regulators emphasized that the “fundamental similarities” across state privacy laws enable effective, cross-jurisdictional enforcement — suggesting this coordinated enforcement sweep is unlikely to be the last.

With additional coordinated enforcement likely on the horizon, companies operating across U.S. jurisdictions should anticipate additional multistate regulatory scrutiny of the areas where state privacy laws overlap.

In light of this coordinated enforcement sweep, companies should consider taking, or verifying that they have taken, the following steps:

  • Conduct a technical audit of websites and applications to confirm they are detecting and recognizing GPC signals and other UOOMs as a valid request to opt out of the sale of personal data or the sharing of personal data for targeted advertising online and offline.
  • Review existing processes for responding to consumer requests to opt out of the sale or sharing of personal data to confirm that requests receive through GPC signals and other universal opt-out mechanisms are being honored
  • Review and update as needed privacy notices to confirm they accurately describe how the company treats GPC signals and other UOOMs in practice.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.

BACK TO TOP