Vault Door

California Privacy Enforcement: What’s New Since Our Mid-Year Privacy Report

By Scott Hall and Phillip Wiese

This update is intended as a follow-up to the Coblentz 2025 Mid-Year Privacy Report’s discussion of California privacy enforcement themes.

Since our 2025 mid-year privacy report highlighted the CPPA’s (now CalPrivacy’s) early enforcement playbook (Honda and Todd Snyder) and the California Attorney General’s landmark Healthline settlement, California regulators have kept up the pace into early 2026. Recent enforcement matters confirm that regulators are less interested in “paper compliance” than whether consumer choices actually work across real-world tech stacks, devices, and vendors. They also show expanding attention to (1) streaming/CTV ecosystems, (2) mobile apps (including youth data), (3) job applicant/employee-related data, and (4) data broker obligations under the Delete Act.

Below is a brief summary of new enforcement actions and an analysis of enforcement themes.

Recent Enforcement Actions and Developments

  • Disney: “Account-wide” opt-outs across services and devices are expected and required.

    In February 2026, the California Attorney General announced a $2.75 million settlement with Disney entities tied to Disney’s streaming ecosystem. The core allegation was functional—namely, that consumers would try to opt out through toggles, a webform, or Global Privacy Control (GPC), but those signals allegedly did not fully propagate across the “bundle” of services and devices tied to the consumer’s account—leaving gaps where sale/sharing continued. This is the clearest statement yet (in enforcement posture) that if a business can link devices/services to a consumer for advertising or measurement, regulators expect it to be able to link those same devices/services to the consumer’s privacy elections—and to do so comprehensively.

  • PlayOn Sports: CalPrivacy tackles opt-out mechanisms on a high school sports website.

    In March 2026, CalPrivacy announced a $1.10 million decision against PlayOn Sports, a media company that sells digital tickets to certain high school events, including football games, theater performances, and school dances. According to CalPrivacy, in order to use the website, high school students were required to agree to the use of tracking technology and collection of personal information without a meaningful way to opt out of that data collection. This enforcement action represented CalPrivacy’s first foray into enforcing the CCPA expressly on behalf of minors, with the agency describing the high school students as a “uniquely vulnerable population.”

  • Ford Motor Co.: Opt-out requests need not be verified.

    In March 2026, CalPrivacy also announced a $375,000 decision against Ford Motor Company, finding that the automaker created “unnecessary friction” by improperly processing consumer requests to opt out of the sale or sharing of personal information. In particular, Ford used a standardized form for all CCPA requests, including the right to opt out, and then required consumers to respond to a follow-up email to verify their identity. While companies can require verification for certain CCPA requests, including the rights to know, correct, and delete, the CCPA does not provide a similar verification process for opting out of data selling or sharing. Companies may consider utilizing different workstreams for opt-out requests and other CCPA-related requests to avoid this issue.

  • Tractor Supply Co.: Opt-out mechanisms must work properly.

    In September 2025, CalPrivacy announced a $1.35 million decision against rural lifestyle retailer Tractor Supply Company after a single consumer reported the Tractor Supply privacy practices to the agency. CalPrivacy determined that Tractor Supply violated the CCPA in numerous ways. Critically, the CalPrivacy decision stated that Tractor Supply had a webform that did not in practice allow consumers to opt out of the sale or sharing of personal information. According to CalPrivacy, consumers could fill out a webform purporting to allow them to opt out of data sharing/selling, but Tractor Supply took no action to effectuate those requests. Additionally, CalPrivacy stated that Tractor Supply lacked CCPA-compliant contracts with service providers and other third parties, and that Tractor Supply did not provide all requisite notices under the CCPA, including to job applicants. As a result of these issues, Tractor Supply received the largest fine levied to date by CalPrivacy.

  • Jam City: Don’t forget about mobile app opt-outs and under-16 protections.

    In November 2025, the AG announced a $1.4 million settlement with a mobile app gaming company. The AG’s announcement emphasized two points: (1) if personal information is sold/shared through mobile apps, consumers need compliant opt-out methods in-app, and (2) the CCPA’s heightened protections for consumers under 16 (affirmative opt-in for sale/sharing) are an active enforcement area. This builds directly on the mid-year theme that enforcement is moving from websites into the app ecosystem and is increasingly focused on whether the consumer experience is simple and effective.

  • CalPrivacy (CPPA): Delete Act/data broker enforcement.

    In January 2026, CalPrivacy announced enforcement actions against a marketing firm and a technology firm for each failing to register as a data broker. CalPrivacy claimed that the marketing firm was selling personal information about individuals with certain health conditions for targeted advertising and emphasized that simply packaging personal information into “custom audiences” or value-added products does not avoid data broker obligations. This connects to the broader enforcement theme that regulators are looking through form to function: if the business model involves the buying or selling of consumers’ personal information, it must comply with the CCPA and the Delete Act.

Privacy Enforcement Themes to Keep Top of Mind

  • Regulators expect “functional” opt-outs, including end-to-end propagation across vendors, devices, and services. These latest enforcement actions make clear that the regulators expect companies to create a straightforward and streamlined consumer opt-out process. If, for example, a consumer opts out of data sharing/selling, that request must be fulfilled across the company’s entire ecosystem unless the consumer specifically limits the request. The company cannot unilaterally exempt certain verticals or parts of the business. Additionally, the opt-out methods must meaningfully allow consumers to opt out of data sharing/selling. Webforms, Global Privacy Controls, and other opt-out methods must be checked regularly to ensure functionality. The regulators have been quick to act where those methods do not work as expected.
  • Regulators expect low-friction user experience—and will treat friction as a compliance risk. Both CalPrivacy and the AG have focused on the specific opt-out mechanisms for data collection or data selling/sharing, targeting companies that appear to have made it difficult or impossible to opt out of data sharing/selling and still use mobile apps. For example, the regulators have looked unfavorably on cookie banners that cover critical website functions and that must be accepted before the consumer can use the website. This is especially the case where the user must accept cookies, rather than choosing whether to accept or reject cookies. And on the topic of cookie banners, companies should consider evaluating their cookie banners to ensure symmetry of choice for both allowing and rejecting cookies.
  • Youth and sensitive-context data remain high priority. CalPrivacy noted in its announcement of the PlayOn decision that students are “uniquely vulnerable,” and any websites they use should not “fuel advertising and commercial surveillance” at the expense of enhancing their educational opportunities. Similarly, the AG has cracked down on companies allegedly selling children’s information as well as disseminating sensitive consumer health information. Companies should consider reviewing their data collection practices to determine whether they collect, share or sell these types of data, and if so, evaluate whether proper disclosures are in place.

Your Key Next Steps

  • Audit your opt-out functionality across all web, mobile, and platform integrations and ensure a consistent and defensible approach. The opt-out process should be straightforward and streamlined.
  • Inventory service provider / contractor / third-party contracts for required restrictions and flow-down obligations—especially in advertising and analytics. The regulators continue to monitor the adequacy of the contracts governing these relationships.
  • Reassess youth and student-data touchpoints, including age-gating logic, opt-in mechanisms, SDK behavior, retention, and security controls.
  • Evaluate data broker status (including “custom audience” and profiling services) and confirm registration/fees where required. Additionally, prepare for an influx of Delete Request and Opt-out Platform (DROP) requests. DROP was released to the public in January, and data brokers must begin deleting data within 90 days, starting August 1, 2026.
  • Don’t forget about applicant/HR privacy. Because employees and job applicants are covered by the CCPA, take time to review or revise notices and rights processes for those individuals.