Regulators Launch Coordinated Enforcement Sweep on Website Opt-Out Mechanisms

On September 9, 2025, California Attorney General Rob Bonta, together with the California Privacy Protection Agency and the Attorneys General of Colorado and Connecticut, announced a joint enforcement sweep targeting businesses that fail to honor the Global Privacy Control (GPC). Regulators sent and will continue to send warning letters to companies that appear not to be processing consumer requests to opt out of data sales and targeted advertising, signaling heightened scrutiny and a coordinated, nationwide approach to enforcement.

What Is the GPC and Why It Matters

The GPC is a browser setting or extension that automatically communicates a consumer’s request to opt out of the “sale” or “sharing” of their personal information. Under laws in California, Colorado, Connecticut, and a growing list of other states (Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas), businesses are required to honor this signal.

In practice, the GPC means that if a consumer has the setting enabled, your website must block or suppress cookies, pixels, and other tracking technologies that involve data sales or targeted advertising. Examples of technologies commonly used for targeted advertising include Meta Pixel, Google Ads and DoubleClick/Google Marketing Platform, TikTok Pixel, and Microsoft/Bing Ads UET Tag, among others. If these tools remain active when a consumer sends a GPC signal, your company may be out of compliance.

As detailed in Coblentz’s 2025 Mid-Year Privacy Report, enforcement attention to GPC sits against the backdrop of a growing wave of privacy litigation. Plaintiffs are testing whether modern tracking technologies (such as pixels, session-replay tools, and chat integrations) can be shoehorned into legacy statutes like the California Invasion of Privacy Act (CIPA) and the Video Privacy Protection Act (VPPA). Courts have issued conflicting rulings, and California has even advanced legislation (SB 690) to rein in expansive CIPA theories. The takeaway from this is that regulators view GPC as a clear compliance obligation, while plaintiffs’ lawyers are probing the same ecosystem of cookies and pixels from a different angle. Companies that shore up GPC compliance are addressing not only a regulatory expectation but also reducing exposure to lawsuits.

Compliance Steps to Take Now

Check GPC compliance with your web development/IT team: Confirm your website and cookie management tools detect and honor the GPC signal.
Review tracking technologies: Revisit how cookies, pixels, and other technologies are classified, and keep in mind that U.S. “sale” and “targeted advertising” rules do not always map to EU-style categories.
Test suppression: Verify that enabling GPC suppresses cookies and pixels used for sales or targeted ads.
Validate across states: Test the signal to ensure compliance not only in California but also in the other states requiring GPC recognition.

If your company uses third-party advertising or analytics tools like Meta Pixel, Google Ads, or DoubleClick, regulators expect you to be honoring GPC signals today. With this coordinated enforcement sweep underway, now is the time to test, document, and shore up compliance across all applicable jurisdictions.

Please reach out to the Coblentz team for further information or assistance.