Alerts 2.17.26
California Enforcement Targets Fragmented Opt-Outs

Highlights
- On Feb. 11, 2026, the California Attorney General announced a $2.75 million settlement — the largest California Consumer Privacy Act (CCPA) settlement to date — against a major consumer digital media/streaming company. The settlement resolved allegations that its opt-out implementation under the CCPA was incomplete, disjointed, and misleading, resulting in ongoing sale/sharing for targeted advertising even after consumers attempted to opt out.
- The settlement is reportedly part of a broader investigative sweep of streaming services’ opt-out practices, signaling continued enforcement focus on cross-context behavioral advertising pipelines.
- The complaint’s central theory is straightforward: The company allegedly built robust cross-device identity linking to maximize targeted advertising value but did not use that same identity resolution to ensure that an opt-out request (via a webform, in-app toggle, or Global Privacy Control (GPC)) propagated across brands, systems, and devices, as required.
- The enforcement action suggests that regulators expect opt-outs to “follow the identity graph.” If a business uses account-based or cross-device identity resolution to enhance advertising value, it must use that same infrastructure to ensure opt-out requests fully propagate across brands, devices, vendors, and data flows; partial suppression will be treated as noncompliance.
The pleading emphasizes that any opt-out mechanism must stop all sale/sharing, not merely one portion of the business’s advertising ecosystem. It also underscores that opt-outs must be easy, minimal-step, and implemented in the channel where the business primarily interacts with consumers (including app-based environments).
