Key point: The investigative sweep is part of a growing multistate approach to privacy enforcement actions.

On September 9, the California Privacy Protection Agency (CPPA) announced that it has initiated a joint regulatory sweep in collaboration with attorneys general (AG) from California, Colorado, and Connecticut. The sweep will target businesses’ compliance with legal requirements associated with recognition of opt-out preference signals (OOPS) and universal opt-out mechanisms (UOOMs) that consumers can use to exercise their right to opt out of online tracking technologies (i.e., targeted advertising, sales, or sharing).

UOOMs and OOPS

UOOMs refer to a range of tools that simplify the process for a consumer to exercise their privacy preferences across multiple online platforms, services, and browsers by sending a standardized signal to the website through the consumer’s browser. States recognize different tools and occasionally use different terms to describe these UOOMs (e.g., global opt-outs, standardized opt-outs, privacy preference tools, etc.). California and Colorado explicitly require companies to recognize and honor signals from one of the most popular tools, the Global Privacy Control (GPC). Connecticut, on the other hand, requires companies to honor consumer privacy preferences through any UOOM tool, so long as the mechanism is similar to other UOOM tools required by any other state or federal regulatory framework.

The GPC technical specifications were developed in 2020. GPC functions as a ‘stop selling or sharing my data switch’ that is the technological equivalent to a do-not-call list for telemarketers. When individuals use certain browsers like DuckDuckGo, or browser extensions, like Privacy Badger, they send the GPC signal to all websites they visit. By default, businesses are then required to opt the user out of online sales/shares/targeted advertising. This is in lieu of users having to exercise their opt-out rights at every website they visit.

The Regulatory Framework

The California Consumer Privacy Act (CCPA) was the first privacy law to require websites to honor consumer privacy preferences communicated to the company through UOOM signals. By 2021, the California AG’s office — then the primary CCPA enforcement authority — updated its CCPA FAQs to state that businesses must recognize the GPC signal as an OOPS. Then, in August 2022, the California AG brought the first CCPA enforcement action against Sephora for alleged violations of the CCPA’s “Do Not Sell” provision by ignoring GPC signals and failing to offer any opt-out mechanisms. 

In June 2023, the Colorado AG’s office followed California’s lead and engaged in a stakeholder process to identify UOOMs acceptable under the requirements of the Colorado Privacy Act (CPA) and determined that GPC was the only recognized UOOM.

Colorado became the second state to require companies to honor UOOM opt-outs in July 2024. The Connecticut AG’s office followed suit, updating its Connecticut Data Privacy Act (CTDPA) FAQs to state that controllers must recognize GPC as a valid UOOM under that state’s law.

Twelve of the 19 state consumer data privacy laws now require covered entities to recognize UOOMs, although the requirement in some state laws — like Oregon and Delaware — is not yet in effect. Regulators recognize that these mechanisms are an important tool for consumers to exercise privacy rights and increasingly require companies to honor them.  

The Investigative Sweep

As is relevant to this investigative sweep, the CCPA’s regulations require businesses to recognize opt-out preference signals from consumer browsers and treat them as requests to opt out of the sale or sharing of personal information. Similarly, the CPA mandates that businesses processing personal data for “targeted advertising” must allow consumers to opt out via a “user-selected universal opt-out mechanism.” The CTDPA aligns with the CPA’s requirements.

The joint sweep by California, Colorado, and Connecticut is intended to ensure companies are honoring GPC. Regulators from those states have already issued letters to companies that are not in compliance, and noncompliance may result in significant financial exposure. Further, as we discussed in our recent article, changes to the CCPA’s regulations will soon require companies to affirmatively disclose to users that the website recognizes the user’s GPC signal.

The announcement of this joint sweep is part of a trend by state regulators collaborating to address privacy issues arising from the use of digital technologies. Although California regulators have been at the forefront of regulating privacy issues, other states, including Colorado and Connecticut, are joining in by collaborating on the sharing of information, technology, knowledge, and resources to regulate how companies collect, process, and share consumer information. This trend is also highlighted by the AGs from seven states who formed a collaborative privacy enforcement group last April, the “Consortium of Privacy Regulators.” The consortium includes California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon. This initiative is aimed at addressing existing and anticipated gaps in federal privacy enforcement and is evidence of continuing collaboration among and between state AGs who seek to protect the privacy of their constituents.

Troutman Pepper Locke State Attorneys General Team

	Ashley Taylor – Co-leader and Firm Vice Chair Ashley is co-leader of the firm’s nationally ranked State Attorneys General practice, vice chair of the firm, and a partner in its Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He helps his clients navigate the complexities involved with multistate attorneys general investigations and enforcement actions, federal agency actions, and accompanying litigation.
	Clay Friedman – Co-leader Clay co-leads the firm’s State Attorneys General practice and is nationally ranked by Chambers USA for AG Government Relations and in Best Lawyers for Advertising Law. He has dedicated his entire career to state attorney general and federal work, serving for nearly a decade in a senior role and more than 25+ years in private practice. Clay focuses his practice on helping industry-leading companies mitigate the risks associated with state and federal regulatory investigations and associated litigation.
	Chris Carlson Chris advises clients on regulatory, civil, and criminal investigations and litigation. With a background as an assistant attorney general, he provides practical guidance to clients with matters involving state attorneys general and federal regulatory agencies.
	Lauren Fincher Lauren has vast experience handling state attorneys general investigations, navigating complex regulatory compliance matters, and providing strategic counsel in enforcement actions across various industries. She helps clients manage high-stakes regulatory matters and guides them through complex legal landscapes.
	Stephen Piepgrass Stephen leads the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, representing clients in single and multistate enforcement actions, including inquiries and investigations, as well as litigation involving state attorneys general and other state and federal governmental enforcement bodies. He has significant experience handling actions with federal agencies, including the CFPB and FTC, as well as single plaintiff and class action litigation for clients in highly regulated sectors such as financial services, health care, pharmaceutical, and education.
	Michael Yaghi Mike handles high-profile state attorneys general, FTC, and CFPB investigations by advising clients through these complex government inquiries. He assists clients through the entire life cycle of investigations, from regulatory enforcement through formal litigation.
	Samuel E. “Gene” Fishel Gene is a former regulator with two decades of experience who has overseen state privacy and cybersecurity regulation enforcement, led national, multistate attorneys general privacy investigations, and prosecuted computer crimes at the state and federal levels. He has served at the forefront of state attorney general and federal enforcement, and utilizes this experience to proficiently represent client interests.
	Jay Myers Jay assists clients in heavily regulated industries, including health care, energy, insurance, emerging industries, and data privacy. He provides both regulatory legal advice and government relations strategies. Jay’s past and current clients include Fortune 10 companies, startups, nonprofits, industry associations, and advocacy groups. Recognizing that state government matters are often complex and multifaceted, he utilizes regulatory guidance, government advocacy, or both in tandem to deliver tailored solutions for each client’s unique needs.
	Jessica Birdsong Jessica is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group. She received her J.D. from the University of Richmond School of Law, magna cum laude, where she served as associate articles editor of the Journal of Law & Technology.
	Blake R. Christopher Blake collaborates with clients on matters related to government contracting, investigations, and disputes. His senior-level government experience generates valuable insights and strategies for clients across a variety of industries.
	Nick Gouverneur Nick is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group. He received his J.D. from the University of Illinois College of Law, where he served as a member of the Journal of Law, Technology & Policy.
	Troy Homesley Troy is an accomplished litigator who has represented and defended clients across a wide range of complex, high-stakes disputes at both the trial and appellate levels. He has represented technology companies, business executives, law firms, investment funds, high-ranking federal officials, international non-profits, and asylum seekers. Troy draws on his broad litigation experience to advise clients before litigation arises, while claims are pending or threatened, and leading up to and through trial and appeals.
	Natalia Jacobo Natalia is an associate in the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) practice, based on the West Coast. She routinely counsels clients on a variety of state and federal regulatory matters, with a particular emphasis on consumer protection and data privacy matters.
	Namrata Kang Namrata (Nam) is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, based in the Washington, D.C. office. She routinely advises clients on a wide variety of state and federal regulatory matters, with a particular emphasis on state consumer protection laws relating to consumer financial services and marketing and advertising. Nam’s experience transcends multiple industries, including financial services, telecommunications, media, and sports betting.
	Michael Lafleur Michael is an associate in the firm’s Regulatory Investigations, Strategy, and Enforcement Practice Group. Based out of the firm’s Boston office, Mike has deep experience in litigation, investigations, and other regulatory matters involving state-level regulators and state attorneys general.
	Lane Page Lane specializes in federal and state regulatory investigations and complex civil litigation. He focuses on representing financial institutions and other businesses, with a particular emphasis on consumer protection and fair lending issues.
	Dascher Pasco Dascher is an attorney within the Regulatory Investigations, Strategy, and Enforcement practice, based in the Richmond office. She joined our firm after working in personal injury and medical malpractice for a Virginia trial law firm. Dascher brings varied legal experience to the firm with strong litigation and regulatory strategy capabilities.
	Kyara Rivera Rivera Kyara is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group. She received her J.D. from the University of Richmond School of Law, cum laude, where she served as publications and online editor of the Public Interest Law Review.
	Trey Smith Trey focuses his practice on representing and advising regulated utilities before state public utility commissions. He routinely helps clients obtain certificates of public convenience and necessity for transmission infrastructure. In this role, Trey works with his clients’ subject-matter experts to manage administrative proceedings, including by preparing initial filings; responding to discovery requests; drafting rebuttal testimony; and litigating any disputed issues.
	Daniel Waltz Dan helps clients navigate all aspects highly regulated relationships between industry participants and federal, state and local governments. Whether engaging with regulators, negotiating transactions or representing clients in the courtroom, he delivers solutions that help his clients achieve their strategic goals.
	Cole White Cole is a member of the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) group. He has a decade of experience working in the attorney general community, having joined the firm from the Wyoming Office of the Attorney General, where he was assistant attorney general.
	Stephanie Kozol Stephanie is Troutman Pepper Locke’s senior government relations manager in the state attorneys general department.