LawSnap
Privacy Artificial Intelligence

California Enforcement Targets Fragmented Opt-Outs

Published
Source National Law Review open_in_new
Score
10

Why it matters

Core event: In early 2026, California regulators launched the year's first major CCPA enforcement actions targeting inadequate opt-out mechanisms, with penalties exceeding $4.2 million. These included a $2.75 million settlement with Disney/ABC on February 11, 2026, for fragmented opt-outs across services and devices, and early March fines totaling $1.5 million against Ford ($0.4 million) and PlayOn Sports ($1.1 million) for failing to honor signals like Global Privacy Control (GPC) or Opt-Out Preference Signals (OOPS), imposing barriers, and not ensuring frictionless, account-wide compliance.[1][2][3][5]

Involved parties: California Attorney General Rob Bonta led the Disney settlement; CalPrivacy's Enforcement Division handled Ford and PlayOn cases. Companies faced requirements for risk assessments (mandatory since January 1, 2026, for data sellers/sharers), vendor audits, tracking inventories, and multi-year monitoring with progress reports. Legislation includes CCPA (updated regulations), California's Opt Me Out Act (AB 566, mandating OOPS by January 1, 2027), and Delete Act (enabling DROP platform from January 1, 2026).[1][2][3][4][6]

Context and timeline: CCPA has long required opt-outs from personal data sales/sharing, but 2026 rules demand real-time confirmation, data minimization, and holistic application across ecosystems—not just per-device or partial. Preceding laws like 2024's Delete Act and 2025's Opt Me Out Act addressed fragmented processes; January 1, 2026, introduced risk assessments and DROP. Enforcement signals intensified scrutiny on "dark patterns," ad-tech failures, and deception under UCL.[1][3][4][6][8][9]

Newsworthy now: As California's first 2026 actions (just weeks before April 7 headline), they set precedents for nationwide privacy amid rising AI/ad-tech use, warning businesses of escalating fines, audits, and cross-device expectations—especially timely with OOPS rollout and DROP activation.[1][2][3][5]

Sources

[1] https://www.koleyjessen.com/insights/publications/lessons-for-businesses-from-2026s-first-california-privacy-enforcement-actions
[2] https://www.potomaclaw.com/news-California-Ramps-Up-Enforcement-of-Consumer-Privacy-Opt-Out-Rights-in-2026
[3] https://natlawreview.com/article/california-enforcement-targets-fragmented-opt-outs
[4] https://privacy.ca.gov/2026/01/californias-opt-me-out-act-your-privacy-just-got-easier/
[5] https://www.cyberadviserblog.com/2026/03/a-busy-week-for-calprivacy-regulators-on-the-opt-out-front/
[6] https://www.nelsonmullins.com/insights/alerts/fcc-download/all/show-me-that-you-ve-opted-me-out-new-ccpa-rules-require-businesses-to-prove-compliance
[7] https://www.biometricupdate.com/202601/california-consumer-protection-tool-cuts-off-sale-of-personal-data-at-the-source
[8] https://www.kiteworks.com/cybersecurity-risk-management/ccpa-2026-compliance-guide-california-privacy-requirements/
[9] https://www.mediapost.com/publications/article/394908/california-issues-enforcement-advisory-on-ad-targe.html?hashid=IZA7uSulTnimoAz9RMXvmQ
[10] https://www.coblentzlaw.com/news/california-privacy-enforcement-whats-new-since-our-mid-year-privacy-report/
[11] https://vensure.com/employment-law-updates/california-to-mandate-for-business-opt-out-signals-for-consumers-in-browsers-and-mobile-systems-2/
[12] https://cppa.ca.gov/announcements/2025/20251217.html
[13] https://www.feedzai.com/pressrelease/feedzai-the-knoble-human-trafficking-world-cup/
[14] https://www.bakerlaw.com/insights/california-privacy-in-2026-regulations-enforcement-ai-and-more/
[15] https://www.onetrust.com/blog/the-privacy-operations-gap-what-privacy-leaders-do-differently/
mail

Get notified about new Privacy developments

Primary sources. No fluff. Straight to your inbox.

Related

View all Privacy

See more entries tagged Privacy.

Also on LawSnap

Litigation

Contracts

Compliance

Legal Intelligence