State privacy regulators continue to focus on consumers’ rights to opt out of the sale of personal information and targeted advertising, signaling that this issue remains a top enforcement priority across the United States.
As comprehensive state privacy laws mature, regulators are increasingly emphasizing not just the existence of opt‑out mechanisms, but whether businesses are properly honoring them in practice, particularly when those signals are conveyed through universal opt‑out tools such as the Global Privacy Control.
Opt‑Out Rights Are a Core Feature of State Privacy Laws
Most state consumer privacy laws require businesses to provide individuals with the right to opt out of certain data processing activities, including the sale of personal information and the use of personal data for targeted advertising. These obligations are now common across state privacy frameworks.
Many of these laws require businesses to recognize and honor universal opt‑out preference signals. Tools such as the Global Privacy Control allow consumers to exercise their opt‑out rights automatically through browsers, without having to submit individual requests to each business they interact with.
Joint Enforcement Activity Highlights Growing Scrutiny
In September 2025, regulators in California, Colorado, and Connecticut reinforced the importance of these obligations by announcing a joint investigative privacy sweep focused on universal opt‑out compliance. The coordinated effort examined whether businesses were properly detecting, processing, and honoring opt‑out preference signals across their digital properties.
The announcement emphasized that universal opt‑out mechanisms play a critical role in ensuring consumers can easily and effectively exercise their rights. The participating attorneys general noted that failures to recognize or implement these signals may constitute violations of state privacy laws, particularly where companies continue targeted advertising or data sales despite receiving valid opt‑out signals. This multistate action reflects a broader trend toward cross jurisdictional coordination, allowing regulators to share expertise and amplify enforcement impact in areas of shared concern.
California Continues to Enforce Preference Signal Obligations
California, in particular, has continued to announce various enforcement actions under the California Consumer Privacy Act (CCPA) that underscore the importance of properly processing opt-out signals.
For example, earlier this year, California announced an enforcement action against Disney, which included allegations related to failures in adequately honoring consumer privacy preferences, such as opt‑out signals across its Disney+, Hulu, and ESPN+ streaming services. Despite linking consumer devices and data for targeting consumers with ads, the California Privacy Protection Agency found that Disney failed to link those same devices and data when it came to complying with consumers’ exercise of their opt-out rights. This resulted in a $2.75 million settlement.
Connecticut Signals Continued Focus on Universal Opt‑Outs
Connecticut regulators have echoed this enforcement emphasis. In its 2025 Data Privacy Act enforcement report, the Connecticut Office of the Attorney General explicitly identified universal opt‑out preference signals as a primary area of regulatory focus. The report indicates that enforcement staff are closely reviewing whether businesses honor opt‑out signals consistently and in accordance with statutory requirements.
Takeaways for Businesses
Taken together, recent regulatory actions demonstrate that states are moving beyond education and into sustained enforcement around opt‑out rights and targeted advertising. Businesses subject to state privacy laws should evaluate whether they:
- Properly detect universal opt‑out signals, such as the Global Privacy Control;
- Consistently apply those signals across advertising and data sharing workflows;
- Align internal teams, vendors, and technologies to prevent continued processing after an opt‑out is received; and
- Regularly test and audit opt‑out functionality to ensure ongoing compliance.
If you have questions about universal opt-out mechanisms or consumers’ right to opt out of targeted advertising, Taft’s Privacy, Security & AI attorneys are available to assist. As always, please sign up to receive emails of our latest posts here on Privacy and Data Security Insights, and follow us on LinkedIn for the latest in privacy, security and artificial intelligence legal news.