The California Attorney General has announced its second CCPA enforcement settlement arising from its 2024 investigative sweep of streaming services — and this one is record-breaking.
The $2.75 million fine against an unnamed multiplatform entertainment company is the largest CCPA settlement in the law’s history, more than five times the size of the previous streaming-sweep action and over $1 million more than any prior AG settlement. The complaint cuts to the heart of a pattern California regulators have made their primary enforcement target: failing to honor consumers’ right to opt out.
This is not an isolated action. It is the latest installment in an escalating enforcement trajectory that every business collecting and sharing California consumer data should be paying close attention to.
What the Company Did Wrong
The complaint paints a sharp picture of asymmetry. The company had the technical sophistication to link consumers across devices and services for advertising purposes — and actively promoted that capability to potential advertisers. But when a consumer exercised their CCPA right to opt out of data sales and sharing, that same capability suddenly disappeared.
In practice, a consumer would have had to opt out up to 10 separate times to fully stop the company from selling or sharing their data across all devices and services connected to their account. If they tried to opt out through a mobile app, they were redirected to a web form — one that didn’t actually opt them out on the app itself.
The AG’s complaint named four specific CCPA violations:
- Selling and sharing personal information after receiving an opt-out — continuing to transact consumer data even after receiving a valid direction to stop.2. Failing to treat opt-out preference signals (OOPS) as valid opt-out requests — not honoring Global Privacy Control and similar browser-based signals as the law requires.3. Failing to provide easy-to-use methods requiring minimal steps — creating a fragmented, multi-step process that effectively discouraged consumers from completing an opt-out.4. Failing to provide an opt-out method appropriate to the company’s primary interaction channel — specifically, failing app-based users by routing them to a web form that didn’t work.
The AG’s framing here matters. The complaint did not just allege technical CCPA violations — it also brought a claim under California’s Unfair Competition Law (UCL), arguing the company’s broken opt-out process constituted consumer fraud. That elevation from compliance failure to affirmative deception is a significant signal of where enforcement is heading.
The AG stated directly: “if a business can associate a consumer’s devices with the consumer for advertising purposes, it can and must associate those devices with the consumer for purposes of honoring the consumer’s opt-out rights.”
What the Settlement Requires
Beyond the $2.75 million fine, the injunction provisions are detailed and demanding. They effectively require the company’s privacy compliance infrastructure to match the sophistication of its advertising infrastructure — a principle that will reverberate across the industry.
Key remediation requirements include:
Opt-Out Process: The company must implement a consumer-friendly, easy-to-use opt-out process requiring minimal steps. This includes honoring OOPS signals, ceasing all data sales and sharing upon opt-out, and applying that choice across all connected services on the consumer’s logged-in account — not just the device or service where the request was made.
Confirmation: The company must provide consumers with a way to verify their opt-out request was actually processed.
User Interface Design: Choice architecture and UX design cannot impair consumer decision-making. Dark patterns in the opt-out context are now explicitly codified as actionable violations.
Third Parties: Upon receiving an opt-out, the company must notify all third parties and direct them to comply.
Children: Existing protections for minors must be maintained. Notably, the AG found these adequate — suggesting enforcement scrutiny here was secondary to the opt-out failures.
Reporting timeline: The company must report progress on updating its opt-out procedures to the AG within 60 days, and continue reporting every 60 days until all services are compliant. Within 180 days — and for three consecutive years thereafter — the company must maintain a formal program to assess opt-out effectiveness and report results to the AG annually.
That three-year accountability window is not window dressing. It means the AG will have ongoing visibility into whether remediation actually sticks.
Why This Matters Beyond the Headlines
Every CCPA enforcement action to date has involved the right to opt out. This settlement makes that pattern impossible to ignore. The AG is not chasing obscure technical edge cases — it is methodically building precedent around the most fundamental consumer right in the law, and it is raising the stakes each time.
For compliance teams, the practical takeaways are unambiguous:
Your opt-out must work everywhere, not just somewhere. Logged-in users who opt out on one device must have that choice reflected across every device and service tied to their account. Piecemeal opt-outs are not opt-outs.
GPC is not optional. Failing to honor opt-out preference signals like Global Privacy Control is a named violation — a point California has been reinforcing through coordinated multi-state sweeps. See our coverage of CalPrivacy’s 2025 enforcement blitz and the joint GPC investigative sweep.
The UCL framing changes your risk calculus. When broken opt-outs become consumer fraud under state unfair competition law, the exposure is no longer confined to CCPA civil penalties — it opens the door to broader litigation and reputational harm.
Dark patterns are now explicitly on the table. If your opt-out is buried, confusing, requires more steps than your opt-in, or routes users to a form that doesn’t actually work, you are not compliant. Honda’s $632,500 fine was partly the result of exactly this kind of asymmetry — making opt-out harder than opt-in.
If you can identify users for ads, you can identify them for opt-outs. The AG is not accepting “technical limitations” as an excuse when the same technical capabilities are deployed to generate revenue.
The Broader Enforcement Trajectory
This settlement doesn’t exist in a vacuum. It is part of a systematic and escalating enforcement campaign. California regulators levied their then-record $1.55M fine against Healthline Media in July 2025 for opt-out failures and misuse of consumer health data. Tractor Supply faced a $1.35M penalty for ineffective opt-out mechanisms. The AG and CPPA are building a body of enforcement precedent that is increasingly operational in nature — not just defining what the law says, but dictating exactly how compliance must be implemented.
The $2.75M figure today will not be the record for long. Businesses that rely on behavioral advertising, cross-device targeting, or third-party data sharing should treat this settlement as a compliance blueprint, not just a news story.
Practical Action Items
If your organization operates in California and engages in the sale, sharing, or cross-context behavioral advertising of personal information, now is the time to audit:
- Does your opt-out work on every device and every service tied to a consumer account?- Are you honoring GPC signals as valid opt-out requests — everywhere, not just on desktop?- Does your opt-out UX require more steps than your opt-in?- Are app-based users able to complete an opt-out from within the app?- Do you notify and bind third parties when a consumer opts out?- Can consumers confirm their opt-out was actually processed?
For a foundational overview of CCPA rights and obligations, see our CCPA guide and our comprehensive U.S. state privacy law comparison.
The California AG has made its position clear: a technically broken opt-out isn’t a compliance gap — it’s consumer fraud. Build accordingly.
ComplianceHub.wiki covers privacy law enforcement, CCPA/CPRA compliance, and cybersecurity regulatory developments. Follow us for ongoing coverage of the California AG’s streaming services enforcement sweep and the CPPA’s expanding investigative activity.