The California Privacy Protection Agency spent 2024 and most of 2025 building its enforcement infrastructure. In 2026, it is using it.

The first quarter of 2026 produced a wave of enforcement decisions from both the CPPA and the California Attorney General against companies across industries — retail, automotive, media, youth sports — with fines totaling several million dollars and remediation orders that required fundamental changes to how those companies handled consumer privacy choices.

The pattern across these cases is not about exotic compliance failures. It is about the gap between what companies say they do and what their technology actually does. The CPPA is testing opt-out mechanisms in real browsers, on real devices, across real advertising and analytics vendor stacks. When the mechanism fails the technical test, the fine follows.


The Enforcement Record: Q1 2026

Disney and ABC — $2.75 Million

On February 11, 2026, California Attorney General Rob Bonta announced a $2.75 million settlement with Disney and ABC — the largest CCPA enforcement settlement to date.

The Disney case originated from an enforcement sweep the AG’s office conducted in January 2024, targeting streaming services and connected television (CTV) platforms for potential CCPA violations. Disney and ABC’s streaming properties were among the targets.

The violations: Disney’s streaming platforms and ABC’s digital properties used tracking technologies — primarily third-party advertising pixels and SDKs — to collect personal information from users and share it with advertising partners, analytics companies, and social media platforms. That sharing constituted a “sale” or “sharing” of personal information under CCPA, triggering opt-out rights.

The CCPA opt-out mechanism on Disney’s properties was found to be non-compliant: consumers who exercised their opt-out rights were not actually opted out of the downstream data flows to advertising vendors embedded in the streaming platform. The technical architecture — third-party SDKs that transmitted data to advertising networks — continued operating after the opt-out signal was recorded, because the opt-out affected the first-party data layer but not the SDK-level data transmissions.

This is the central technical compliance failure in the Disney case: a disconnect between what the privacy preference center recorded and what the advertising technology stack actually did.

Tractor Supply Company — $1.35 Million

The nation’s largest rural lifestyle retailer was required to pay a $1.35 million fine and implement remediation measures for CCPA violations.

Tractor Supply’s violations followed a similar pattern: the company’s website used advertising tracking technologies that shared customer data with third-party ad networks, without providing a compliant opt-out mechanism for that sharing. The company’s privacy choices interface did not translate into actual opt-out signals to the downstream recipients of the data.

PlayOn Sports — $1.1 Million

On March 3, 2026, the CPPA Board issued a decision requiring PlayOn Sports — a youth sports media platform — to pay $1.1 million and change its practices.

The PlayOn case was notable for two reasons. First, it involved a youth-oriented platform, adding a layer of heightened scrutiny given the CCPA’s enhanced protections for consumers under 16 and the broader regulatory attention to children’s data. Second, the CPPA’s investigation found that PlayOn collected personal information using tracking technologies and shared it with advertising, social media, and analytics partners specifically to provide targeted advertising — without giving consumers an effective mechanism to opt out of that sharing.

The “effective” standard matters. PlayOn had an opt-out mechanism, but the CPPA found it was not effective: it did not reach all of the downstream third parties receiving the consumer’s data, and the mechanism itself was not operationally integrated with the advertising platform in a way that would have given the opt-out signal its intended effect.

American Honda Motor Co. — $632,500

American Honda was required to pay $632,500 and change its data handling practices for CCPA violations. The Honda case followed the same structural pattern: tracking technologies embedded in Honda’s digital properties sharing consumer data without compliant opt-out.

Ford Motor Company — $375,000

The Ford case introduced a specific finding that is not yet widely understood as an enforceable legal standard: unnecessary friction.

The CPPA found that Ford created “unnecessary friction” in its privacy opt-out process — making it unreasonably difficult for consumers to exercise their opt-out rights compared to the ease of the consent pathway. The specific friction elements were not fully detailed in public-facing documents, but the CPPA’s reasoning reflects the principle that CCPA’s right to opt-out must be as accessible as the initial data collection or consent — burying opt-outs behind multiple pages, requiring account logins, or imposing confirmation steps that are not required for consent all create the kind of friction the CPPA is prepared to fine.

Todd Snyder — $345,178

The clothing retailer was required to pay $345,178 for CCPA opt-out and consumer notice failures, continuing the pattern of the Q1 2026 enforcement wave.


The Enforcement Themes

Across these cases, several consistent patterns emerge.

1. “Paper Compliance” Does Not Protect You

Every company in the Q1 2026 enforcement wave had a privacy policy. Most had opt-out mechanisms. None of that protected them from enforcement.

The CPPA is not conducting document reviews — it is conducting technical inspections of whether the documented compliance obligations are actually working in the production environment. The Disney case is the clearest illustration: an opt-out mechanism that recorded the consumer’s preference in a privacy center but failed to propagate that preference to the third-party advertising SDKs operating in the same browser session is not a compliant opt-out mechanism.

Building a privacy preference center and publishing a compliant-sounding privacy policy satisfies neither the letter nor the spirit of CCPA. The mechanism must actually work.

2. Connected TV and Streaming Ecosystems Are Under Scrutiny

The Disney enforcement action was the product of a targeted CTV sweep by the AG’s office. The investigative focus on streaming platforms was deliberate: CTV has emerged as one of the most data-intensive advertising environments, with third-party tracking embedded at the platform level and reaching consumers who may not be aware of its scale.

Organizations operating streaming or CTV properties — including media companies, smart TV manufacturers, OTT streaming services, and ad-supported app developers — should treat the Disney action as a direct signal. The AG’s office has demonstrated both the capability and the willingness to investigate this ecosystem specifically.

3. Auto Industry Data Practices Are a Specific Target

Two automotive manufacturers — Ford and Honda — appeared in the Q1 2026 enforcement wave. This is not coincidental. The auto industry has emerged as a focus of state and federal privacy enforcement because modern connected vehicles collect an extraordinary volume of data — location, driving behavior, biometrics, voice recordings, charging patterns — and the consumer consent and opt-out frameworks for that data are frequently underdeveloped.

The California AG’s office has broader investigations in the automotive sector beyond the Ford and Honda actions. Auto manufacturers, fleet operators, and automotive technology companies should expect continued enforcement attention.

4. “Unnecessary Friction” Is Now an Enforcement Category

The Ford case’s “unnecessary friction” finding is legally significant beyond the specific fine amount. It establishes that creating an asymmetric experience — easy to consent, hard to opt out — is a CCPA violation.

The practical compliance implication: measure the consumer experience of your opt-out pathway the same way your marketing team measures conversion on the consent pathway. Count the clicks, the pages, the form fields, the authentication requirements. If opting out requires materially more effort than the original consent or data collection experience, you have an unnecessary friction exposure.

5. Youth Platforms Face Heightened Risk

The PlayOn Sports enforcement action reinforces what has been a consistent regulatory priority: platforms that serve or are accessible to consumers under 16 face enhanced CCPA obligations and enhanced regulatory attention. The combination of advertising tracking technology and youth-oriented content was specifically flagged in the PlayOn findings.

Organizations serving youth audiences need to treat the CPPA’s heightened scrutiny as a planning assumption. Opt-out mechanisms need to be tested more rigorously, third-party advertising technology needs to be audited for CCPA compliance before deployment, and the data flows to advertising and analytics partners need to be mapped and controlled.


The Broader California Enforcement Landscape

Beyond the CPPA’s direct enforcement actions, 2026 has seen expansion on several fronts.

Data Broker Enforcement Under the Delete Act. The California Privacy Protection Agency has also been conducting enforcement sweeps against data brokers who failed to register with the Data Broker Registry required by California’s Delete Act. The Delete Act created a centralized “one-stop” deletion mechanism allowing California consumers to delete their data from all registered data brokers simultaneously. Brokers who failed to register — and thus failed to integrate with the deletion mechanism — are subject to $200 per day fines for each day of non-registration.

CPPA Rulemaking on Automated Decision-Making. The CPPA finalized rules on automated decision-making technology in late 2025, creating opt-out rights for automated decisions in consequential contexts including employment, education, and financial services. These rules are operative in 2026 and will likely produce additional enforcement actions as the agency begins monitoring compliance.

AG Enforcement Running Parallel. The California Attorney General’s enforcement authority under CCPA runs parallel to the CPPA’s: both can enforce, and neither is constrained by the other’s enforcement actions. The Disney settlement was an AG action; the PlayOn Sports and Ford decisions were CPPA actions. Organizations facing California privacy compliance questions need to account for both enforcement authorities.


What to Fix Before the Next Investigation

The Q1 2026 enforcement wave provides an unusually clear roadmap for what California regulators will find and fine. The following are the priority remediation areas:

Audit your actual opt-out signal propagation. Test whether your opt-out mechanism actually reaches all third parties in your advertising and analytics stack — not just the first-party consent management platform. Use browser developer tools to inspect outbound requests before and after opt-out, and confirm that data flows to advertising networks cease when the opt-out is exercised.

Map all third-party SDKs and tracking technologies. For each SDK integrated in your web or app properties, document: what data it collects, where it sends that data, and whether your opt-out mechanism integrates with that SDK’s opt-out API. SDKs that are not connected to your consent management platform are opt-out gaps.

Measure friction in your opt-out UX. Walk through your opt-out process as a consumer. Count the steps. Compare to the consent process. If there is asymmetry, address it before an investigator does.

Audit CTV and streaming properties specifically. If your organization operates streaming properties with embedded advertising technology, treat them as a specific enforcement risk category and audit them separately from web properties.

Confirm compliance for youth-accessible properties. For any property accessible to or directed at consumers under 16, implement the enhanced CCPA protections — opt-in for sharing data with third parties, opt-out mechanisms that function at the SDK level, and restricted advertising technology deployment.
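The propagation audit and SDK mapping described above can be automated by exporting a HAR file from browser developer tools before and after exercising the opt-out and comparing the two. The script below is an added example, not code from any company or regulator named in this article; the vendor names, hostnames, inventory and HAR contents are all constructed, and hosts are matched exactly (no subdomain wildcards).

```python
import json
from urllib.parse import urlsplit

# Hypothetical SDK inventory: vendor -> hosts it transmits to (constructed names).
SDK_INVENTORY = {
    "ExampleAds SDK": {"collect.ads.example"},
    "ExampleSocial pixel": {"px.social.example"},
}
FIRST_PARTY = {"www.shop.example"}  # constructed first-party host

def load_har(path):
    """Load a HAR file exported from the browser's network panel."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def hosts_in_har(har):
    """Return {host: request_count} for every request in a HAR dict."""
    counts = {}
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        if host:
            counts[host] = counts.get(host, 0) + 1
    return counts

def audit_opt_out(har_before, har_after, inventory=SDK_INVENTORY,
                  first_party=FIRST_PARTY):
    """Classify third-party hosts by whether traffic continues after opt-out."""
    before, after = hosts_in_har(har_before), hosts_in_har(har_after)
    host_to_vendor = {h: v for v, hosts in inventory.items() for h in hosts}
    report = {"still_receiving": [], "stopped": [], "unmapped": []}
    for host in sorted(set(before) | set(after)):
        if host in first_party:
            continue
        vendor = host_to_vendor.get(host)
        if vendor is None:  # third party missing from the SDK inventory
            report["unmapped"].append((host, after.get(host, 0)))
        elif after.get(host, 0) > 0:  # opt-out did not reach this SDK
            report["still_receiving"].append((vendor, host, after[host]))
        else:
            report["stopped"].append((vendor, host))
    return report

def _har(urls):  # builds a minimal constructed HAR for the demo below
    return {"log": {"entries": [{"request": {"url": u}} for u in urls]}}

HAR_BEFORE = _har(["https://www.shop.example/", "https://collect.ads.example/e?uid=1",
                   "https://px.social.example/tr", "https://metrics.unknown.example/b"])
HAR_AFTER = _har(["https://www.shop.example/", "https://collect.ads.example/e?uid=1",
                  "https://metrics.unknown.example/b"])

if __name__ == "__main__":
    print(json.dumps(audit_opt_out(HAR_BEFORE, HAR_AFTER), indent=2))
```

The script looks only at request destinations, not payloads, so every entry under `still_receiving` or `unmapped` is a lead to inspect by hand rather than a finding on its own.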


The CPPA’s Q1 2026 enforcement wave is not an anomaly — it is the enforcement agency operating at the pace and scale it was created to achieve. The fines, the findings, and the remediation orders will continue. Organizations that have built privacy compliance programs on the assumption that enforcement was theoretical have now seen several well-resourced companies learn otherwise.

For context on the full multi-state privacy enforcement landscape, see our analysis of 20 states now enforcing consumer privacy laws.


Sources: California Attorney General Press Release (Disney/ABC Settlement, February 11, 2026); CPPA Decision (PlayOn Sports, March 3, 2026); CPPA Decision (Ford Motor Company, 2026); CPPA Decision (American Honda Motor Co., 2026); CPPA Announcement (Tractor Supply Company); California Privacy Protection Agency (Data Broker Enforcement Sweep, January 8, 2026); Troutman Privacy; Koley Jessen (Lessons for Businesses From 2026’s First California Privacy Enforcement Actions); Potomac Law (California Ramps Up Enforcement of Consumer Privacy Opt-Out Rights in 2026). This article is provided for informational purposes only and does not constitute legal advice.