State regulators are increasingly treating consumers’ rights to opt out of targeted advertising and the sale of personal information as a central test of corporate privacy compliance, with enforcement efforts now focused not only on whether opt-out tools exist, but whether companies actually honor them across their digital operations.
A new client alert from law firm Taft says regulators in multiple states are intensifying scrutiny of businesses’ handling of universal opt-out mechanisms such as the Global Privacy Control (GPC), a browser-based tool that allows consumers to automatically communicate privacy preferences without filing separate requests with individual companies.
The alert reflects a broader maturation of state privacy regimes as states move from education and implementation phases into more aggressive enforcement. According to Taft, “state privacy regulators continue to focus on consumers’ rights to opt out of the sale of personal information and targeted advertising, signaling that this issue remains a top enforcement priority across the United States.”
Most comprehensive state privacy statutes now require companies to give consumers the ability to opt out of both targeted advertising and the sale of personal data. Increasingly, those laws also mandate that businesses recognize universal preference signals transmitted automatically through browsers or other tools.
Taft said regulators are now concentrating on whether companies are consistently detecting and applying those signals across advertising, analytics and data-sharing systems, especially where multiple platforms or affiliated services are involved. The firm noted that enforcement agencies are no longer satisfied with merely having a privacy notice or opt-out link in place.
That tougher stance became especially visible in September 2025, when regulators in California, Colorado and Connecticut announced a coordinated investigative sweep focused specifically on universal opt-out compliance. The multistate effort examined whether businesses were properly “detecting, processing, and honoring opt-out preference signals across their digital properties.”
According to the alert, the participating attorneys general emphasized that universal opt-out mechanisms are critical because they allow consumers to exercise privacy rights “easily and effectively.” Regulators warned that continuing targeted advertising or data sales after receiving valid opt-out signals could constitute violations of state privacy laws.
Related: Ireland Opens Privacy Probe Into Shein Over Data Transfers to China
Taft said the coordinated investigation also demonstrated growing cross-jurisdictional cooperation among state regulators, enabling agencies to share expertise and amplify enforcement pressure in areas of common concern.
California has emerged as one of the most active enforcement jurisdictions under the California Consumer Privacy Act. The alert pointed to a recent enforcement action against Disney involving its Disney+, Hulu and ESPN+ streaming services. California regulators alleged that while Disney linked consumer devices and data for advertising purposes, it failed to apply those same linkages when processing consumer opt-out requests.
According to Taft, the California Privacy Protection Agency concluded that Disney did not adequately honor consumer privacy preferences across the services, resulting in a $2.75 million settlement.
Connecticut regulators are also signaling sustained attention to the issue. Taft cited the Connecticut attorney general’s 2025 Data Privacy Act enforcement report, which identified universal opt-out preference signals as a primary enforcement priority. The report indicated regulators are closely reviewing whether businesses honor opt-out signals consistently and in accordance with statutory requirements.
For businesses operating nationally, the alert underscores the growing complexity of complying with a patchwork of state privacy laws that increasingly share common expectations around opt-out rights.
Taft recommended several steps companies should take immediately to reduce enforcement risk. Businesses should ensure they can properly detect universal opt-out signals such as GPC; consistently apply those signals across advertising and data-sharing workflows; align internal teams, vendors and technologies to halt processing once an opt-out is received; and regularly test and audit opt-out functionality to verify ongoing compliance.
The alert suggests regulators are increasingly viewing failures in technical implementation — rather than deficiencies in privacy disclosures alone — as the core compliance issue. As state privacy enforcement accelerates, businesses may face heightened scrutiny over whether their advertising technology infrastructure actually carries out the consumer rights promised under state law.
