Key point: The enforcement action alleges that the retailer failed to provide adequate privacy disclosures to website visitors and job applicants, failed to effectuate opt-out requests, including recognizing the Global Privacy Control signal, and lacked legally compliant data processing agreements with third parties.
On September 30, 2025, the California Privacy Protection Agency (CPPA) announced its latest enforcement action for violations of the California Consumer Privacy Act (CCPA). The enforcement action, brought against a nationwide retailer, resulted in a $1.35 million fine and an agreement to implement “broad remedial measures.” The enforcement action follows comments by the CPPA head of enforcement, Michael Macko, at last week’s board meeting that the agency is currently pursuing “hundreds of open investigations.”
Below is an overview of the violations and penalties.
CCPA Violations
The stipulated final order identifies five CCPA violations.
1. Failure to Effectuate Opt-Out Requests
According to the stipulated final order, the retailer’s website uses cookies and similar tracking technologies that constitute sales and shares of personal information under the CCPA. During the relevant time period, the website contained a “Do Not Sell My Personal Information” footer link that directed users to a webform to opt out of the sale of their personal information. However, upon completing that webform, consumers were not, in fact, opted out. The webform also did not inform consumers as to “where or how they could opt-out of [the retailer’s] selling or sharing of their personal information through those technologies.”
2. Failure to Honor Opt-Out Preference Signals
The order provides that the retailer also violated the CCPA by not recognizing the Global Privacy Control signal and not explaining in its privacy policy how opt-out preference signals would be treated. Earlier this month, the CPPA joined the attorneys general of California, Colorado, and Connecticut to announce a joint investigative sweep on this issue.
3. Lack of Proper Data Processing Agreements
The CCPA requires businesses to have contracts in place with data recipients that contain certain provisions depending on the recipient’s role (e.g., third party, service provider, or contractor). The order stated that the retailer did not have contracts in place “with service providers and with third parties, such as advertising technology companies that used consumers’ personal information for cross-context behavioral advertising.”
4. Deficient Privacy Notice
The retailer’s website only contained a California Shine the Light law disclosure and lacked many of the disclosures the CCPA requires. The CPPA also noted that the privacy policy was outdated, having been last updated in November 2021, despite the CCPA requiring annual updates.
5. Deficient Job Applicant Privacy Notice
Finally, the CPPA stated that while the retailer provided job applicants with a CCPA notice, the notice did not inform applicants of their CCPA data subject rights or how to exercise those rights.
Remedial Measures
As noted, the retailer must pay an administrative fine of $1.35 million. The CPPA also made a point of stating that it “recognizes and credits” the retailer’s significant remediation efforts since learning of the violations. In addition to the administrative fine, the retailer must take numerous remedial actions, including:
- Modifying its methods for consumers to submit requests to opt out of sales and shares, including conducting at least quarterly scans of its digital properties, maintaining a full and current inventory of tracking technologies, identifying which tracking technologies constitute sales or shares, and properly effectuating opt-outs;
- Recognizing opt-out preference signals;
- Ensuring symmetry in choice in its tracking technology management platform and pop-up banner so that the “reject” buttons are symmetrical to the “accept” buttons;
- Reviewing its privacy policy to comply with the CCPA;
- Notifying all employees and job applicants by email of the updated privacy policy and employee privacy policy and providing them with copies;
- Training personnel responsible for handling CCPA requests;
- Modifying its contract management and intake process to ensure all required CCPA contractual terms are in place; and
- Posting, for a period of five years, the metrics required by CCPA regulation Section 7102 (large data holders).
The stipulated final order also requires the retailer, for a period of four years, to implement and maintain a program to assess and monitor its practices for processing opt-out requests and to conduct an annual review of its website tracking technology practices, providing certain information about those practices to the CPPA.
Other Matters
Finally, the stipulated final order states that the retailer agrees the CPPA “possesses broad authority to investigate potential violations of the CCPA, including those that occurred before January 1, 2023.” The retailer previously challenged the CPPA’s authority to regulate activities before the agency existed. That challenge resulted in the CPPA filing a subpoena enforcement action, which the agency agreed to discontinue.