Key point: The California AG’s fifth CCPA-related enforcement action focuses on the CCPA’s right to opt out of sales/shares and on children’s privacy provisions. With respect to the right to opt out, it should prompt businesses to reevaluate their procedures, especially as they relate to the treatment of account holders and mobile apps.

On October 30, 2025, the California attorney general (AG) announced a settlement with a streaming services provider[1] over violations of the California Consumer Privacy Act (CCPA). Pursuant to the proposed final judgment and permanent injunction, the company will pay a $530,000 fine and implement several injunctive relief requirements. According to the press release, the settlement arose from a 2024 investigative sweep of streaming services.

The complaint alleges two CCPA violations: (1) failure to provide easy-to-execute methods for consumers to opt out of the selling and sharing of their personal information; and (2) failure to provide sufficient privacy protections for children. Given that these are distinct issues, we will address them in two separate articles. This first article provides a brief background of the enforcement action, an analysis of the right to opt-out violations, and a summary of the injunctive relief requirements. The next article will analyze the children’s privacy violations.

Background

This is the fifth CCPA-related public enforcement action brought by the California AG’s office. The office has previously entered into settlements with a makeup retailer, food delivery service, gaming platform, and health website publisher. In addition, the California Privacy Protection Agency has entered three CCPA-related settlements (not including data broker registration settlements). Every action has, in some way, involved the selling or sharing of personal information. Of the eight CCPA-related enforcement actions to date, the current enforcement carries a comparatively low, though not insignificant, fine ($530,000) but imposes substantive and complex injunctive obligations on the company.

Opt Out of Selling/Sharing Violations

The violations of the CCPA’s right to opt out focus on four issues:

  1. The company’s “Your Privacy Choices” link only allowed consumers to opt out of tracking technology sales and not all sales the company engaged in.
  2. The method for consumers to opt out of non-cookie sales/shares was difficult to operate and confusing.
  3. Some consumers were required to supply unnecessary information to opt out. (Consumers who were logged into their accounts were required to fill out a webform even though the company could identify the consumers sufficiently to process their requests.)
  4. The company did not offer consumers a viable way to opt out of data sales or sharing by or through the company’s mobile app.

The first and second issues are intertwined; the complaint faults the company for not providing a single, clear method for consumers to opt out of cookie-related sales/shares and non-cookie-related sales. According to the complaint, the company used a “Your Privacy Choices” link that “directed consumers to cookie preferences,” which only allowed consumers to opt out of cookie-related sales/shares. It did not operate as an opt out of non-cookie-related sales/shares.

The company offered a separate method to opt out of other types of sales but consumers “had to locate a link embedded in text that directed them to a separate opt-out page.” (The complaint does not state where that link was provided or in what text it appeared.) Once consumers landed on the separate opt-out page, the complaint alleges that the page had a deceptive user interface because it implied the right to opt out only applied to cookie choices and consumers had to “find and click an unlabeled caret to reveal the opt-out webform.” The complaint alleges that this interface “likely deterred consumers from completing their CCPA opt-out request.” Finally, even if consumers made it through these steps and submitted a request through the webform, they were presented with text that questioned and required consumers to confirm their decision.

As to the third issue, the complaint states that “logged-in customers were unnecessarily burdened with this same multistep opt-out process.” According to the complaint, the company could identify these logged-in individuals without requiring them to provide additional information and therefore should not have directed them to fill out a webform.

Finally, for the fourth issue, consumers who wished to opt out while using the company’s mobile app could not do so within the app. Rather, they had to use a different device to go to a “55-character non-obvious URL.” However, once at that URL, consumers could only opt out of cookie-related sales/shares on the company’s website. Opting out through this method did not opt consumers out of sales/shares on the app.

The complaint alleges that these issues violated the CCPA in four ways:

  1. Failing to provide methods for submitting requests to opt out of sales/sharing that are easy for consumers to execute and require minimal steps;
  2. Failing to provide easy-to-read and understandable disclosures to consumers, including by using confusing or deceptive elements and adding additional steps and unnecessary burden or friction by combining the CCPA opt out with cookie choices in a confusing manner;
  3. Requiring a logged-in consumer submitting an opt-out request to provide more information than necessary; and
  4. Failing to provide an easy-to-use method for submitting opt-out requests in the way the business primarily interacts with its customers on app-based devices.

The complaint also alleges that these constituted violations of California’s Unfair Competition Law (UCL), including directing consumers to cookie choices that incorrectly purported to allow them to opt out of all sales/shares.

Injunctive Relief

The proposed final judgment and permanent injunction separates the injunctive relief provisions into three sections: (1) consumers’ right to opt out of sales or sharing of personal information; (2) special rules regarding children and minors; and (3) compliance program. We discuss the first and third parts in this article and will discuss the second part in the next article.

Right to Opt Out of Sales/Shares

The injunctive relief provisions relating to the right to opt out of sales/shares generally fall into four categories: (1) disclosures, (2) opt-out methods for account and non-account holders, (3) app opt-outs, and (4) dark patterns. We discuss each of these in turn.

1. Disclosures

The proposed final judgment and permanent injunction contains three injunctive relief provisions relating to disclosures.

First, the company is generally required to comply with the CCPA’s provisions relating to notifying consumers of their right to opt out of sales/shares.

Second, the company is required to provide clear and conspicuous notice to consumers that the company collects personal information about consumers from third parties, that it sells or shares consumers’ personal information, and that it conducts cross-context behavioral advertising using personal information the company obtains from third parties. The proposed final judgment and permanent injunction defines clear and conspicuous notice to mean that “a required disclosure is easily noticeable and easily understandable by ordinary people.”

Finally, the company must provide a link on its homepages “titled ‘Do Not Sell or Share My Personal Information,’ or, if used, an alternative opt-out link titled ‘Your Privacy Choices’ or ‘Your California Privacy Choices’ with the opt-out icon” that complies with the CCPA. For mobile apps, the link must appear on the app’s introductory page, footer, within the app’s settings menu, and/or another easy-to-find location. Clicking on the link must either immediately effectuate an opt out or direct the consumer to the notice of right to opt out of sales/sharing.

2. Opt-Out Methods for Account and Non-Account Holders

The company is also required to provide a consumer-friendly opt-out system. For consumers who are logged in to their accounts, the company must provide “a toggle or other opt-out method that is easy to execute, requires minimal steps, and does not require” the consumer to provide unnecessary information to effectuate the request. The company also is required to effectuate a logged-in consumer’s opt-out request account-wide across all devices and browsers.

For consumers who are not logged in or do not have an account, the company is required to tell consumers that it may be necessary for them to log into their account or provide additional information to have their opt-out choice fully implemented. For non-account holders or consumers who do not want to log in, the company must treat the opt-out requests as a request for that browser or device and any profile that the company associates with that browser or device, including pseudonymous profiles.

3. App Opt-Outs

When consumers use the company’s app, the company must provide an easy-to-use method “such as a simple toggle” to effectuate an opt-out request instead of requiring a second device. However, if that is not technically practicable, the company must simplify the in-app opt-out method as much as possible, such as by providing a QR code that captures the consumer’s log-in information and effectuates the opt-out request across devices or browsers or directs the consumer to the notice of right to opt out of sales/sharing.

4. Dark Patterns

The proposed final judgment and permanent injunction prohibits the company from using dark patterns in relation to the right to opt out. For example, if the company offers choices to consumers relating to cookie preferences or direct email preferences, it cannot use language or choice architecture that is likely to confuse consumers as to how to make an opt-out request. The company also cannot use hard-to-find links for making opt-out requests. Further, the company cannot use confirmation questions or screens that require consumers to take additional steps to exercise their right or attempt to dissuade them from exercising their right. Finally, the company cannot direct consumers to ineffective opt-out choices (e.g., directing app users to a website opt-out that does not impact the app).

Compliance Program

The proposed final judgment requires the company to create a compliance program within six months (180 days) of the date judgment is entered. The program must remain in effect for three years and the company must provide an annual report to the California AG. However, the report and other shared information will be treated as confidential and exempt from disclosure under state freedom of information act laws.

The program must assess and monitor:

  1. Opt-Out Methods. Whether the company provides opt-out methods for selling and sharing that are consumer-friendly, easy to execute, require minimal steps and which, as appropriate, fully implement a consumer’s opt-out choice account-wide on each platform and device used to access the company’s app.
  2. Disclosures. Whether the company provides the required disclosures under the proposed final judgment and permanent injunction.
  3. Children’s Data. Whether the company is “making reasonable efforts” to comply with the proposed final judgment and permanent injunction’s special rules regarding children’s privacy.

The proposed final judgment and permanent injunction does not otherwise specify how the company must conduct the compliance program.


[1] The complaint was brought against two related entities. For the purposes of this article, we will collectively refer to them as the company.

David Stauss

David guides clients as they navigate the complexities of privacy and cyber law. His straightforward advice and thorough approach are a benefit to clients as they confront their toughest challenges.

Laura Hamady

Laura serves as counsel in the firm’s Privacy + Cyber practice. She brings more than 15 years of experience in privacy and cybersecurity related matters. Laura is an industry-experienced privacy leader and has served in senior privacy leadership positions at a variety of large companies across various industry spaces, including Twitter, Visa, PayPal, Chronicle (a Google company), Groupon, Levi’s, Takeda Pharmaceuticals, and more.

Shelby Dolen

Shelby develops and implements comprehensive privacy programs that are tailored to the specific needs of each client, helping them to remain compliant as privacy laws continue to evolve at the state, federal, and international levels. She is well versed in all U.S. state privacy laws, laws governing social media and children’s data, AI laws and regulations, and international data privacy laws, including the GDPR.

Marlaina Pinto

Marlaina advises clients on a broad range of privacy and data protection matters, drawing on experience in marketing technology. She provides strategic counsel on consumer data use and regulatory obligations under both U.S. state privacy laws and international data privacy laws, such as the GDPR.

TK Lively

TK advises clients on privacy and information security matters, including U.S. state consumer privacy laws, biometric privacy regulations, data broker registration, health information privacy, and international frameworks.