CA_StateFlag_1200x600_GettyImages-1435108815

Key point: The California attorney general announced a $2.75 million fine against a company for CCPA violations for failing to honor requests to opt out of the sale or sharing of personal information across all devices and services associated with consumer accounts.

On February 11, 2026, the California attorney general (AG) announced a settlement with a multiplatform entertainment company, resolving alleged California Consumer Privacy Act (CCPA) violations based on gaps in the company’s opt-out procedures. This is the second public CCPA enforcement settlement arising from the California Department of Justice’s 2024 investigative sweep of streaming services. This also is the largest CCPA settlement amount to date, and is roughly five times the amount of the first enforcement action and more than $1 million more than the prior largest settlement by the AG. These actions reflect an escalating enforcement trajectory as the AG and the California Privacy Protection Agency develop a body of precedent that increasingly functions as operational compliance guidance for businesses. Notably, every CCPA enforcement action to date has involved, in some way, the right to opt out and demonstrates that the AG’s expectations for what constitutes compliant opt-out implementation are becoming both more granular and more demanding with each successive action.

In the below article, we provide an overview of the complaint and the settlement terms.

Complaint

According to the complaint, the company “placed its profits over . . . critical consumer privacy rights [by implementing] disjointed opt-out methods that only stopped some of” the company’s “consumer data sales and sharing, rather than halting it completely as the law required.” The sharply worded complaint focused on the asymmetry between the company’s advertising capabilities and its privacy practices. The company had the technical ability to associate consumers with their devices across services for advertising purposes (and promoted this ability to potential advertisers), but claimed technical limitations impaired its ability to apply consumer opt-out requests across devices and services.

The company used the information it collected to target ads to consumers in at least two ways. First, it sold advertising opportunities on its websites and services and targeted ads for its products and services on third-party sites and services. Second, the company allowed advertisers to place ads on its services and websites. The complaint alleges that these activities constitute cross-context behavioral advertising as defined in the CCPA.

Nonetheless, if a consumer exercised their right to opt out, that choice was not effectuated across all devices and services connected to the consumer’s account. For example, if a consumer opted out through a toggle or Global Privacy Control signal, they would be opted out of data sharing with ad-tech partners, but only for the specific service and device the consumer was using, even if they were logged into their account. According to the complaint, a consumer would have to opt out up to 10 times to fully effectuate an opt-out. Further, if a consumer attempted to opt out while using one of the company’s apps, they would be directed to use an opt-out web form that did not actually opt consumers out of selling and sharing personal information on the apps.

The AG also specifically criticized the company’s claim that it could not “provide a comprehensive consumer identity-based opt-out” across all devices because the company was able to associate “devices with specific users for purposes of identity-based advertising.” According to the AG, “if a business can associate a consumer’s devices with the consumer for advertising purposes, it can and must associate those devices with the consumer for purposes of honoring the consumer’s opt-out rights.”

The complaint states two causes of action — one for violations of the CCPA and one for violations of California’s unfair competition law (UCL). With respect to the CCPA, the complaint alleges the following violations:

  • Selling and sharing personal information with third parties after receiving direction from a consumer not to.
  • Failing to treat opt-out preference signals as a valid opt-out request.
  • Failing to provide easy-to-use methods that require minimal steps for submitting opt-out requests.
  • Failing to provide an easy-to-use method for exercising opt-out requests based on the manner in which the business primarily interacts with its customers, on app-based devices.

With respect to violations of the UCL, the complaint advanced a deception theory, alleging that the company engaged in fraudulent acts or practices and deceived consumers through its opt-out methods. This framing is significant because it elevates incomplete CCPA compliance from a technical violation to an affirmative consumer fraud.

Settlement

As noted, the company must pay a $2.75 million fine, which is more than five times larger than the fine imposed in the previous settlement resulting from the streaming services investigative sweep.

In addition to the fine, the settlement’s injunction provisions focus heavily on eliminating the gap between the company’s advertising capabilities and its privacy compliance infrastructure and effectively mandate that the company’s privacy compliance technologies match the sophistication of its advertising competencies. Specifically, the settlement imposes requirements focused on five key themes.

  • Opt-Out Method and Process. Implement a consumer-friendly, easy to use opt-out process that requires minimal steps, including honoring opt-out preference signals and taking the following steps:
    • Cease selling and sharing and cross-context behavioral advertising when a consumer opts out.
    • Apply a consumer’s opt-out choice across all connected services associated with the consumer’s logged-in account.
    • Inform consumers who opt out while not logged in or without an account that they may need to log in or provide minimal personal information to fully effectuate their opt out.
    • Provide an opt-out link within all of the company’s connected services, or clearly direct consumers to the CCPA-compliant notice of the right to opt out of sales/shares.
    • Format and design the opt-out notice on all services so it fits the browser, app, or device without requiring searching or excessive scrolling, hard-to-find links, unlabeled carets, arrows, or other hidden menu icons.
  • Confirmation of Consumers’ Requests. Provide a method for consumers to confirm that their opt-out-of-sales/sharing request has been processed.
  • Choice Architecture. Ensure user choices and user interface designs (UX) do not impair consumer decision-making or choices relating to opting out of sales/sharing. This codifies the AG’s position that dark patterns in the opt-out context are actionable violations.
  • Third-Party Obligations. Notify all third parties when a consumer submits an opt-out request, direct those third parties to comply with the opt-out request, and ensure such third parties use the personal information consistent with CCPA requirements.
  • Children and Minors. Maintain existing protections and controls that ensure personal information of consumers the company has actual knowledge are children or minors is only sold or shared with appropriate authorization. Comparatively this is a narrow provision suggesting that the AG found existing protections of children and minors’ data adequate and chose to focus its enforcement action on alleged failures of the company’s opt-out mechanisms.

The settlement imposes a two-track compliance monitoring structure. Within 60 days of the settlement’s effective date, the company must report to the AG on its progress in updating its sale/share opt-out notice (see Opt-Out Method and Process above) and continue providing progress reports every 60 days until all services comply. This cadence ensures sustained AG visibility during a fairly expedited remediation period.

Within 180 days, and for three years thereafter, the company must implement and maintain a program to assess and monitor the effectiveness of its sale/share opt-out methods — including whether they are consumer-friendly, easy to use, and require minimal steps — as well as its compliance with the settlement’s disclosure and notice requirements. The company must report the results of this review annually to the AG, creating an ongoing accountability mechanism that extends beyond the company’s initial remediation efforts.

This settlement reinforces several themes emerging from the AG’s recent CCPA enforcement activities. Companies that maintain sophisticated data linking capabilities for advertising purposes should expect the AG to hold them to the same standard when it comes to effectuating consumer privacy rights. Lastly, opt-out processes that fragment the consumer experience across services and devices, require multiple steps and do not clearly communicate a consumer’s exercised privacy preferences may draw regulatory scrutiny.