AG Bonta Fines Sling TV $530,000 – Plus the Latest CCPA Penalties You Need to Know


SLING TV Fine from California AG for $530,000 over data privacy violations

Even more privacy enforcement from California. The most recent enforcement action by Attorney General Rob Bonta was just announced against Sling TV, and this article places that decision side-by-side with other major California privacy actions involving Tractor Supply Company, Healthline Media LLC and American Honda Motor Co. The goal is to highlight both the detailed obligations emerging from the Sling TV case and the broader enforcement trends under the California Consumer Privacy Act (CCPA) and the California Privacy Protection Agency (CPPA). With a $530,000 fine, it showcases that businesses violating California’s privacy law can expect to pay in the range of $500,000 – $1.5 million to California if they are not using privacy software tools like the ones provided by our team here at Captain Compliance.

The Sling TV Case Data Privacy Violation

On October 30, 2025, the California DOJ announced that Sling TV (and its parent entity Dish Media Sales) resolved allegations that it violated the CCPA by failing to provide a “usable and effective” method for California consumers to opt out of the sale of their personal information, and by failing to provide requisite protections for children’s data in the streaming context. Under the settlement, Sling TV agreed to pay a civil penalty of $530,000 and to implement a set of corrective measures. Had Sling been using our Data Subject Request software they would have been able to automate their privacy requirements and save $530,000 in regulatory fines.

Facets of the case according to the AG’s release:

  • The DOJ’s enforcement follows an investigative sweep of streaming services and connected television platforms announced in January 2024. Sling TV was identified as a target because of the ease (or lack thereof) by which consumers could exercise their CCPA rights—especially the “do not sell” right.
  • Sling TV is an internet-based live and on-demand streaming service. Unlike traditional linear TV advertising, Sling’s ad model uses targeted consumer data (such as age, gender, location, income) to personalize ads for viewers—oftentimes without clear user awareness.
  • Even for logged-in customers, Sling TV required users to complete a web-form with name, address, email, and phone number (despite those details already being known) to opt out of the sale or sharing of personal information; and for living-room devices, there was no opt-out mechanism built into the app—users had to visit the website instead. The DOJ flagged that the cookie-preference interface was conflated with the CCPA “do not sell” opt-out, even though turning off cookies did not effectuate a true opt-out of sale/sharing under the law.
  • The settlement mandates four primary corrective obligations:
    • Stop directing consumers seeking to exercise their CCPA “do not sell/sharing” right to generic cookie-preference controls—they must provide a separate, clearly labelled mechanism for the CCPA opt-out.
    • Eliminate the requirement that logged-in customers fill out a web-form with redundant identity data to effectuate the opt-out—this superfluous step deters the exercise of rights.
    • Provide an opt-out mechanism directly within Sling TV’s apps on living-room devices (smart TVs, set-top streaming devices) so users are not forced off the device environment to chase the rights portal.
    • Allow parents to designate one or more user profiles as a “kid’s profile” that by default disallows the sale or sharing of children’s personal information and targeted advertising when minors are likely watching, and provide parents with clear disclosure and tools to protect children’s data.
  • The DOJ emphasized that “Californians have critical privacy rights … every Californian has the right to their online privacy, especially in the comfort of their living room.” The message: streaming and connected-TV services are squarely in the sights of state enforcement.

Sling TV Settlement Could Have Been Averted With Our Opt-Out Software

Like the client we could’ve saved from a $5 million class action lawsuit stemming from an Electronic Communications Privacy Act violation, we look forward to protecting businesses so they don’t have to pay these big fines. The Sling TV settlement provides a very clear blueprint of what regulators are expecting from digital streaming services: truly accessible opt-out controls (not buried as cookie toggles), equivalent choice mechanisms for children’s profiles, integration across device environments (not just web), and no redundancies or barriers in the user flow for exercising rights. It also signals that targeted advertising models built on rich consumer profiling in the streaming ecosystem attract elevated scrutiny under the CCPA’s sale/sharing and special-sensitive information paradigms.

Recent Headline Grabbing California Privacy Enforcement Actions

| Company | Date | Regulator | Penalty | Key Allegations |
|---|---|---|---|---|
| Sling TV (Dish Media Sales LLC) | Oct 30 2025 | CA DOJ | $530,000 | Lack of effective opt-out mechanism for sale/sharing; no app-based opt-out; children’s profile protections missing. |
| Tractor Supply Company | Sep 30 2025 | CPPA | $1.35 million | Failed job-applicant privacy notice; ineffective opt-out; outdated privacy policy; contracts lacking third-party protections. |
| Healthline Media LLC | Jul 01 2025 | CA AG | $1.55 million | Tracking technologies on health site; failed opt-out of targeted ads; vendor-oversight gaps for sensitive health-inference data. |
| American Honda Motor Co. | Mar 12 2025 | CPPA | $632,500 | Dark patterns (more clicks to opt-out vs opt-in); excessive verification for opt-out; weak contracts with ad-tech vendors. |

The Sling TV action follows other recent California privacy enforcements that show regulators are targeting both design (dark patterns, symmetry of choice) and governance (vendor contracts, sensitive data flows). Three instructive cases: Tractor Supply (CPPA), Healthline (AG), and Honda (CPPA).

Tractor Supply: $1.35M CPPA Settlement and Job-Applicant Data

On September 30, 2025, the California Privacy Protection Agency announced a $1.35 million settlement with Tractor Supply Company. Allegations included failures to provide effective opt-out mechanisms for third-party tracking tech, maintain compliant service-provider agreements, and extend protections to job applicants—an increasingly visible enforcement vector.

Why it matters: CPPA is now using settlements to push operational fixes—technology scanning to inventory trackers, documented governance, and multi-year officer certifications—raising the bar on “prove it” compliance.

Healthline: $1.55M AG Settlement and Health-Related Tracking

On July 1, 2025, AG Bonta announced a $1.55 million settlement with Healthline, at the time the AG’s largest CCPA settlement. The case focused on sharing personal information via tracking technologies for advertising, opt-out failures, and vendor-oversight gaps—especially sensitive given the site’s health-related context.

Why it matters: The AG continues to pursue publishers and platforms where sensitive inferences can arise from browsing behavior—heightening risk for sites operating in health, parenting, and similar categories.

Honda: $632.5K CPPA Order—Dark Patterns and a Consent Tool Configuration

In March 2025, the CPPA issued its first formal CCPA enforcement order—a $632,500 penalty against American Honda Motor Co. The order details multiple violations, including asymmetrical cookie-banner choices (two steps to opt-out vs. a single “Allow All” to opt-in) and hurdles for authorized agents—both categorized as impermissible dark patterns under CCPA/CPRA regulations.

Critically, the CPPA’s public order states that Honda’s cookie consent tool was provided by OneTrust, and that Honda’s configuration of that tool contributed to the asymmetry and resulting violation. (Nothing in the order suggests the vendor, rather than the business, bears liability—but it squarely ties the implementation to the outcome.)

Why it matters: Even “enterprise-grade” consent platforms can enable non-compliant UX if configured poorly. Enforcement is judging the user journey—how many clicks, what’s defaulted, whether choices are genuinely equivalent—not the brand of the tool.

What Sling TV Teaches—Four Practical Lessons

  1. Opt-out must be obvious and low-friction. DOJ/AG actions continue to penalize hidden or cumbersome pathways. If your opt-out “works” only after multiple clicks or logins, you’re inviting scrutiny.
  2. Symmetry of choice is non-negotiable. If opting in is one click, opting out cannot be two. Confirm that your consent tool presents equivalent steps, visual weight, and button prominence.
  3. Contracts & data maps matter. Both AG and CPPA cases emphasize service-provider/contractor terms and tracking-tech inventories. Maintain up-to-date vendor DPAs, clear “sale/share” classifications, and deletion/retention hooks.
  4. Category sensitivity elevates risk. Healthline shows the AG’s sensitivity to health-adjacent browsing data. Streaming services sit at scale with rich inference potential—expect elevated expectations.

What Sling TV Adds to the Enforcement Playbook

While each of the above cases contributes to the increasing maturity of California privacy enforcement, Sling TV expands the playbook in several meaningful ways:

  • Streaming & Connected-TV Focus: Regulators are no longer just screening web publishers and consumer apps—connected-TV and streaming platforms are now under direct scrutiny. The requirement for opt-out inside the app interface is a new frontier.
  • User-flow bar is rising: The DOJ has made it explicit that the customer must not be routed through cookie preferences when seeking the “do not sell/share” right, or forced to fill extraneous forms for already-known customers. The frictionless exercise of rights is increasingly non-negotiable.
  • Children’s-profile mechanisms: Streaming platforms must now proactively provide dedicated parental tooling—not just generic notices—to minimize children’s data use and ad-tracking.
  • Device-agnostic approach: Opt-out and rights-mechanisms must be built into living-room environments (set-top boxes, smart TVs, streaming apps) and not just websites. This aligns with how content is consumed today.

CCPA Compliance Changes

From the Sling TV decision and its companions, a robust checklist emerges. Here are five strengthened actions businesses should adopt to be aligned with regulator expectations:

  • Audit rights-flow across all device contexts: Map where consumers might access your service—web, mobile, smart-TVs, streaming devices—and confirm that the “Do Not Sell or Share” or “Limit Use of Sensitive Information” flows are accessible, clearly labelled, and implemented in each environment. Avoid directing users via cookie-preference banners when the CCPA rights should have a stand-alone path.
  • Eliminate unnecessary friction: The number of clicks, the amount of additional identity-data required, and the detours in user flows matter. If opting out requires login, multiple fields, or separate forms while opting in is one click, you may be creating a regulatory target. The Honda and Sling TV cases both underscore this.
  • Offer symmetric choice interfaces: If users can opt-in with one click, they must be able to opt-out with at most the same number of clicks, equivalent button prominence, and equal visibility. The child-profile default off for data sale and sharing is now an expectation for platforms with children’s use.
  • Vendor & contract governance: Beyond user rights flows, regulators are drilling into service-provider and ad-tech contracts. All disclosures and third-party arrangements must include CCPA-compliant provisions (purpose limitations, audit rights, deletion triggers). Tractor Supply and Honda show this is a recurring enforcement vector. Maintain documented audit trails of vendor inventories, contract reviews, and updates.
  • Document and test regularly: Build a documented evidence-bundle of how your opt-out flows work, audit logs, test scripts across devices, vendor inventories, job-applicant flow reviews (where applicable), and quarterly reviews. Consider engaging UX designers or external reviews to ensure the flow meets usability standards. Regulators are judging the lived user experience, not just the policy.

What Chief Privacy Officers Should Do

From a strategic standpoint, here are overarching implications for privacy programs:

  1. Any device context counts: As seen with Sling TV, regulators expect the entire ecosystem—web, mobile, smart-TV, streaming device—to be rights-enabled. Companies primarily focused on legacy web experiences must catch up.
  2. Opt-out mechanisms are under the microscope: The next frontier is not whether you provide opt-out, but how easy and frictionless it is. The number of steps, visible labelling, and equal treatment with opt-in are all key. If your flow still asks users to go to a buried URL, fill in extra data fields, or route through generic cookie banners, you are at risk.
  3. Children’s data is a heightened zone: Streaming services and platforms with multi-profile capabilities must proactively build default protections for kid-profiles, including limiting ad-targeting and sale/sharing by default, and giving parents clear tools and disclosures. This expectation is formalized in the Sling TV settlement.
  4. Enforcement maturity is accelerating: The CPPA and California AG’s office are moving beyond first-generation web-tracking cases into device ecosystems, job-applicant flows (Tractor Supply), and nuanced UX/design issues (Honda). The size and sophistication of the fines reflect that maturity.
  5. Consent-tools are necessary but not sufficient: Tools like consent-management platforms help, but regulators are reviewing configuration, user flows, and vendor contracts. The Honda case, for example, flagged a major vendor tool that was mis-configured (excessive verification, dark-pattern opt-out flows). Your tool is only as compliant as your implementation.

The $530,000 Privacy Violation Settlement

The $530,000 settlement with Sling TV underscores that California’s privacy enforcement regime is in full gear—and expanding into new frontiers such as streaming-devices, living-room apps, and children’s profiles. When viewed alongside the recent fines against Tractor Supply, Healthline and Honda, a clear pattern emerges: regulators are focusing on the operational experience of consumers exercising rights, the device-ecosystem reach of services, the symmetry and usability of choice mechanisms, and the contractual and vendor back-end ecosystems supporting data flows.

For businesses operating in California—or serving California residents—the message is unambiguous: you cannot rely on disclosure alone, or opt-out mechanisms buried behind generic cookie controls. You must deliver transparent, low-friction, device-agnostic right-exercise flows; ensure default protections for children; update every vendor contract; document your audits and flows; and test across experiences. Tools such as the solutions we provide here at CaptainCompliance.com can support consent/preference management, vendor inventory audits, device-flow mapping, data subject requests, and regulator-grade evidence logging.

In short: the era of “this is a web-site cookie banner” privacy compliance is over. Even though Honda was using OneTrust, they still got fined for violations because of default and integration settings. The enforcement lens is now comprehensive, device-wide, choice-flow sensitive and rights-centric. The time to act is now.
