U.S. Consumer Privacy Rights Enforcement: What Regulators Are Targeting  

For years, the United States privacy enforcement landscape was characterized more by its gaps than its reach. Federal sectoral law — HIPAA, GLBA, COPPA, FCRA — covered defined categories of data and defined categories of actors, leaving vast stretches of commercial data processing subject to little more than the FTC’s elastic interpretation of unfair and deceptive practices. State attorneys general had consumer protection authority but limited privacy-specific tools. The result was a regulatory environment that sophisticated compliance programs could navigate with relative comfort, and that smaller or less attentive operators could largely ignore.

That environment no longer exists. The passage of comprehensive consumer privacy statutes in more than twenty states — most of them operational or becoming operational between 2023 and 2026 — has handed state regulators both the legal authority and the political mandate to pursue data privacy enforcement at a scale previously impossible. The California Privacy Protection Agency, the first regulatory body in the United States created exclusively to enforce consumer data privacy law, has moved beyond its early capacity-building phase and into active enforcement. State attorneys general from Connecticut to Texas are investigating companies across sectors. And the compliance obligations that were once largely aspirational — consumer rights processes, opt-out mechanisms, data minimization standards — are now the specific subject of regulatory scrutiny.

This article examines the first and most operationally immediate enforcement priority that has emerged from this new landscape: consumer privacy rights, and in particular the opt-out infrastructure that companies have built — or failed to build — to support them.

The Statutory Foundation: What Consumer Rights Laws Actually Require

Every comprehensive state consumer privacy statute enacted in the current wave of legislation includes a consumer rights framework. The specific rights vary modestly by jurisdiction, but the core package is consistent: the right to know what personal information a business collects and how it is used; the right to access that information; the right to correct inaccuracies; the right to delete; the right to data portability; and, critically, the right to opt out of certain categories of data processing — most commonly the sale of personal information and the sharing of personal information for cross-context behavioral advertising.

California’s framework, the most detailed and most actively enforced, provides the clearest illustration of what these rights obligations look like in regulatory practice. Under the California Consumer Privacy Act as amended by the California Privacy Rights Act, businesses subject to the law must provide consumers with meaningful, accessible mechanisms to exercise each right. The California Privacy Protection Agency has issued implementing regulations — now codified in the California Code of Regulations — that specify, with unusual granularity, what that accessibility requires and what it prohibits.

The opt-out right has received the most regulatory attention, and for structurally sound reasons. When a consumer exercises a deletion right and the business fails to comply, the harm — continued retention of data the consumer wanted removed — is real but often not immediately visible or verifiable. When a consumer exercises an opt-out right and the business fails to honor it, the harm is ongoing and often directly measurable: personal information continues to flow to third-party advertising networks, data brokers, or analytics platforms. The connection between the procedural failure and the substantive privacy harm is direct, which makes opt-out non-compliance both easier to investigate and more compelling to pursue from an enforcement standpoint.

The California Enforcement Pattern: Friction as the Core Violation

The California Privacy Protection Agency’s enforcement pattern in 2025 and 2026 has been remarkably consistent in its focus. Across multiple investigations and enforcement actions, the CPPA has returned repeatedly to a single theme: companies are making it unreasonably difficult for consumers to exercise their opt-out rights, and that difficulty is not accidental.

The regulatory framework under which CPPA is operating is explicit on this point. Under Cal. Code Regs. Tit. 11, §§ 7026(d), 7027(e), and 7060(b), businesses are prohibited from requiring identity verification or other unnecessary additional information as a condition of processing opt-out requests. The logic is straightforward: the right to opt out of the sale or sharing of personal information is not a right that requires the consumer to prove who they are before exercising it. The consumer is directing the business to stop a particular category of processing, not requesting access to their own data file. Requiring verification imposes a burden that is disproportionate to the request — and, the CPPA has noted, it creates a secondary privacy harm by causing the consumer to submit additional sensitive information in order to exercise a privacy right.

This enforcement focus on additional information requirements has surfaced in multiple CPPA investigations. The pattern is consistent: a company builds an opt-out request form that asks consumers to provide their email address, account credentials, phone number, or other identifying information before the opt-out can be submitted. The business may characterize this as necessary to locate the consumer’s data records and effectuate the opt-out. The CPPA’s position is that this characterization, while sometimes technically defensible, generally does not override the regulatory prohibition. The regulations permit a business to seek additional information where it is “reasonably necessary” to process the request — but the standard is strict, and the presumption runs against requiring verification for opt-out requests.

Design Choices That Create Legal Exposure

Beyond the verification requirement problem, CPPA enforcement has illuminated a broader category of design choices that create compliance exposure: what practitioners and regulators have come to call “dark patterns” in the consumer rights context.

The term, borrowed from UX design literature, refers to interface choices that are structured to produce outcomes the user would not choose if the process were neutral. In the privacy rights context, dark patterns encompass a wide range of practices: opt-out flows that require more steps than the equivalent opt-in; consent withdrawal mechanisms that are significantly harder to locate than the original consent mechanism; confirmation dialogs that use emotionally loaded language to discourage consumers from completing their request (“Are you sure you want to stop receiving personalized offers?”); and multi-step processes that time out, require repeated confirmation, or present barriers that erode completion rates.

The CPPA’s regulations specifically address dark patterns in the consumer rights context. Section 7004 of the implementing regulations prohibits businesses from using “dark patterns” — defined to include interface designs that have the substantial effect of subverting or impairing user choice — in their consent mechanisms and rights request processes. The prohibition is not limited to intentionally deceptive design; a design that has the functional effect of making opt-out more difficult than opt-in, or that meaningfully discourages consumers from completing rights requests, can violate the regulation regardless of whether that effect was specifically intended.

For compliance professionals, this creates a design review obligation that many organizations have not fully integrated into their product development processes. A privacy policy that accurately describes consumer rights, combined with a rights request form that is technically functional but practically difficult to use, is not a compliant implementation. The question regulators are asking is not whether a mechanism exists, but whether the mechanism is designed to be used.

Processing Timelines and Response Quality

A second major enforcement focus has emerged around the timeliness and substantive quality of responses to consumer rights requests — not just the opt-out right, but the full suite of access, deletion, correction, and portability rights.

Under California law, businesses must respond to verifiable consumer requests within 45 days, with a single 45-day extension available if the business notifies the consumer of the need for additional time. This timeline is not particularly aggressive by global standards — the GDPR’s one-month response period, with a two-month extension in complex cases, imposes a similar structure — but it requires that businesses have functional request intake, routing, and response systems in place before the requests arrive, not after.

CPPA investigations have found a recurring pattern: businesses have nominal consumer rights processes — web forms, email addresses, toll-free numbers — but those processes are not connected to the operational systems where personal data actually lives. A consumer submits a deletion request through the privacy rights portal on the company’s website. The request is logged. But the downstream fulfillment — identifying all data records associated with that consumer, coordinating deletion across first-party databases, notifying relevant service providers and vendors about the deletion obligation — does not happen reliably or within the statutory timeframe. The consumer either receives no response, receives a confirmation that the request was received without any substantive follow-up, or receives a deletion confirmation that does not accurately reflect the actual scope of data that was deleted.

This gap between the front-end consumer experience and the back-end operational reality is, the enforcement record suggests, extremely common. It reflects the fact that building a compliant consumer rights infrastructure requires not just a visible intake mechanism but genuine data mapping, cross-functional coordination between privacy, engineering, and operations teams, and contractual provisions in vendor agreements that allow deletion and portability requests to be propagated through the data supply chain.

The Opt-Out Signal Problem: GPC and Automated Preference Expression

One of the most technically complex consumer rights enforcement areas to emerge in 2025 and 2026 involves the Global Privacy Control signal and the broader question of automated opt-out preference expression.

The GPC is a browser-level technical signal that allows consumers to express a preference against the sale or sharing of their personal information across all websites they visit, without having to submit individual opt-out requests site by site. Under California law — specifically, CPPA regulations implementing CCPA — businesses subject to the law must honor the GPC signal as a legally valid opt-out of sale and sharing. The California Attorney General’s office began auditing GPC compliance as early as 2022, and the CPPA has continued and expanded that enforcement focus.

The compliance picture on GPC remains poor across many sectors. Audits and enforcement investigations have consistently found that large categories of businesses — including some with otherwise mature privacy programs — are either not detecting the GPC signal at all, detecting it but not translating the detection into downstream changes to their data sharing behavior, or honoring it for first-party analytics while continuing to fire third-party tracking tags before user consent or opt-out status is assessed. The last failure mode is particularly significant: a business that honors GPC in its first-party data processing but continues to allow advertising pixels, retargeting tags, and data broker SDKs to load and transmit data before the GPC preference is applied is not complying with the opt-out obligation, regardless of how the privacy notice characterizes the company’s GPC posture.

This enforcement focus has significant technical implications. Businesses relying on tag management systems, consent management platforms, and server-side tagging architectures need to verify that GPC detection is implemented at the appropriate layer of the stack — early enough in the page load sequence to suppress non-essential third-party data collection before it occurs, not as a post-hoc adjustment to first-party records after the data has already been shared.

Multi-State Enforcement: Beyond California

While California’s enforcement activity has been the most systematic and most publicly documented, the consumer rights enforcement picture is no longer a single-state story. State attorneys general operating under comprehensive privacy statutes in Connecticut, Colorado, Virginia, Texas, Oregon, and a growing number of other jurisdictions have begun launching their own enforcement activities, and the enforcement priorities show substantial consistency with California’s focus areas.

Connecticut’s attorney general has been particularly active, having issued investigative demands to companies in the health technology, retail, and financial services sectors related to consumer rights processing failures. Colorado’s attorney general has launched coordinated sweep actions targeting specific industries. Virginia’s enforcement posture, historically more cautious, has shifted as the Virginia Consumer Data Protection Act’s enforcement mechanisms have matured and agency capacity has grown.

The multi-state character of current enforcement creates compliance complexity that single-state analysis tends to understate. A company that has achieved solid California compliance may face different obligations under Connecticut’s law — different covered entity definitions, different right-to-cure frameworks, different specific prohibitions — that require separate review. A consumer rights process designed around CCPA’s requirements may not satisfy CDPA’s distinct specifications for how opt-out mechanisms must be presented. And a company investigated by one state AG is statistically more likely to face investigation by others: enforcement cooperation between state attorneys general has increased substantially over the past two years, and an enforcement matter opened in one state frequently triggers outreach from regulators in other states where the company operates.

What Compliant Consumer Rights Infrastructure Actually Requires

The enforcement picture that has emerged from 2025 and 2026 regulatory activity provides a useful inverse map of what compliant consumer rights infrastructure looks like — what must be in place for a company to confidently respond to a regulatory inquiry or consumer complaint about its rights processes.

Rights intake that does not impose unauthorized barriers. The intake mechanism — web form, email address, toll-free number, or in-app workflow — must be designed to accept requests without requiring the consumer to provide information that the applicable law or regulation does not permit. For opt-out requests in California, this means no identity verification requirement and no collection of information beyond what is minimally necessary to locate the consumer’s data profile and effectuate the request.

Design review for friction and dark patterns. Every element of the rights request flow — from the initial disclosure in the privacy notice to the confirmation page after a request is submitted — should be evaluated by privacy counsel or a qualified compliance reviewer for design choices that could constitute dark patterns under applicable regulations. This is not a one-time review; product updates that touch the consumer-facing privacy interface require re-review before deployment.

Backend fulfillment systems connected to intake. The most common operational failure is the disconnection between the intake system and the fulfillment system. Compliance requires that rights requests received through the front-end mechanism are routed to the team or system responsible for fulfillment, tracked against statutory response timelines, and resolved with documentation that the company can produce in the event of a regulatory inquiry. This requires workflow tooling, cross-functional accountability, and in most cases explicit contractual obligations in vendor agreements requiring vendors to support consumer rights request fulfillment within defined timeframes.

GPC and automated signal detection. Businesses subject to California law must audit their tag management and consent management infrastructure to confirm that GPC signals are detected, that detection triggers appropriate suppression of non-essential data sharing, and that this suppression occurs before third-party data collection begins rather than after. For businesses using client-side tag management, this typically requires configuring the consent management platform to block non-essential tags pending GPC and consent status evaluation. For businesses using server-side architectures, it requires equivalent logic at the server layer.

Cross-state harmonization analysis. For companies subject to multiple state privacy laws — which includes most mid-sized and larger businesses with national consumer-facing operations — a single unified consumer rights process may not satisfy all applicable state requirements without customization. A rights request mapping exercise that identifies where the various applicable state laws diverge, and where those divergences require different consumer-facing or operational approaches, is a prerequisite to confident multi-state compliance.
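As an added example (not code from the article or from Captain Compliance), the gate below implements the ordering described in the opt-out signal section and in the GPC audit item above: detect the signal, decide which tags may load, and only then create script elements, so a suppressed advertising or retargeting tag never executes. It assumes the browser property navigator.globalPrivacyControl and the Sec-GPC request header defined by the GPC specification; the tag manifest, the navigator-like and header inputs, and the document stub are constructed for illustration.

```javascript
'use strict';

// Detect a GPC opt-out preference. In the browser the signal is
// navigator.globalPrivacyControl === true; on a server it arrives as the
// request header "Sec-GPC: 1". Both inputs are passed in explicitly so the
// same logic runs client-side, server-side, and in tests (assumed shapes).
function gpcSignaled({ navigatorLike = null, requestHeaders = null } = {}) {
  if (navigatorLike && navigatorLike.globalPrivacyControl === true) return true;
  if (requestHeaders) {
    const raw = requestHeaders['sec-gpc'] ?? requestHeaders['Sec-GPC'];
    if (typeof raw === 'string' && raw.trim() === '1') return true;
  }
  return false;
}

// Constructed tag manifest. sharesData marks tags whose loading is a sale or
// share of personal information (ad pixel, retargeting, data-broker SDK) and
// must be suppressed under GPC; the rest are first-party or essential.
const TAG_MANIFEST = [
  { id: 'fraud-check', src: 'https://example.com/fraud.js', sharesData: false },
  { id: 'ad-pixel', src: 'https://ads.example.net/pixel.js', sharesData: true },
  { id: 'retarget', src: 'https://retarget.example.org/r.js', sharesData: true },
  { id: 'first-party-analytics', src: 'https://example.com/a.js', sharesData: false },
];

// Partition the manifest into tags that may load and tags to suppress.
// Returns plain data so the decision can be logged as an audit record.
function gateTags(manifest, optedOut) {
  const allowed = [], suppressed = [];
  for (const tag of manifest) {
    (optedOut && tag.sharesData ? suppressed : allowed).push(tag.id);
  }
  return { allowed, suppressed };
}

// Inject only the allowed tags. gateTags() runs synchronously before any
// <script> element is created, so suppressed tags never load and never
// transmit data: the ordering regulators check, rather than a post-hoc
// adjustment after the share has happened. `doc` is document in a browser.
function injectAllowedTags(doc, manifest, optedOut) {
  const decision = gateTags(manifest, optedOut);
  for (const tag of manifest) {
    if (!decision.allowed.includes(tag.id)) continue;
    const s = doc.createElement('script');
    s.src = tag.src;
    s.async = true;
    doc.head.appendChild(s);
  }
  return decision;
}

// In a real page this runs from the first inline script in <head>, ahead of
// any tag-manager snippet; it is a no-op outside a browser.
if (typeof document !== 'undefined' && typeof navigator !== 'undefined') {
  injectAllowedTags(document, TAG_MANIFEST, gpcSignaled({ navigatorLike: navigator }));
}
```

The same gpcSignaled() check with requestHeaders belongs in a server-side tagging layer, where it should set the opt-out state before any server-to-server forwarding to advertising partners.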

The Enforcement Signal and What Comes Next

The consumer rights enforcement trend documented across 2025 and into 2026 reflects a regulatory posture that is unlikely to relax. The CPPA has committed publicly to continued enforcement activity and has made clear that it intends to use its rulemaking authority to fill perceived gaps in the current regulatory framework. State attorneys general who have invested political capital and institutional resources in building privacy enforcement capacity will continue deploying that capacity. And the expansion of state comprehensive privacy laws to additional jurisdictions — with several more statutes becoming operational in 2026 and 2027 — will broaden the pool of enforcement authorities empowered to act.

The practical implication for companies is that the period of relative enforcement tolerance — during which regulators were building capacity and companies could reasonably expect investigative attention to fall primarily on the largest and most egregious violators — is closing. Consumer rights process failures, including failures that would have generated only informal guidance letters or cure opportunities in earlier enforcement cycles, are increasingly the subject of formal investigations, public enforcement actions, and, in California, administrative proceedings that carry significant reputational exposure even when financial penalties are modest.

The first-mover compliance advantage — building rights infrastructure that genuinely works before enforcement pressure arrives — remains available, but the window in which it confers significant protection against regulatory attention is narrowing. For compliance programs that have treated consumer rights processes as a website checkbox rather than an operational discipline, that assessment should prompt immediate remediation review.
