The California Privacy Protection Agency has additional privacy sheriffs helping to bring fines to businesses that do not comply with Global Privacy Control. With the headline “California Privacy Protection Agency Announces Joint Investigative Privacy Sweep: CA, CO, and CT Investigate Businesses Refusing to Honor Consumers’ Right to Opt-Out of the Sale of Their Personal Information,” it is confirmed that Colorado and Connecticut are working hand in hand to protect consumers online and that Captain Compliance is the solution to resolve these regulatory issues.
Enforcement Escalates on GPC Non-Compliance—Why It Matters, and Why Captain Compliance Was Ahead of the Curve Protecting Websites
Today marks one of the most significant moments yet in U.S. data privacy enforcement. The California Privacy Protection Agency (CPPA), working hand in hand with the Attorneys General of California, Colorado, and Connecticut, announced a sweeping enforcement initiative aimed directly at businesses that are failing to honor the Global Privacy Control (GPC). GPC is a browser-based opt-out signal that empowers consumers to tell companies, with a single setting, not to sell or share their personal data with third parties. It is properly handled by only a few consent banners, with Captain Compliance’s Consent Management Solution being one of the very few that actually work and follow the legal requirements.
The text on Captain Compliance’s consent banners follows the legal requirements set out by California AG Rob Bonta. Most banners do not have this, so if you have a website that accepts visitors from California, you’ll need a solution like Captain Compliance to stay compliant.
This is not just a symbolic gesture. The regulators have confirmed that letters have already been sent to businesses found to be ignoring GPC signals, demanding immediate remediation. Attorney General Rob Bonta framed the issue in no uncertain terms: “Californians have the important right to opt-out … businesses have an obligation to honor this request.” In other words, what was once considered a gray area or “best practice” is now clearly in the crosshairs of state regulators. The announcement coincides with 2025’s Data Privacy Day efforts, a deliberate move to underscore that education and enforcement will now go hand in hand.
This builds upon prior enforcement actions, most notably the $1.2 million settlement with Sephora in 2022, which set the tone for how regulators view GPC. Today’s announcement signals a ramping up of that enforcement, making it clear that compliance is no longer optional—it is an operational necessity.
Deep Dive: CPPA Enforcement Trends and Institutional Muscle
To fully understand the significance of today’s announcement, it helps to look at how the CPPA has been building its enforcement infrastructure. Over the past year, the CPPA’s Enforcement Division has transformed from a small oversight body into a regulatory powerhouse. It has modeled its operations after leading agencies such as the Department of Justice, the Securities and Exchange Commission, and France’s CNIL, signaling its intent to enforce California privacy law with the same seriousness as securities or financial regulators.
Concrete enforcement actions back this up. Recent penalties include a $345,178 fine levied against luxury retailer Todd Snyder and a $632,500 fine against American Honda, each demonstrating the CPPA’s willingness to go after well-known brands. At the same time, the agency has carried out investigative sweeps on entire industries, including connected vehicle data and data brokers, showing a systemic approach to enforcement rather than piecemeal actions. With a budget that has grown from $5 million at inception to $12.8 million for FY 2024–25, the CPPA now has the resources to pursue these cases aggressively and at scale.
Another important factor: consumer complaints are pouring in at record levels. The CPPA’s Consumer Complaints Unit reported a 52% increase in volume over the past year, with opt-out rights (42%) and deletion rights (57%) making up the majority of grievances. In short, consumers are watching—and regulators are listening. This feedback loop ensures that enforcement is driven not only from the top down, but also from the grassroots up, creating sustained pressure for businesses to comply.
On top of all of these headwinds, there are also California Invasion of Privacy Act claims, under which an individual can file a private right of action privacy lawsuit against any business. A few law firms are capitalizing on this law and filing hundreds of lawsuits a week against businesses that are not using Captain Compliance’s software solutions.
What Makes GPC Enforcement So Critical
The significance of today’s joint enforcement sweep lies in three critical dimensions:
1. The Scale of Consequences: Violations are no longer measured in warnings or small fines. Past settlements have reached into the millions, and with multiple state attorneys general now coordinating, the exposure for companies ignoring GPC could easily scale into tens of millions of dollars. Beyond fines, the reputational damage of being named in a high-profile enforcement action can disrupt consumer trust and depress market value.
2. Technical, Not Just Legal, Compliance Is Required: Many businesses still view compliance through a legal lens only—posting privacy policies or opt-out links that technically check a box but fail to function properly in practice. Regulators are signaling that this is not enough. Businesses must technically integrate and honor GPC signals in real time, which requires robust systems, not just a line of text in a footer.
3. Multi-State Collaboration Raises the Stakes: What once may have been viewed as a California-only issue is now rapidly becoming a multi-state standard. Colorado and Connecticut’s involvement in this sweep makes clear that privacy enforcement is not going to be siloed. Instead, we’re seeing the emergence of a cooperative enforcement environment, where multiple jurisdictions can—and will—pursue violators simultaneously.
Why CaptainCompliance.com Was Already on the Front Lines
Here at CaptainCompliance.com, we have long emphasized that GPC is not just a “nice to have”—it is a binding requirement that regulators were bound to enforce. Our thought leadership articles, webinars, conferences with law firms, calls with clients, and every other way we could spread the word have consistently warned that ignoring or disabling GPC signals would be the exact type of behavior regulators would target once they moved beyond the educational phase of privacy law implementation. Today’s announcement is confirmation that those warnings were well-founded.
Our platform is uniquely positioned to help businesses avoid these risks. We don’t just provide a compliance checklist—we deliver the technical infrastructure that makes compliance seamless. Our system automatically detects incoming GPC signals and processes them in real time, ensuring that consumer data is no longer sold or shared in violation of the law. We also provide audit-ready logs, staff training, and proactive alerts so companies are not caught off guard by enforcement sweeps like the one announced today. “Captain Compliance clients have long heeded the rule: GPC is binding. Now enforcement action echoes that warning with real consequences.”
Captain Compliance clients are not scrambling this week—they are already prepared. By aligning their operations with the technical requirements of GPC, they’ve avoided the enforcement dragnet that is now ensnaring competitors.
How To Honor GPC Signals For Privacy Compliance?
The takeaway from today’s news is that enforcement is no longer hypothetical—it is here, it is coordinated, and it is escalating. Businesses that fail to honor GPC are not just risking regulatory fines; they are jeopardizing consumer trust, brand equity, and long-term growth. In today’s environment, where consumer expectations around privacy are only rising, non-compliance is the opposite of a competitive advantage—it is a liability.
By contrast, companies that take GPC compliance seriously can position themselves as consumer-first, transparent, and trustworthy. They not only avoid regulatory risk, but also gain a reputational edge in a marketplace increasingly defined by trust. This is the perspective we have been championing all along, and today’s sweep is the most powerful validation yet. The way to resolve this is to use Captain Compliance’s CMP, which integrates in minutes through a Tag Manager. “Today’s coordinated enforcement sweep makes crystal clear: the age of ignoring GPC is over. Businesses must honor user browser signals—no more hiding behind opt-out links.”
Captain Compliance’s Global Privacy Control Strategic Advantage
| Trend | CaptainCompliance’s Strategic Advantage |
|---|---|
| GPC enforcement ramping up | Captain Compliance anticipated and preempted enforcement |
| Enforcement infrastructure strength | Captain Compliance provides automation, audit logs, and monitoring |
| Financial penalties are significant | Captain Compliance prevents costly fines in the hundreds of thousands to millions |
| Multi-state enforcement | Captain Compliance offers scalable solutions across jurisdictions |
Save Millions in Fines By Using Captain Compliance’s Privacy Software
“With previous violations costing hundreds of thousands—even over a million, as seen with Sephora—non-compliance is no longer a cost-of-business—it’s a corporate liability.” The CPPA’s announcement, coupled with the involvement of multiple state attorneys general, is a watershed moment in privacy enforcement. Businesses that have put off technical compliance with GPC can no longer afford delay—the risk has multiplied. For companies already working with us, today’s news is a validation of our foresight. For those who haven’t acted yet, it is the clearest possible warning that the time to do so is now.