ARTICLE
26 February 2026

California Enforcement Targets Fragmented Opt-Outs

BT
Barnes & Thornburg LLP

Contributor

Barnes & Thornburg LLP logo
In a changing marketplace, Barnes & Thornburg stands ready at a moment’s notice, adapting with agility and precision to achieve your goals. As one of the 100 largest law firms in the United States, our 800 legal professionals in 23 offices put their collective experience to work so you can succeed.
Explore Firm Details
On Feb. 11, 2026, the California Attorney General announced a $2.75 million settlement — the largest California Consumer Privacy Act (CCPA) settlement to date — against a major consumer digital media/streaming company.
United States California Technology
Brian J. McGinnis,Owen Agho, and Lyric D. Menges
Your Author LinkedIn Connections
Brian J. McGinnis’s articles from Barnes & Thornburg LLP are most popular:
  • with Senior Company Executives, HR and Finance and Tax Executives
  • with readers working within the Business & Consumer Services, Insurance and Law Firm industries

Highlights

  • On Feb. 11, 2026, the California Attorney General announced a $2.75 million settlement — the largest California Consumer Privacy Act (CCPA) settlement to date — against a major consumer digital media/streaming company. The settlement resolved allegations that its opt-out implementation under the CCPA was incomplete, disjointed, and misleading, resulting in ongoing sale/sharing for targeted advertising even after consumers attempted to opt out. 
  • The settlement is reportedly part of a broader investigative sweep of streaming services' opt-out practices, signaling continued enforcement focus on cross-context behavioral advertising pipelines.
  • The complaint's central theory is straightforward: The company allegedly built robust cross-device identity linking to maximize targeted advertising value but did not use that same identity resolution to ensure that an opt-out request (via a webform, in-app toggle, or Global Privacy Control (GPC)) propagated across brands, systems, and devices, as required.
  • The enforcement action suggests that regulators expect opt-outs to “follow the identity graph.” If a business uses account-based or cross-device identity resolution to enhance advertising value, it must use that same infrastructure to ensure opt-out requests fully propagate across brands, devices, vendors, and data flows; partial suppression will be treated as noncompliance.

Why This Matters for Opt-Out Compliance and the Broader Enforcement Message

The pleading emphasizes that any opt-out mechanism must stop all sale/sharing, not merely one portion of the business's advertising ecosystem. It also underscores that opt-outs must be easy, minimal-step, and implemented in the channel where the business primarily interacts with consumers (including app-based environments).

This is particularly relevant for organizations that:

  • Operate multiple brands/apps under one account ecosystem;
  • Rely on ad-tech partners and internal ad platforms in parallel;
  • Support connected TV / device-native apps or other constrained environments; and/or 
  • Have legacy “preference center” architecture where different systems honor different signals.

California's theory is clear: any opt-out mechanism must stop all  sale/sharing across the entire advertising ecosystem, not merely one brand, device, or platform. Opt-outs must also be easy, minimal-step, and implemented in the channel where the business primarily interacts with consumers, including app-based environments.

Key Allegations and the Opt-Out Failures California is Targeting

“Partial opt-out” is treated as “no opt-out”

The complaint alleges the company offered multiple opt-out paths (webform, in-app toggles, and GPC), but each one only worked for a subset of data flows, leaving other sale/sharing pathways active. Specifically, the AG alleged that the webform opt-out disabled the company's own  advertising platform but did not stop data sharing with third-party ad-tech vendors, leaving those pathways active.

Practical takeaway: If you have multiple ad monetization rails (e.g., internal audience platform and third-party ad-tech), your opt-out must shut down all relevant transfers/uses that constitute sale/sharing, not just the “owned” pathway. This includes third-party tags, pixels, server-to-server conversions, and clean room arrangements. Regulators will view an opt-out that disables your own ad platform but leaves third-party data flows intact as ineffective.

Opt-outs allegedly did not follow the person across devices/services

The complaint alleges that consumers who opted out via a toggle or GPC were opted out only on the specific service and device used at the time – even when logged into the same account – requiring repeated opt-outs across services/devices.

Practical takeaway: If your business uses account-based or probabilistic identity to deliver cross-device ads, regulators will expect your opt-out to be identity-based (account/user/household-level as appropriate) rather than cookie-only or device-only. Critically, this means GPC or Opt-Out Preference Signals (OOPS) must be honored beyond the specific browser or device where received. If you can tie a consumer to an account or persistent identifier for advertising purposes, you must apply their opt-out across that same identity graph.

Vendor limitations are not a safe harbor, especially for device-native/CTV apps

The complaint alleges gaps for certain connected-device apps where no in-app opt-out was provided; consumers were directed to a webform that allegedly did not stop embedded transfers from those apps to ad-tech partners, meaning there was no way to stop sale/sharing in that environment.

Practical takeaway:  If a platform constraint prevents a standard UX (such as a CTV app that cannot display a functional opt-out toggle), you still need a compliant mechanism that is effective for that environment. Pushing users to a webform that does not actually suppress the CTV-specific data flows will be viewed as an inadequate workaround. Engineering must confirm the request actually suppresses the relevant data flows for each platform.

Calling it an opt-out when it doesn't fully opt out is framed as deception

The complaint alleges that labeling tools as opt-outs when they do not fully stop sale/sharing or claim to honor GPC when the business fails to do so is deceptive and actionable under California Unfair Competition Law consumer protection theories in addition to the CCPA. This means businesses face both statutory CCPA penalties and potential UCL remedies, including restitution and injunctive relief.

Practical takeaway: This is not just an engineering issue; it is a consumer-facing representations issue. If the control is incomplete, the labeling, disclosures, and UX must not overpromise and the better answer is usually to fix the backend, so the control is complete.

What California Says the Law Requires

The complaint points to requirements to:

  • Treat opt-out requests and preference signals (such as GPC) as valid for known consumers, not just anonymous browsers;
  • Provide opt-out methods that are easy and require minimal steps;
  • Offer opt-out mechanisms in the channels where the business primarily interacts with consumers, including in-app; and
  • Actually cease sale/sharing upon receiving an opt-out, not merely record it.

What This Means Operationally

Treat opt-out as a vendor problem, not just an internal one. Build contractual and technical controls to ensure opt-out status is communicated to, and honored by, ad-tech partners in real time or near-real time. If your contracts or technical integrations do not enable timely propagation of opt-out status to downstream partners — for example, if you cannot suppress audience segment delivery to a DSP or data clean room after an opt-out — the opt-out is incomplete from a regulatory standpoint.

Regulators can verify opt-out effectiveness through “black box” testing like observing whether third-party requests (e.g., pixels, tags, ad calls) still fire after an opt-out. Conduct similar internal testing across platforms (e.g., web, mobile, CTV) and user states (e.g., logged-in, logged-out) to identify gaps before a regulator does. Conduct similar internal testing across platforms (e.g., web, mobile, CTV) and user states (e.g., logged-in, logged-out) to identify gaps before a regulator does. We recommend at least quarterly spot-checks and testing after any ad-tech vendor or tag management system changes.

Recommended Next Steps

Based on this enforcement action, we might suggest clients take the following steps:

  • Inventory all sale/share pathways (e.g., SDKs, pixels, server-to-server, clean rooms, audience onboarding) and confirm which opt-out mechanisms suppress each.
  • Audit GPC/OOPS handling across all surfaces: logged-out web, logged-in web, iOS, Android, CTV, and multi-brand environments.
  • Validate cross-service opt-out propagation: If consumers are linked across services for advertising, they must be linked for opt-out.
  • Review ad-tech vendor contracts for opt-out obligations and confirm technical integrations support timely status propagation.
  • Conduct black-box testing to verify suppression of third-party tags and ad calls post-opt-out, across each platform.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Brian J. McGinnis
Brian J. McGinnis
Photo of Owen Agho
Owen Agho
Photo of Lyric D. Menges
Lyric D. Menges
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More