Alston & Bird Privacy, Cyber & Data Strategy Blog

Multistate Privacy Investigative Sweep Targeting Website Global Privacy Control (GPC) Noncompliance

By , and

On September 9, 2025, the California Privacy Protection Agency (CPPA) announced a joint investigation sweep targeting businesses that may be failing to honor consumers’ opt-out requests submitted via Global Privacy Control (GPC) signals, in coordination with the Attorneys General of California, Colorado, and Connecticut. The CPPA’s announcement underscores a growing trend of multi-jurisdictional collaboration among regulators to enforce consumer data privacy laws.

GPC is a website browser-level specification that allows website visitors to automatically transmit their choice to opt out of the “sale” and “sharing” of personal information and “targeted advertising.” Many state-level comprehensive laws, including those in California, Colorado, and Connecticut, require businesses to detect and process GPC signals as valid opt-out requests. The three-state coalition is contacting businesses suspected of violating this requirement and requesting that those businesses cure noncompliance.

This development reinforces the trend of privacy regulators’ active enforcement, as well as robust cross-state collaboration. For instance, California, Colorado, and Connecticut engaged in joint educational efforts on GPC in January 2025. These three states are also part of the bipartisan Consortium of Privacy Regulators, together with privacy regulators of Delaware, Indiana, New Jersey, and Oregon, which promotes the sharing of enforcement priorities and coordinated investigations.

Inquiries from privacy regulators can trigger significant risks and associated costs as they may seek detailed information about businesses’ privacy practices, including technical configurations and audit trails. Regulators’ focus may also shift if the investigations reveal suspected noncompliance in other areas. Additionally, California, Colorado, and Connecticut regulators may share compliance gaps identified with regulators in other jurisdictions. Therefore, it is critical for businesses that have been subject to this sweep to analyze their data management practices to assess risks and establish strategies.

Alston & Bird’s Privacy, Cyber & Data Strategy Team has extensive experience advising and defending clients who receive inquiries and violation notices from state privacy regulators. Please contact us if you have any questions.

LinkedIn
Avatar photo

About David Keating

David Keating focuses his practice on matters involving technology and data and co-leads the Privacy, Cyber & Data Strategy Team. He has advised clients on privacy and security issues arising along the entire data lifecycle for more than 20 years. He assists clients with compliance strategies, policy development and implementation, data monetization and data use analyses, new product development, privacy and security issues in transactions, and privacy enforcement matters.

[Read Bio]

Headshot of Dan Felz

About Daniel Felz

Dan’s clients receive operations-ready management of their complex privacy, security, and technology issues, as well as seamless interactions with stakeholders. Fluent in German with a U.S. litigation background, Dan helps companies of all sizes across industries and jurisdictions resolve data-related matters at the local, national, and international levels.

[Read Bio]

Avatar photo

About Hyun Jai Oh

Hyun Jai Oh is an associate in Alston & Bird’s Technology & Privacy Group in the Atlanta office. Before joining the firm, Hyun Jai worked as an intern researching a multitude of industries involving artificial intelligence solutions, environmental justice, and COVID-related state health regulations. Hyun Jai previously served as a sergeant in the Republic of Korea Army, working in the logistics department of the 21st Infantry Division Reconnaissance Unit.

[Read Bio]

Share to...
BufferCopyFlipboardHacker NewsLineLinkedInMessengerMixPinterestPocketPrintRedditSMSTelegramTumblrVKWhatsAppXingYummly