California Consumer Privacy Act (CCPA) has entered a new phase in its enforcement.
This follows what is arguably the most significant enforcement action to date, in which regulators delivered a clear, unmistakable message: partial compliance is still non-compliance.
The non-compliant businesses provided users with opt-out tools, but those tools did not fully stop the sale or sharing of personal information across devices, services, and advertising ecosystems. Although disclosures, toggles, links, and forms were in place, the investigation found that the underlying data flows continued in ways the consumer did not expect after they had exercised their opt-out rights.
A $2.75 million settlement has been reached, but it represents more than a financial penalty. As the largest in CCPA history, it signals a shift in enforcement towards operational execution, technical architecture, and real-world effectiveness rather than mere documentary compliance.
Most importantly, it carries significant lessons for organizations that operate in a similar multi-platform digital ecosystem. Read on to learn more.
As the official investigative report reveals, the company involved did initially appear to be compliant. It had all the primary hallmarks indicative of compliance. These include:
- Providing “Do Not Sell or Share” links;
- Offering web-based opt-out forms;
- Disclosing data sharing practices in its privacy policy;
- Responding to consumer preference signals.
However, as the report concludes, a deeper analysis beyond surface-level mechanisms revealed that consumer choices weren’t being honored comprehensively. Critical gaps soon became apparent, such as:
- Opt-outs that applied only to a specific device or app instance.
- Preference signals that did not propagate across a user’s account.
- Domain-wide, cross-device, cross-domain opt-outs were not honored.
- Continued data sharing with certain third-party advertising partners despite an opt-out.
- Inconsistent handling of browser-based Global Privacy Control (GPC) signals.
In short, the consumers thought they had successfully opted out of the sharing or selling of their data because the user interface told them so. But the backend data flows did not reflect their choice.
This meant the “Do Not Sell or Share” button was symbolic more than systemic.
The Key Lessons
Some of the key lessons organizations can learn from this incident include the following:
Opt Out Must Be Account-Level
Organizations are still struggling with multi-party consent management, and this case elaborates just that. Nearly every major digital platform operates across apps, browsers, connected TV apps, smart devices, and other sister brand properties that may be connected.
In such an ecosystem, organizations often fall into the trap of treating every single device and app as an independent entity, creating further compliance risk.
When a user logs into their account, regardless of what device they use, once they submit an opt-out request, both the user and, more importantly, the regulators expect this to mean:
- Application to all linked devices to that account;
- Honoring of domain-wide, cross-device, and cross-domain consent choices;
- Cascade through the backend advertising and analytics systems.
Instead, organizations opt for device-scoped controls that are no longer sufficient in the era of centralized identity.
“Sharing” For Cross-Context Is High Risk
Under the CCPA, “sharing” personal information for cross-context behavioural advertising is regulated, even when no money is being exchanged. As a result, the enforcement focus is squarely on:
- Ad-tech integrations;
- Programmatic advertising ecosystems;
- Data management platforms (DMPs);
- Pixel and SDK-based tracking;
- Cross-device advertising identifiers.
In such a scenario, if a user decides to opt out of the sale or sharing of their data, but the ad identifiers continue to be transmitted to third-party partners for cross-context targeting, regulators will view it as a violation.
Multi-layer advertising stacks have become a common industry practice, leading to blind spots like the one above. Thanks to this recent enforcement action, regulators may begin looking for such instances more actively.
GPC is NOT Optional
Under the CCPA, businesses are required to treat all browser-based opt-out preference signals, such as the Global Privacy Control (GPC), as valid requests meant to communicate that the user has opted out of the sale and sharing of their data.
However, some organizations continue to:
- Apply GPC only to browser contexts;
- Fail to link GPC to logged-in account profiles;
- Implement GPC signals within cookie-based opt-out of sale and sharing, and ignoring non-cookie-based opt-outs;
- Do not synchronize GPC with advertising systems.
This leads to a situation where if a user is logged in and sends a GPC signal, the opt-out applies to only that session and not the account broadly.
To remedy this, organizations must conduct extensive audits to:
- See how GPC signals are detected;
- Where those signals are stored;
- How they are applied internally;
- Whether it results in application across all data pipelines.
Far too many organizations fall victim to non-compliance owing to poor UI/UX design.
In some ecosystems, especially ones where connected TV apps and embedded environments exist, users are redirected to external webpages to manage their privacy preferences.
At the same time, regulators are assessing whether:
- This process is frictionless.
- Users take minimal steps across the platform.
- Opt-outs processed via web forms actually stop the data flows.
To that end, compliance teams must review:
- How many steps are required to opt out?
- Whether opt-outs require repetitions on different devices;
- Whether the user correctly describes the opt-out scope.
Privacy Architecture Must Mirror Data Architecture
One of the most immediate lessons to draw from the CCPA enforcement action is its architectural implications.
Most organizations slowly expand their ecosystems organically through a combination of acquisitions, separate ad-tech integrations, additional development teams, decentralized data lakes, and third-party SDK proliferation.
However, this creates a mismatch that eventually may lead to various risks, such as:
- Opt-outs may apply in one business unit but not another.
- Suppression lists may not sync across systems.
- Third-party integrations may operate outside centralized governance.
- Identity resolution tools may override preference signals.
Hence, organizations must look to embed privacy controls within the data architecture itself, and not just the UI layer. Doing this means:
- Centralized preference management;
- Automated suppression enforcement;
- Unified identity resolution tied to consent states;
- Continuous monitoring of third-party data flows.
In the absence of the aforementioned measures, inconsistencies will cause vulnerabilities, leading to fines and other regulatory actions.
What Must Businesses Do Now
Organizations that do not wish to be in the headlines for similar reasons must undertake the following steps to ensure complete and effective compliance with the CCPA requirements.
Conduct an Opt-Out Audit
Any opt-out audit must begin with a simple question: “What actually happens in the system once the user clicks on Do Not Sell or Share?” Organizations assume the presence of the suppression flag means compliance. However, regulators are now testing whether that flag actually stops the data flows across advertising, analytics, and affiliate systems.
A proper audit would map the entire lifecycle of the personal information after the opt-out request is received. This would lead to other inquiries such as:
- Does the preference apply only to cookies in that browser session, or is it tied to a persistent user profile?
- Does it suppress future transmissions only, or does it also restrict internal profiling?
- Are legacy identifiers still being passed to third parties?
To gain actual data related to how their processes work, organizations must simulate real-world scenarios to assess how the user journey and experience evolve.
Review Ad-Tech Integrations
Modern advertising stacks are far from simple. A combination of demand-side platforms (DSPs), supply-side platforms (SSPs), data brokers, attribution vendors, and embedded SDKs means personal information meant for ad use travels through a complex chain in milliseconds. Each of these integrations represents a potential compliance gap if the suppression signals are not enforced properly.
Hence, a detailed review is necessary to inventory every third-party pixel, SDK, API integration, and server-to-server advertising connection. Each element’s specific function in how it actually behaves vs how it is supposed to behave would help in such a review.
Moreover, organizations must pay special attention to cross-contextual behavioral advertising. Sharing identifiers for targeted advertising can trigger CCPA obligations. Hence, organizations must validate these identifiers and exclude them from bid requests and tracking calls when suppression flags are active.
Test GPC Handling
Under the CCPA, the GPC is an enforceable signal that requires organizations to ensure their systems detect, interpret, store, and propagate GPC signals consistently across websites accessed via a browser.
The testing must begin at the detection layer. Such tests should aim to answer the following questions:
- Is the GPC signal reliably captured across supported browsers?
- Is it logged?
- Is it associated with a device, a browser instance, or a persistent user account?
Similarly, it is important to assess the downstream propagation. Once a GPC signal is recognized, does it automatically prevent advertising-related data transfers, or does it centralize the suppression systems? Are mobile apps and connected devices aligned with browser-based signals when identity is linked?
Align Engineering & Legal Teams
CCPA compliance is no longer the sole responsibility of the legal team. The language of the law may define the obligation, but the enforcement risk lies in the technical implementation.
Similarly, the legal team may draft policies and interpret regulatory requirements, but the engineering teams ultimately control how data flows.
At the end of the day, alignment begins with shared definitions. What constitutes “sharing” in the organization’s data architecture? Which identifiers fall within scope? How are advertising transmissions categorized? Legal and engineering teams must have a common or joint regulatory language that translates into technical specifications.
Similarly, regular cross-functional reviews are necessary since products change, new SDK integrations are phased in, acquisitions are made, and marketing initiatives alter data flows. Without necessary oversight from each organization, legal risks not only increase but the business’s overall compliance measures continuously lag, creating further risks down the road.
How Securiti Helps
Securiti is a global leader in data privacy, security, compliance, and governance solutions, enabling organizations to streamline their compliance practices, optimize data security, and strengthen governance at a granular level.
Thanks to its plethora of AI-driven solutions, Securiti helps automate data protection impact assessments, real-time data mapping, DSR fulfillment, privacy notice management, breach notification management, universal consent management, and others to facilitate an organization can meet all its compliance-related obligations from a central dashboard.
For organizations that wish to avoid similar enforcement actions related to CCPA, owing to partial compliance and inadequate data privacy measures, they can opt for the various modules Securiti has to offer.
Request a demo to see Securiti in action and learn more about how it can assist you in meeting compliance with the CCPA as well as other data privacy and security regulations, both in the US and globally.
