2025 CCPA Enforcements Stress Consumer Opt-Outs, Lawyer Says
A recent spate of California Consumer Privacy Act (CCPA) enforcements has pushed consumer opt-outs to the fore, clarifying what regulators consider important, Cynthia Cole, an intellectual property lawyer at Baker McKenzie, said during a webinar Tuesday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
"What's marking 2025, with respect to the CCPA, is that we finally have some pretty substantial enforcement actions,” which offer regulatory guidance, Cole told a session that privacy vendor TrustArc sponsored.
For instance, the Healthline settlement in July (see 2507030026) centered on a failure to allow customers to opt-out of data collecting and sharing, similar to the Todd Snyder fine in May (see 2505060043). In the March settlement with Honda (see 2503120037), the CCPA took issue with excessive verification requirements, making it hard for consumers to exercise their privacy rights.
The enforcement for “a trend” focused on “consumer opt-outs,” Cole said. “Are you actually allowing consumers to exercise their rights that they were granted under the CCPA,” or “are you making it unduly difficult for them to exercise those rights, including opting out of the sale of data?”
She also linked this trend to “the rise of CIPA litigation,” which is “a different cause of action, but it's linked in the sense that it is [about], ‘What is the information that you are sharing [with] third parties in different forms, and are you managing it?’”
For Joanne Furtsch, vice president of privacy knowledge at TrustArc, California regulators start with what's happening on an organization or company's website and is publicly available.
Cole agreed and said this means it's imperative that company privacy officials understand marketing activities, since companies may violate laws unintentionally. At times, there's "a disconnect between marketing" and how a company is "driving revenue, and then that information getting back to whomever” is managing privacy data-sharing agreements.
“You need to have a regular cadence of going back and checking in on those agreements and on those arrangements” to make sure they’re up-to-date and adjusting them when needed, based on legal changes and regulatory trends, she added.
Similarly, Furtsch added that privacy is far more than posting a cookie banner, updating privacy notices and checking boxes. It "requires ongoing governance.”
Keeping up with states' regulatory news can also help privacy pros spot trends, she added, noting the recently announced joint sweep between Connecticut, Colorado and California (see 2509090045). California also tried something new, where it made a “public-facing announcement” about investigating Tractor Supply Co. for compliance issues (see 2508060070).
Daniela Sanchez, privacy knowledge lead of the law library at TrustArc, noted that updates to California’s regulations, approved in July, ask companies to "demonstrate accountability ... they really want you to explain what you're doing" with data, understand how you're processing data, and "transmit that to your consumers.”
The new rules are centered on automated decision-making technology, risk assessments, cybersecurity audits and other updates to the CCPA (see 2507240070 and 2507240049). “California is being active from both [an] enforcement and rulemaking perspective,” Furtsch said.
“This practice is absolutely overwhelming,” Cole said. “You can't do everything,” but “this is a team effort,” where being proactive and trying to simplify things pay off.
“You're never going to be 100% compliant … but the effort is worth it,” she added. “It's the ‘show your work’” that matters.