Federal and state enforcement actions involving opt-out failure violations, tracked from official government sources.
44
Total Actions
$912.9M
Total Fines
6
Jurisdictions
The California Privacy Protection Agency (CalPrivacy) settled with Ford Motor Company requiring the company to pay a $375,703 fine and change its practices. Ford violated the CCPA by requiring consumers to complete an email verification step before they could opt-out of the sale and sharing of their personal information collected through digital properties and connected vehicle services. In addition to the fine, Ford must provide easy methods to submit opt-out requests with minimal steps, audit its tracking technologies, and ensure compliance with opt-out preference signals including Global Privacy Control.
$376K
The California Privacy Protection Agency settled with Ford Motor Company for $375,703 after finding that Ford violated the CCPA by requiring email verification for opt-out requests, creating unnecessary friction. Ford must implement easier opt-out methods, conduct a website audit, and comply with global privacy controls.
$376K
The California Privacy Protection Agency settled with PlayOn Sports for $1.10 million over CCPA violations, including failing to provide adequate opt-out mechanisms and improperly tracking users, particularly students. The company must implement proper opt-out methods, improve disclosures, and comply with children's data consent requirements.
$1.1M
The California Attorney General settled with The Walt Disney Company for $2.75 million over CCPA violations. Disney's opt-out processes failed to stop the sale or sharing of consumer data across all devices and services associated with accounts, requiring consumers to navigate cumbersome methods. Disney must pay the penalty and implement comprehensive opt-out mechanisms.
$2.8M
Connecticut Attorney General William Tong, along with the FTC and 21 other states and counties, filed a lawsuit against Uber Technologies, LLC and Uber USA, LLC for deceptive practices related to their Uber One subscription service. The lawsuit alleges Uber used negative option marketing, misled consumers about savings, made cancellation difficult, and charged consumers prematurely. The action seeks restitution, penalties, and an injunction under the Connecticut Unfair Trade Practices Act and the Restore Online Shoppers' Confidence Act.
New Jersey Attorney General Matthew Platkin announced that New Jersey is joining a coalition of 22 states in suing Uber for deceptive practices related to its Uber One subscription service. The lawsuit alleges that Uber enrolled consumers without their knowledge and made cancellation extremely difficult, seeking restitution, penalties, and an injunction under New Jersey's Consumer Fraud Act and the Restore Online Shoppers' Confidence Act.
California Attorney General Rob Bonta announced a $1.4 million settlement with Jam City, Inc. for violating the CCPA. The mobile gaming company failed to provide opt-out methods for the sale or sharing of personal information across its 21 apps and sold or shared data of children aged 13-16 without required affirmative consent. Jam City must now implement in-app opt-out mechanisms and obtain affirmative consent for minors' data.
$1.4M
California Attorney General Rob Bonta secured a $530,000 settlement with Sling TV for violating the CCPA. The company failed to provide an easy-to-use method for consumers to opt-out of the sale of their personal information and did not provide adequate privacy protections for children. The settlement requires Sling TV to implement specific changes to its opt-out mechanisms and parental controls.
$530K
California Attorney General Rob Bonta settled with Sling TV for $530,000 over CCPA violations. Sling TV failed to provide an easy-to-use opt-out mechanism for the sale of personal information and lacked adequate privacy protections for children's data. The settlement requires Sling TV to implement changes to ensure CCPA compliance, including improved opt-out processes and children's privacy safeguards.
$530K
Connecticut Attorney General secured a $1 million multistate settlement with TFG Holding, Inc. for deceptive VIP membership program marketing and billing practices. The company must improve disclosures, obtain explicit consent, provide easy cancellation, and offer restitution to affected consumers.
$1.0M
The California Privacy Protection Agency (CPPA) settled with Tractor Supply Company for $1.35 million over violations of the California Consumer Privacy Act (CCPA). The violations included failing to maintain a proper privacy policy, not notifying job applicants of their rights, lacking an effective opt-out mechanism, and sharing personal information without adequate contracts. Tractor Supply must pay the fine and implement remedial measures such as scanning digital properties and annual compliance certification.
$1.4M
The California Privacy Protection Agency, together with the Attorneys General of California, Colorado, and Connecticut, announced an investigative sweep targeting businesses that fail to honor Global Privacy Control (GPC) signals, which automatically communicate consumers' opt-out requests. The coalition is contacting identified businesses and demanding immediate compliance with state privacy laws. This coordinated effort highlights the states' commitment to enforcing consumers' right to opt-out of the sale of their personal information.
Connecticut, California, and Colorado attorneys general, along with the California Privacy Protection Agency, announced a joint investigative sweep targeting businesses that fail to honor Global Privacy Control (GPC) signals, which allow consumers to opt-out of the sale of their personal information. The coalition sent letters to non-compliant businesses demanding immediate compliance with state privacy laws requiring respect for consumer opt-out preferences.
The California Privacy Protection Agency (CPPA) filed a petition in Superior Court to enforce a subpoena against Tractor Supply Company for alleged CCPA violations, including failure to honor consumers' right to opt-out of the sale and sharing of personal information. This is the CPPA's first judicial action to enforce an investigative subpoena, and the agency is seeking court assistance to compel the company's compliance.
Connecticut Attorney General William Tong announced a settlement with TicketNetwork, Inc. for violating the Connecticut Data Privacy Act by maintaining an unreadable privacy notice and non-functional consumer rights mechanisms. TicketNetwork agreed to comply with CTDPA requirements, maintain metrics for consumer rights requests, report to the AG, and pay $85,000.
$85K
California Attorney General Rob Bonta announced a $1.55 million settlement with Healthline Media LLC for CCPA violations. Healthline failed to honor opt-out requests, shared consumer data including health-related article titles with third parties, and used deceptive privacy practices. The settlement includes injunctive relief and a compliance program.
$1.6M
Texas Attorney General Ken Paxton announced legal action against several Chinese companies, including TP-Link, Alibaba, and CapCut, for violating the Texas Data Privacy and Security Act (TDPSA). The companies have been given 30 days to comply with requirements to disclose data processing, allow consumers to opt out of data collection, and enable data deletion. Failure to comply will result in further legal action to protect Texans' privacy rights and prevent data from being accessed by the Chinese Communist Party.
Texas Attorney General Ken Paxton has issued notices to several Chinese companies, including TP-Link, Alibaba, and CapCut, for violating the Texas Data Privacy and Security Act (TDPSA). The companies must comply with TDPSA's requirements to disclose data processing, allow opt-outs, and enable data deletion within 30 days, or face further legal action.
Texas Attorney General Ken Paxton has notified several Chinese companies, including TP-Link, Alibaba, and CapCut, that they are violating the Texas Data Privacy and Security Act (TDPSA). The companies must comply with TDPSA requirements to disclose data processing, allow consumer opt-outs, and enable data deletion within 30 days. Failure to comply will result in further legal action.
The California Privacy Protection Agency (CPPA) settled with Todd Snyder, Inc. for violating the California Consumer Privacy Act (CCPA) by failing to process opt-out requests, requiring excessive information for privacy requests, and improperly verifying identities for opt-outs. The company must pay a $345,178 fine and overhaul its privacy practices, including configuring opt-out mechanisms and providing employee training.
$345K
The Connecticut Office of the Attorney General released an updated enforcement report on the Connecticut Data Privacy Act (CTDPA) for 2024, summarizing investigations into companies handling connected vehicles, genetic data, palm recognition, teen messaging apps, and facial recognition. The report outlines expanded enforcement priorities around opt-out practices and dark patterns, and includes legislative recommendations to strengthen the CTDPA.
The California Privacy Protection Agency settled with American Honda Motor Co. for CCPA violations, including making it difficult for consumers to opt-out of data sharing, using dark patterns in its privacy tool, hindering authorized agent requests, and sharing data with ad tech companies without proper contracts. Honda must pay a $632,500 fine, implement new processes for privacy requests, certify compliance, train employees, and ensure appropriate data sharing contracts.
$633K
Attorney General William Tong announced that starting January 1, 2025, businesses covered by the Connecticut Data Privacy Act must honor global opt-out preference signals, allowing consumers to opt out of targeted advertising and data sales via tools like Global Privacy Control. The advisory explains requirements, notes exemptions for HIPAA-covered entities, and provides resources for compliance.
The FTC staff report examined data practices of nine major social media and video streaming companies and found they engaged in vast surveillance of users with lax privacy controls and inadequate safeguards for children and teens. The report recommends limiting data collection, restricting targeted advertising, and strengthening protections for young users, and calls for comprehensive federal privacy legislation.
Verkada, a security camera company, failed to secure customer data, leading to a hacker accessing over 150,000 cameras and sensitive health information. The company also violated the CAN-SPAM Act by sending spam emails without proper opt-out mechanisms. To settle, Verkada will pay $2.95 million and implement a comprehensive security program with audits.
$3.0M
The FTC settled with telehealth firm Cerebral, Inc. for sharing sensitive consumer mental health data with third parties like LinkedIn, Snapchat, and TikTok for advertising without proper consent, employing sloppy security practices, and misleading consumers about cancellation policies. Cerebral must pay over $7 million (with $2 million due upfront), is permanently banned from using health information for most advertising, must implement a comprehensive privacy program, delete unnecessary data, and provide easy cancellation.
$7.0M
DoorDash sold California consumers' personal information to a marketing cooperative without providing required notice or an opt-out option, violating the CCPA and CalOPPA. The settlement requires DoorDash to pay a $375,000 civil penalty and comply with injunctive terms, including reviewing vendor contracts and providing annual reports to the Attorney General. This enforcement action clarifies that participation in marketing cooperatives constitutes a sale under the CCPA.
$375K
The Connecticut Office of the Attorney General released a mandated report on the Connecticut Data Privacy Act (CTDPA), detailing over a dozen notices of violation issued to companies across various industries for deficiencies in privacy disclosures and consumer rights mechanisms. The report highlights common compliance failures and reaffirms the AG's commitment to enforcement and education under the state's consumer privacy law.
The FTC settled with data brokers X-Mode Social and Outlogic for selling precise location data without informed consent and failing to protect sensitive information. The proposed order bans the sale of sensitive location data, requires deletion of collected data, and mandates a comprehensive privacy program. This is the FTC's first action against a data broker for sensitive location data practices.
California Attorney General Rob Bonta announced a $93 million settlement with Google for deceiving users about location tracking. Google continued to collect location data even after users opted out, violating California consumer protection laws. The settlement includes injunctive terms to enhance transparency and user controls over location settings.
$93.0M
The FTC finalized an order against 1Health.io for failing to secure genetic data and unfairly changing its privacy policy. The company must pay $75,000 for consumer refunds, destroy DNA samples, and implement security measures. It deceived consumers about data deletion and shared data without proper consent.
$75K
The FTC settled charges against Experian Consumer Services for violating the CAN-SPAM Act by sending marketing emails to consumers who signed up for credit management accounts without providing an opt-out mechanism. The emails promoted products like Experian Boost and Dark Web scans but lacked unsubscribe links. Experian must pay $650,000 and is prohibited from future violations.
$650K
The FTC settled with genetic testing company 1Health.io for failing to secure sensitive genetic and health data, deceiving consumers about data deletion, and unfairly changing its privacy policy without notice or consent. The settlement includes refunds totaling over $49,500 to 2,432 affected consumers.
$50K
Connecticut Attorney General William Tong filed a lawsuit against Michael D. Lansky, LLC (Avid Telecom) for allegedly initiating billions of illegal robocalls, including to numbers on the National Do Not Call Registry. The company is accused of violating the Telephone Consumer Protection Act and Telemarketing Sales Rule. This action is part of a multistate task force with nearly every state attorney general.
New Jersey Attorney General Matthew Platkin joined a multistate lawsuit against Avid Telecom for allegedly initiating and facilitating billions of illegal robocalls, including to numbers on the National Do Not Call Registry, in violation of the Telephone Consumer Protection Act and Telemarketing Sales Rule. The company is accused of transmitting scam calls and ignoring warnings from the Industry Traceback Group.
Attorney General William Tong and bipartisan legislators announced a bill to modernize Connecticut's anti-robocall laws, which haven't been updated since 2015. The bill would expand coverage to text messages, ban gateway VoIP providers, enforce calls to Connecticut area codes, set calling hour restrictions, strengthen telemarketer disclosures, and clarify Do Not Call List protections.
Google settled with 40 state attorneys general over allegations that it misled consumers about location tracking practices. Google will pay $391.5 million and must enhance transparency and user controls for location data collection.
$391.5M
Connecticut and 39 other states secured a $391.5 million settlement with Google for misleading consumers about location tracking and continuing to collect data after users opted out. The settlement mandates Google to enhance transparency and user controls for location settings, including clear disclosures and user-friendly account controls.
$391.5M
California Attorney General Rob Bonta announced a settlement with Sephora, Inc. for $1.2 million over violations of the California Consumer Privacy Act. Sephora failed to disclose that it sold consumer personal information and did not process opt-out requests via Global Privacy Control. The settlement requires Sephora to pay penalties and implement compliance measures including policy changes and reporting.
$1.2M
Connecticut Attorney General filed a $5 million stipulation judgment against Safe Home Security for repeated non-compliance with court-ordered consumer protection measures, including blocking contract terminations and misrepresenting terms. The judgment requires immediate payment of $1 million and suspends $4 million pending compliance, with an independent monitor for five years.
$5.0M
The FTC released a staff report based on Section 6(b) orders to six major ISPs, finding they collect extensive personal data, including internet traffic and location data, and share it with third parties. The ISPs often obscure data use disclosures in fine print and make it difficult for consumers to opt out, while combining data to profile sensitive characteristics. The report highlights the need for stricter privacy restrictions.
New Jersey joined 31 other states and the FTC in a $3.5 million settlement with Lenovo for pre-installing VisualDiscovery ad software on laptops that created a 'man-in-the-middle' security vulnerability, intercepting users' encrypted data without adequate disclosure or opt-out mechanisms. The settlement requires Lenovo to improve transparency, obtain affirmative consent, provide effective opt-out tools, and implement a long-term security compliance program with independent audits.
$3.5M
Lenovo preinstalled 'Visual Discovery' software on its computers that intercepted browsing data and broke encrypted connections without user consent, compromising security and privacy. The multi-state settlement imposes a $3.5 million penalty and requires Lenovo to implement disclosure, consent, opt-out, and security compliance measures.
$3.5M
PulsePoint circumvented Safari browser privacy settings to place unauthorized cookies, enabling targeted advertising without user consent. The New Jersey Division of Consumer Affairs secured a $1 million settlement, including a $566,200 civil penalty, and mandated privacy reforms such as third-party assessments and website disclosures.
$566K