For two decades, privacy enforcement worked like a health code inspection.
If inspectors got word that something was amiss, they showed up, pointed out violations, and gave you time to fix them. To make sure everything was in order, they’d schedule a follow-up.
Companies got used to a rhythm of warning letters and cure times before fines were levied. But that changed in 2025. California announced millions in enforcement actions stemming from implementation failures like opt-out mechanisms that didn’t work, cookie banners that disappeared, and vendor contracts missing required terms.
California Enforcement Actions Bring Implementation to the Forefront
What’s behind the enforcement actions in 2025? For years, privacy policies got the attention while implementation stayed in the background. But the California Attorney General and California Privacy Protection Agency are making it clear that how you implement your policies matters just as much as how you write them. Cases in point: Honda, Todd Snyder, Healthline Media, Tractor Supply, and Sling TV.
Honda: $632,500 (March 2025)
One of the first major enforcement actions of 2025 saw Honda’s user interface design scrutinized for how it interfered with opt-out actions.
What Happened
Honda’s cookie consent tool required consumers to click twice to opt out of data sharing but only once to accept tracking. That’s a dark pattern under CCPA regulations.
The company also required identity verification before opting out of sale and sharing. Privacy request forms required up to eight fields of information, making it difficult for consumers to submit requests.
(This wasn’t all, though: the CPPA also found that vendor contracts used generic data protection language instead of CCPA-specific terms and that employees weren’t sufficiently trained on privacy rights requests.)
The Takeaway
Ask yourself (or your privacy team) if you’re creating obstacles when it comes to exercising privacy rights. This means:
- Cookie consent banners must make opting out as easy as opting in
- If accepting tracking takes one click, declining must also take one click
- Don’t require verification for opt-out requests (CPPA prohibits this)
- Keep privacy request forms simple
- Vendor contracts need specific CCPA statutory language
- Employee training needs to be adequate and documented
Todd Snyder: $345,178 (May 2025)
In May, an online clothing retailer’s 40-day cookie banner outage became evidence of inadequate compliance monitoring and a problematic approach to third-party vendor privacy responsibilities.
What Happened
Cookie banners are essential for informing users about data collection and giving them a chance to consent to tracking and non-essential cookies. But Todd Snyder’s cookie banner disappeared for 40 days, meaning consumers had no way to opt out during that period.
Their website also failed to recognize browser-based universal opt-out mechanisms like Global Privacy Control.
Additionally, like Honda, Todd Snyder required identity verification before consumers could opt out. The privacy rights webform treated all requests the same way, requiring consumers to upload a photo with government-issued ID to exercise any rights.
The Takeaway
You’re responsible when cookie consent technologies fail, not your third-party vendors. That means if your vendor’s platform goes down, stops functioning, or fails to honor opt-outs, you face the penalties. You need:
- Monitoring systems in place to catch failures immediately
- Regular testing protocols to verify the technology works as intended
- Documented oversight showing you’re actively managing these tools
Moreover, the 40-day outage is why continuous monitoring matters. You need systems that alert you immediately when opt-out mechanisms stop working.
Don’t require verification for opt-outs. For other privacy rights requests where verification is necessary, government-issued IDs are overcollection; collect only what’s needed to confirm identity for that specific request type.
Healthline Media: $1.55 Million (July 2025)
The largest CCPA settlement to date arose when the major online health publisher had multiple opt-out mechanisms fail simultaneously.
What Happened
Healthline had proper privacy disclosures, and its cookie banner told consumers they could disable advertising cookies, but the controls didn’t function. Consumers tried to opt out through webforms, cookie managers, and Global Privacy Control, but none of them worked.
As a result, up to 118+ cookies and pixels were still firing data to third parties.
The company also violated purpose limitation rules. Health article titles revealing serious health conditions were shared for advertising purposes. Regulators determined this exceeded reasonable consumer expectations: when you read a health article, you don’t expect that information to be used for targeted ads.
The Takeaway
This is the first CCPA case applying the “reasonable consumer expectation” standard for purpose limitation, and it may signal a shift toward requiring opt-in consent for sensitive data categories.
You can’t just implement one opt-out method and assume you’re compliant. It’s important to test every channel consumers might use and verify that data sharing actually stops when it’s supposed to. Validate this regularly, not just when there are updates.
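One way to run the multi-channel check described above, as an added example that is not from the original article: it audits the network requests captured after opting out through each channel and lists the third-party hosts that still received traffic. The hostnames, the vendor allowlist and the capture data are constructed assumptions; `Sec-GPC: 1` is the request header a browser sends when Global Privacy Control is enabled.

```javascript
// Added example: audit requests captured after opting out via each channel.
// Hostnames, allowlist and captures below are constructed for illustration.
const FIRST_PARTY = "shop.example"; // assumption: the site under test
const ALLOWED_THIRD_PARTIES = new Set(["pay.example"]); // assumption: approved essential vendors

// Constructed sample captures (e.g. exported from a headless browser run).
const CAPTURES = {
  webform: [
    { url: "https://shop.example/account", headers: {} },
    { url: "https://pay.example/sdk.js", headers: {} },
  ],
  cookieManager: [
    { url: "https://shop.example/", headers: {} },
    { url: "https://pixel.adnet.example/t?id=42", headers: { cookie: "uid=abc" } },
  ],
  gpc: [
    { url: "https://shop.example/", headers: { "sec-gpc": "1" } },
    { url: "https://cdn.shop.example/app.js", headers: { "sec-gpc": "1" } },
    { url: "https://sync.tracker.example/match", headers: { "sec-gpc": "1" } },
    { url: "https://pixel.adnet.example/t?id=42", headers: { "sec-gpc": "1", cookie: "uid=abc" } },
  ],
};

function isFirstParty(host) {
  return host === FIRST_PARTY || host.endsWith("." + FIRST_PARTY);
}

// Return the distinct third-party hosts that still received traffic.
function leakingHosts(requests) {
  const hosts = new Set();
  for (const req of requests) {
    const host = new URL(req.url).hostname;
    if (!isFirstParty(host) && !ALLOWED_THIRD_PARTIES.has(host)) hosts.add(host);
  }
  return [...hosts].sort();
}

// Audit every channel; the GPC run is valid only if the signal was actually sent.
function auditChannels(captures) {
  const report = {};
  for (const [channel, requests] of Object.entries(captures)) {
    const hosts = leakingHosts(requests);
    const signalSent = channel !== "gpc" ||
      requests.some((r) => isFirstParty(new URL(r.url).hostname) && r.headers["sec-gpc"] === "1");
    report[channel] = { pass: signalSent && hosts.length === 0, signalSent, hosts };
  }
  return report;
}

console.log(JSON.stringify(auditChannels(CAPTURES), null, 2));
```

Run on a schedule against fresh captures, a failing channel in this report is the alert condition; the allowlist should contain only vendors whose contracts and purposes have been reviewed.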
Tractor Supply: $1.35 Million (September 2025)
Multiple compliance failures piled up in the third-largest CCPA enforcement action of 2025: Tractor Supply was found to have outdated privacy policies, missing employee notices, and non-functioning opt-out systems.
What Happened
Tractor Supply failed to maintain a current privacy notice on its website. The company didn’t present privacy notices to job applicants during the hiring process, violating CCPA’s requirement to inform consumers at the point of data collection. When consumers submitted opt-out requests through the company’s webform, third-party tracking continued. The company failed to honor universal opt-out mechanisms like Global Privacy Control. Vendor contracts lacked CCPA-specific terms.
The Takeaway
Privacy notices must be current and accessible at every collection point—including employment applications. To avoid the same pile-on of problems:
- Keep privacy notices current and accessible at every collection point
- Remember that job applicants are consumers, too, and provide privacy notices to them as well
- Test opt-out systems by submitting requests and verifying tracking stops across all third parties
- Implement Global Privacy Control recognition to honor automated opt-out signals
Sling TV: $530,000 (October 2025)
A streaming service’s confusing opt-out design is another example of how making consumers hunt for privacy controls can lead to enforcement exposure.
What Happened
Sling TV’s “Your Privacy Choices” link only directed consumers to cookie preferences. If consumers wanted to opt out of other data sales, they had to hunt for a separate link that was embedded in a block of text. All in all, it was a confusing and frustrating process for consumers looking to exercise their privacy rights.
And like Todd Snyder and Honda, Sling TV required identity verification to opt out. Finally, they also failed to provide adequate protections for children on the platform.
The Takeaway
Your “Do Not Sell My Personal Information” link must cover all relevant data practices, not just cookies. Making consumers hunt through text for additional opt-out options defeats the purpose, and regulators will treat that as non-compliance.
If children use your platform, you need specific protections beyond what’s required for adults. That means:
- Obtaining parental consent before collecting data from children under 13
- Providing opt-in mechanisms (not just opt-out) for children under 16
- Implementing age-appropriate privacy controls
When children are involved, the default must be maximum privacy protection unless parents explicitly authorize otherwise.
Jam City: $1.4 Million (November 2025)
A mobile gaming company faced the year’s second-largest penalty when regulators discovered the company failed to offer opt-out mechanisms in its mobile apps.
What Happened
Jam City, maker of popular mobile games based on franchises like Harry Potter and Frozen, collected and shared consumer data for advertising across 21 mobile apps.
Despite generating revenue through personalized advertising, the company didn’t offer any CCPA-compliant opt-out methods in any of its apps. The company also used age gates to screen users but didn’t implement the necessary protections for children after collecting that age information.
The Takeaway
If you collect data through mobile apps, opt-out mechanisms must exist within those apps—not just on your website. The $1.4 million penalty reflects complete absence of required controls rather than controls that didn’t work quite right. And if you’re using age gates or other screening tools, regulators will infer you know users’ ages and expect you to implement appropriate protections for minors.
Oregon Shows What’s Coming When Cure Periods Disappear
California’s enforcement actions came with substantial penalties, but at least companies knew what regulators were examining. Oregon’s first-year report offers a preview of what happens when the safety net disappears.
In August 2025, Oregon published enforcement data revealing 214 consumer complaints in the first year: 77 about companies denying deletion requests, 20 about incomplete responses that provided transaction history but not marketing profiles or behavioral predictions, and 19 about companies refusing to identify specific third parties who received consumer data. Technical failures appeared repeatedly—rights request forms missing Oregon from dropdown menus, self-help mechanisms that only worked for account holders.
Oregon’s 30-day cure period ends January 1, 2026. After that date, these consumer complaints turn directly into enforcement actions without warning.
Privacy Regulators are Coordinating Across State Lines
California and Oregon aren’t the only states moving towards enforcement. In October 2025, the California Privacy Protection Agency announced that Minnesota and New Hampshire joined the Consortium of Privacy Regulators, a bipartisan group that includes nine states committed to privacy enforcement efforts.
These states hold regular meetings, share expertise and resources, and, perhaps most importantly, coordinate investigations into potential violations. This has already yielded investigations and enforcement:
- In November 2025, Connecticut, California, and New York came to a $5.1 million settlement with Illuminate Education following a 2022 data breach exposing sensitive information for over 4.7 million students. As a result, Illuminate faced comprehensive requirements across all three states rather than separate conflicting enforcement actions.
- In September 2025, California, Colorado, and Connecticut launched a joint investigation that targeted businesses failing to honor GPC signals. They sent letters to businesses not processing opt-out requests and requested immediate compliance. This was noted as the consortium’s first major enforcement initiative, where regulators actively identified non-compliant businesses rather than waiting for complaints.
Companies operating across multiple states can’t assume enforcement will stay siloed within individual jurisdictions. Nor can they assume that regulators will sit on their hands and wait for complaints; action is becoming increasingly proactive.
Need Help Getting your Privacy Operations Enforcement-ready?
Red Clover Advisors works with companies to audit technical controls, review vendor relationships, and test opt-out mechanisms before regulators do.
Resources to help you prepare:
- 2026 Privacy Compliance Checklist — Essential steps to build a sustainable privacy program
- Third-Party Risk Management Guide — Practical guidance for vendor privacy risk management
- Guide to Cookie Governance — Manage cookies with legal, technical, and operational confidence
Schedule a consultation to discuss what 2025 enforcement actions mean for your compliance program.
The post 2025 Privacy Enforcement: What the Past Year Teaches About 2026 Compliance appeared first on Red Clover Advisors.