In the span of just a couple days, the California Privacy Protection Agency (CalPrivacy) announced two significant privacy enforcement actions, highlighting the increasing scrutiny on companies’ handling of personal data. These actions underscore the agency’s commitment to ensuring that businesses comply with privacy laws designed to protect individuals’ rights, particularly focusing on transparency and ease of data control for consumers. The cases involve a youth sports media company and the automotive giant Ford, both of which were alleged to have engaged in practices that violated consumers’ opt-out rights.

In the action against PlayOn Sports, CalPrivacy took particular issue with the fact that PlayOn directed users to opt out through the Network Advertising Initiative and the Digital Advertising Alliance as opposed to providing its own opt-out mechanism. CalPrivacy also alleged a failure to recognize opt-out signals and insufficient privacy notices. In its public announcement, CalPrivacy’s head of enforcement stated that “[s]tudents trying to go to prom or a high school football game shouldn’t have to leave their privacy rights at the door.” PlayOn was fined $1.1 million and agreed to modify its practices.

In a separate action, CalPrivacy alleged that Ford added unnecessary friction to the opt-out process, making it cumbersome for consumers to exercise their right by requiring email verification. The agency acknowledged that Ford “didn’t intend” to require consumers to verify their identities, but it stated that the action shows it “will pursue violations regardless of intent.” As part of the settlement, Ford will pay a fine and has committed to streamlining its opt-out procedures.

These enforcement actions serve as an important reminder that regulators are still extremely focused on public-facing aspects of privacy regimes, and especially the granular details of opt-out mechanisms. Companies should review their processes carefully.