Privacy Enforcement Actions & Penalties

Adding Unnecessary Friction to Opt-Out Process

The California Privacy Protection Agency (CPPA) fined Ford Motor Company $375,703 for adding unnecessary friction to the consumer opt-out process. Ford required consumers to verify their email address before their opt-out requests would be processed — those who did not click the confirmation link had their requests ignored. This was CalPrivacy's second enforcement action stemming from its connected vehicles investigative sweep. Ford must process all previously unfulfilled opt-out requests, provide compliant opt-out submission methods, audit tracking technologies on its website, and ensure proper handling of opt-out preference signals.

Student Privacy / Failure to Provide Opt-Out

The California Privacy Protection Agency (CPPA) issued a $1.10 million fine against PlayOn Sports, whose GoFan platform sells digital tickets for approximately 1,400 California schools. PlayOn used tracking technologies to deliver targeted ads to ticketholders without providing a sufficient opt-out mechanism, instead directing users to third-party ad industry tools rather than operating its own opt-out. This is the first CPPA enforcement action addressing student privacy violations.

Failure to Honor Opt-Out Across Services

California Attorney General Rob Bonta secured the largest CCPA settlement in state history — $2.75 million against Disney for failing to fully effectuate consumer opt-out requests across all streaming services and devices linked to their Disney accounts. When consumers opted out on one Disney streaming app, the opt-out did not carry across to other Disney platforms like Hulu or ESPN+.

Failure to Register as Data Broker

The CPPA's newly launched Data Broker Enforcement Strike Force fined Rickenbacher Data LLC (d/b/a Datamasters) $42,000 for failing to register as a data broker under the California Delete Act (SB 362). This was one of the first enforcement actions by the Strike Force, demonstrating the CPPA's aggressive posture toward data broker compliance.

Children's Privacy / Failure to Honor Opt-Out

California Attorney General Rob Bonta announced a $1.4 million settlement with Jam City, a mobile gaming company, for CCPA violations including lacking opt-out mechanisms in 20 of 21 apps and selling personal information of minors aged 13-16 without obtaining required affirmative authorization.

Failure to Honor Opt-Out / Privacy Notice Violations

The California Privacy Protection Agency (CPPA) issued its largest monetary penalty to date — $1.35 million against Tractor Supply Company for failing to properly notify consumers and job applicants of their privacy rights, failing to maintain adequate service provider agreements, and failing to provide effective opt-out mechanisms.

Privacy Notice Deficiencies / Inoperable Opt-Out

Connecticut Attorney General William Tong announced the state's first enforcement action under the Connecticut Data Privacy Act (CTDPA) — an $85,000 settlement with TicketNetwork, Inc., a Connecticut-based online ticket marketplace. The AG found that TicketNetwork's privacy notice was "largely unreadable," lacked required consumer data rights disclosures, and had misconfigured or inoperable opt-out mechanisms. The company had been given multiple notices to cure since November 2023 but failed to fully remediate.

Failure to Honor Opt-Out Requests

California Attorney General Rob Bonta announced a $1.55 million settlement with Healthline Media LLC for violating the CCPA by failing to honor opt-out requests and improperly sharing consumer data with third parties.

Unauthorized Data Collection

Texas Attorney General Ken Paxton secured a $1.375 billion settlement with Google related to data privacy rights of Texans. The settlement addressed unauthorized collection and use of personal data, marking the second billion-dollar privacy settlement for Texas.

Unauthorized Biometric Data Collection

Texas Attorney General Ken Paxton secured a record $1.4 billion settlement with Meta for running facial recognition on photos uploaded to Facebook without user consent, violating the Texas Capture or Use of Biometric Identifier Act (CUBI). This is the largest privacy settlement ever obtained by a single state.

Children's Privacy / Dark Patterns

NGL Labs settled for $5 million for collecting personal data from children under 13, using dark patterns to lure young users, and marketing a paid subscription feature using fake messages that appeared to come from real people.

Unauthorized Sharing of Health Data

Telehealth firm Cerebral was fined $7 million for sharing sensitive health data of nearly 3.2 million users with third parties for advertising purposes and for making it difficult to cancel subscriptions.

Geolocation Data Collection Without Consent

The FTC settled with InMarket Media, prohibiting the data aggregator from selling or licensing precise location data. InMarket tracked consumers' locations to serve targeted advertising without informed consent.

Sale of Sensitive Location Data

The FTC banned data broker X-Mode Social (now Outlogic) from sharing or selling sensitive location data, marking the first FTC action to prohibit a data broker from selling sensitive location data.

Facial Recognition Misuse

The FTC banned Rite Aid from using facial recognition technology for five years after the company's surveillance system falsely flagged consumers, disproportionately impacting people of color.

Children's Privacy Violation

Mobile game developer Tilting Point Media settled for $500,000 for collecting personal information from children under 13 playing its games without parental consent.

Sale of Sensitive Geolocation Data

The FTC sued data broker Kochava for selling geolocation data that could be used to track people to sensitive locations such as reproductive health clinics, places of worship, and domestic violence shelters. Ongoing litigation.

Children's Privacy / Voice Data Retention

Amazon settled for $25 million for retaining children's voice recordings and geolocation data from Alexa indefinitely, even after parents requested deletion, violating COPPA.

Unauthorized Access to Customer Videos

Amazon's Ring subsidiary paid $5.8 million to settle claims that it allowed employees and contractors to access consumers' private videos and failed to implement adequate security measures.

Unauthorized Sharing of Health Data

Easy Healthcare, maker of the Premom fertility app, was fined for sharing users' sensitive health data with third-party analytics and marketing companies including AppsFlyer, Umeng, and Google without consent.

Unauthorized Sale of Personal Information

DoorDash was fined for selling consumers' personal information to a marketing cooperative without providing notice or an opportunity to opt out of the sale.

Children's Privacy / Dark Patterns

Epic Games paid $275 million for COPPA violations related to Fortnite, collecting personal information from children without parental consent, and using dark patterns to trick players into making unintended purchases.

Failure to Honor Opt-Out

Sephora settled with the California AG for $1.2 million for failing to disclose it was selling consumers' personal information, failing to process opt-out requests via Global Privacy Control (GPC), and failing to cure violations within 30 days.

Children's Privacy Violation

OpenX, a programmatic advertising company, paid $2 million for collecting personal information from children under 13 and for collecting geolocation data from users who opted out.

Deceptive Security Practices

Zoom settled a class action for $85 million related to privacy and security issues including sharing user data with Facebook, Google, and LinkedIn, and falsely claiming end-to-end encryption.

Children's Privacy Violation

Google and YouTube paid $170 million to settle allegations of collecting personal information from children under 13 without parental consent, violating COPPA. This was a joint FTC and New York AG enforcement action.