The California Privacy Protection Agency (CPPA) continues to actively enforce the CCPA, announcing two new enforcement cases last week.
The following companies were targeted:
PlayOn Sports: $1.1 million fine
The company formally provided an opt-out option (email + phone), but:
Requests were not applied to on-site tracking technologies.
Users were redirected to third-party opt-out tools.
The cookie banner essentially forced users to click “Accept” without providing an equivalent alternative.
On mobile devices, it was even stricter: users couldn’t access their tickets without consenting to tracking.
Ford: Over $375,000 fine
The issue here was different: excessive verification. The company required identity verification for opt-out requests. The regulator explicitly stated that this creates “unnecessary friction” and violates the law.
Key Takeaways for Businesses:
The opt-out mechanism must be functional, not just formal. It should be genuinely simple and effective, without extra steps, verification hurdles, or user restrictions.
Interface design must remain neutral: “Accept” and “Reject” buttons should be given equal weight, and cookie banners should not block access or nudge users toward consent.
Furthermore, it is crucial not only to implement opt-out features but also to regularly verify that they work correctly across all tracking tools.
Both cases center on the same principle: the user’s right to opt out of data sharing.
The CPPA has already initiated discussions on new rules regarding “reducing friction” for users exercising their rights. Comments are being accepted until April 6, a clear signal that regulation is becoming even stricter.
Conclusion: The regulator no longer looks at the mere “existence of a policy”; it looks at the actual User Experience (UX). If a user finds it difficult to opt out of data sharing, it is now the business’s problem.