CCPA Opt-Out Failures

California has long served as the leader in progressive consumer privacy protection. When the California Consumer Privacy Act took effect in 2020, it represented the most comprehensive data privacy legislation any state had enacted. But years later, a significant number of businesses subject to the CCPA are not actually complying with one of its most foundational requirements—the right to opt out of the sale or sharing of personal information.

What makes this significant from a legal standpoint is that this may also constitute violations of California’s Unfair Competition Law, opening the door to private litigation and injunctive relief. Contact our data privacy attorneys if you believe you have a related claim. 

What the CCPA Actually Requires

The CCPA grants California residents several enforceable rights over their personal data. Among the most important is the right to direct a business to stop selling or sharing their personal information with third parties. To honor this right, companies must provide a clear and conspicuous opt-out mechanism—most commonly a “Do Not Sell or Share My Personal Information” link placed prominently on the homepage and throughout the website.

The California Privacy Rights Act, which amended and strengthened the CCPA, made these requirements more demanding. Businesses that use targeted advertising, data brokers, or cross-context behavioral tracking must now ensure their opt-out mechanisms actually function—not merely appear to function. A link that leads to a broken page, a form that times out, a preference center that resets after a few days, or a process so cumbersome that a reasonable consumer would abandon it before completing it can all constitute noncompliance.

The Gap Between Appearance and Reality

Common violations include opt-out links that are buried in fine print rather than displayed prominently, forms that require consumers to submit personal information just to exercise their privacy rights, global privacy control signals that websites fail to recognize or honor, and opt-out preferences that expire automatically or reset without user action.

Each of these practices undermines the core purpose of the CCPA. The statute was designed to give consumers a genuine, workable mechanism for controlling how their data is used commercially. When companies engineer opt-out processes to be technically present but functionally useless, they retain the economic benefit of data monetization while presenting a facade of compliance.

When CCPA Violations Become UCL Claims

California’s Unfair Competition Law is one of the most powerful consumer protection statutes in the country. It prohibits any business practice that is unlawful, unfair, or fraudulent. These three prongs operate independently—meaning a company can face UCL liability even if its conduct does not constitute a standalone statutory violation, as long as it qualifies as unfair or deceptive by the statute’s broad standards.

When a company violates the CCPA by failing to provide a functional opt-out mechanism, that conduct is unlawful within the meaning of the UCL because it violates an underlying statute. But the conduct may also independently qualify as unfair—it harms consumers by stripping them of statutory rights they are legally entitled to exercise.

The Business Practices Drawing the Most Scrutiny

California Attorney General recently announced a settlement with the Walt Disney Company, resolving allegations that the company violated the California Consumer Privacy Act by failing to fully effectuate consumer requests to opt-out of the sale or sharing of their data across all devices and streaming services.

Data brokers and people-search websites have faced claims for making opt-out processes nearly impossible to complete without providing additional personal information. Retailers and e-commerce platforms have been targeted for failing to provide a valid opt-out mechanism equivalent to a manual submission. Ad tech companies and social media platforms have faced scrutiny for technical architectures that continue sharing data with downstream partners even after a consumer submits an opt-out request.

In each of these contexts, the legal theory is similar: the business represented—either explicitly or through the structure of its website—that consumers could control their data, while simultaneously designing systems that made effective control impossible or impractical.

What Consumers Can Do

California residents who have attempted to opt out of the sale or sharing of their personal information and believe their request was ignored or undermined may have legal options. A successful UCL claim can result in the business being ordered to change its practices, disgorge profits obtained through the unlawful conduct, and pay restitution to affected consumers. Class action litigation in this space has produced significant results, and the number of active cases continues to grow.

If you submitted a CCPA opt-out request and continued to receive targeted advertising, discovered your data was still being sold to third parties, or encountered a process so defective it prevented you from exercising your rights, your experience may reflect a pattern of unlawful conduct affecting thousands of other California consumers.

Why Hire The Lyon Firm for CCPA and Data Privacy Cases

The Lyon Firm represents consumers in California and across the country in data privacy litigation, including cases involving CCPA opt-out failures, unlawful data sharing, and violations of state unfair competition laws.

If you are a California resident who believes your CCPA rights have been violated, or if you are located anywhere in the country and have concerns about how your personal data is being handled, contact The Lyon Firm today for a confidential case evaluation.