Lessons Learned from 2025 CalPrivacy Enforcement - NAI: Network Advertising Initiative

A Guest Blog by Nikki Muggli and Noor Sandhu | January 22, 2026

Introduction

CalPrivacy’s 2025 enforcement actions against American Honda Motor Co., Todd Snyder, and Tractor Supply marked the beginning of a more technical and outcomes-focused approach to California Consumer Privacy Act (CCPA) enforcement.1 2 These actions follow a gradual ramp-up in activity since CalPrivacy formally gained administrative enforcement authority in mid-2023, after an initial period focused on rulemaking, guidance, and investigation.

Each 2025 enforcement action was resolved through stipulated settlement orders in which the respondent companies did not admit wrongdoing. Nevertheless, the orders reflect CalPrivacy’s interpretation of CCPA requirements and signal how it expects businesses to operationalize compliance. Across these actions, CalPrivacy concentrated on how everyday website tools function in practice, how those tools are described to consumers, and whether the resulting data flows are governed by contracts containing the CCPA’s required provisions. Cookies, pixels, analytics scripts, and loyalty integrations were evaluated based on their actual data flows, which often transmitted identifiers to third parties for cross-context behavioral advertising. But a cookie tool that stops relevant data flows may still fall short of CCPA compliance if consumers are not clearly informed that using the tool effectuates their California opt-out rights.

Collectively, these cases suggest that CalPrivacy understands the concepts of “selling” and “sharing” broadly enough to include routine tracking technologies that support analytics, personalization, or, in certain circumstances, measurement. The agency is establishing a clear expectation that businesses understand and control these technologies, implement effective opt-out mechanisms, and maintain contracts that appropriately govern further processing of personal information.

Enforcement Lessons from Honda, Todd Snyder, and Tractor Supply 

A central takeaway from CalPrivacy’s 2025 enforcement actions is how the agency is applying the CCPA’s statutory concepts of “selling,” “sharing,” and “third-party” status to common tracking technologies. Across the Honda, Todd Snyder, and Tractor Supply matters, CalPrivacy evaluated whether personal information was made available to third parties for cross-context behavioral advertising, whether consumers were provided a meaningful opportunity to opt out of that activity, and whether contracts satisfied the CCPA’s express requirements for limiting downstream data use.

Under the CCPA, a “sale” of personal information requires a transfer to a third party for monetary or other valuable consideration.3 By contrast, “sharing” personal information with a third party for cross-context behavioral advertising does not require any form of consideration. The focus is on purpose: whether the data is provided in a way that enables a third party to track consumers across sites or services and use those insights for targeted advertising.4 The statute defines cross-context behavioral advertising as targeting advertising to a consumer based on personal information obtained from the consumer’s activity across businesses, websites, applications, or services other than the business with which the consumer intentionally interacts.5

CalPrivacy’s 2025 settlements demonstrate how these statutory elements operate in practice. Rather than relying on cookie labels, stated intent, or disclosure language, the agency examined how tracking tools functioned, how data recipients were permitted to use the information they received, and whether opt-out mechanisms and contracts actually effectuated the limitations required by the CCPA. 

The resulting enforcement lessons emerge most clearly when viewed through the individual cases:

Honda: Opt-out mechanisms must be easy to use and must effectuate the statutory right to opt out of selling or sharing.

  • The agency closely examined how Honda’s opt-out mechanisms functioned in practice, concluding that requiring consumers to provide extensive personal information to submit opt-out and limitation requests imposed friction that is inconsistent with the CCPA’s opt-out framework.
  • CalPrivacy treated disclosures of identifiers through tracking technologies as “sharing” where those disclosures enabled cross-context behavioral advertising and vendors were not contractually restricted from reusing the data.
  • The lack of contracts containing the CCPA’s required limitations on use, disclosure, and sharing was central to the analysis, reinforcing that vendor classification and selling or sharing determinations turn on enforceable contractual terms rather than business intent or internal categorizations.

Todd Snyder: Opt-out and consent tools must function as intended in practice.

  • Regulators analyzed backend data flows from embedded tools, including a specific example in which identifiers transmitted through a website integration were made available to a third-party platform and used in a manner consistent with cross-context behavioral advertising, leading CalPrivacy to treat the disclosure as “sharing” under the statute.
  • Although Todd Snyder presented consumer-facing tools that appeared to offer choice, CalPrivacy focused on whether those tools actually prevented selling or sharing in practice and whether opting out was meaningfully equivalent to opting in.
  • The case reflects CalPrivacy’s emphasis on functional compliance: cookie categories and banner descriptions cannot override the statutory analysis where data continues to flow to third parties without sufficient technical or contractual restrictions.

Tractor Supply: Contracts are always required and are foundational to determining whether vendors are service providers, contractors, or third parties.

  • CalPrivacy alleged that certain analytics and loyalty vendors used personal information for advertising-related purposes beyond Tractor Supply’s own operations, triggering “sharing” where those vendors were not contractually restricted as service providers or contractors.
  • The agency found that Tractor Supply’s contracts lacked required CCPA provisions, including limits on use, prohibitions on selling or sharing, compliance obligations, and audit rights, preventing vendors from qualifying for non-third-party status under the statute.
  • These contractual deficiencies, combined with ineffective opt-out mechanisms and inadequate consumer notices, led CalPrivacy to treat routine vendor relationships as third-party disclosures subject to opt-out obligations.

Taken together, these cases show that CalPrivacy is assessing CCPA compliance based on how systems actually function across the data lifecycle, not solely on the presence of required policy disclosures, links, or labels. Businesses should consider testing whether opt-out choices actually stop relevant third-party data transfers, ensure consumers can understand the effect of their selections, and maintain contracts and internal processes that constrain downstream use of personal information once it leaves the business.

Enforcement Themes & Takeaways for Businesses

Four themes stand out across CalPrivacy’s 2025 enforcement decisions:

  • First, these decisions interpret the CCPA to cover a broad set of tracking tools that transmit identifiers to external platforms in support of targeted advertising.
  • Second, CalPrivacy is prioritizing the reality of downstream data use over how tracking tools are labeled or described, treating data transfers as sharing where recipients are not meaningfully restricted from reusing the data for advertising or other independent purposes.
  • Third, CalPrivacy is raising compliance expectations for businesses deploying tracking technologies. Honda and Todd Snyder faced scrutiny for consent designs that made opting out harder than opting in, while Tractor Supply was required to inventory all tracking technologies and ensure that opt-out preference signals were honored.
  • Fourth, CalPrivacy is underscoring the central role of contracts in all personal information transfers, not only in determining service provider or contractor status but also in governing relationships with third parties. Across these actions, the agency treated missing or deficient contractual terms as a core compliance failure, both where vendors were improperly classified and where required third-party agreements were absent or incomplete.

These cases signal that CCPA compliance is no longer being assessed solely on the presence of required disclosures, links, or consent mechanisms. Instead, CalPrivacy is also closely examining whether those tools actually function as intended, accurately reflect how data is used in practice, and meaningfully restrict downstream data flows. Businesses must map and monitor their third-party integrations, deploy opt-out mechanisms that effectively stop data transfers, and maintain contracts and internal processes that restrict downstream use of personal information.


  1. In 2025, CalPrivacy also pursued enforcement actions under other California privacy laws, including the Data Broker Registration statute and the Delete Act. This analysis is limited to CalPrivacy’s enforcement activity under the CCPA.
  2. While both the California Attorney General and CalPrivacy have authority to enforce the CCPA, this blog post focuses specifically on enforcement actions brought by CalPrivacy in 2025.
  3. Cal. Civ. Code § 1798.140(ad) (defining “sell,” “selling,” “sale,” or “sold” as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating … a consumer’s personal information by the business to a third party for monetary or other valuable consideration”).
  4. See Cal. Civ. Code § 1798.140(ah) (defining “share,” “shared,” or “sharing” as making personal information available to a third party for cross-context behavioral advertising, “whether or not for monetary or other valuable consideration”).
  5. Cal. Civ. Code § 1798.140(k) (defining “cross-context behavioral advertising” as “the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly branded internet websites, applications, or services, other than the business, distinctly branded internet website, application, or service with which the consumer intentionally interacts”).