CCPA Enforcement Sweep & EU Data Act Updates

Sept 8–15, 2025

Privacy enforcement intensified across multiple jurisdictions this week. U.S. regulators coordinated a multi-state sweep on Global Privacy Control compliance, Europe rolled out the landmark Data Act, and key state and federal laws saw significant rule-making and public feedback. Organizations must review consent flows, data-sharing contracts, AI governance, and breach protocols to stay ahead of evolving requirements.

CPPA Launches Multi-State GPC Compliance Sweep

On September 10, California’s Privacy Protection Agency (CPPA) joined forces with regulators from Washington, Colorado, and Virginia to launch a coordinated enforcement sweep targeting companies that ignore Global Privacy Control (GPC) signals. The action zeroes in on cookie-consent platforms and server-side implementations that fail to honor browser-level “do not sell” requests. Companies relying on OneTrust, Cookiebot, or home-grown CMP solutions must verify GPC signal recognition across all domains. Early findings suggest up to 40% of websites visited by sweep investigators accepted tracking despite clear opt-out signals, exposing them to potential fines under CCPA and CPRA.
Source

Practical GPC Implementation Guide Published

On September 9, Sourcepoint released an in-depth guide—“How to Honor Consumer Opt-Out Requests via GPC”—detailing server-side and client-side integration methods. The post highlights common pitfalls in OneTrust and Cookiebot setups, recommends fallback strategies for uncaptured signals, and provides sample code snippets for Apache and Nginx servers. It also advises CMP vendors to expose GPC compliance reports to clients, enabling automated audits.
Source
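The sweep above and the Sourcepoint guide both turn on one server-side question: does a request carry a GPC opt-out signal, and did the response honour it? The following is an added illustration, not code from ConsentWatch, the sweep, or the guide. The `Sec-GPC` request header is defined by the GPC specification; the cookie names, the stored-preference cookie, and the policy that a GPC signal overrides a stored opt-in are assumptions made for this example.

```python
"""Server-side Global Privacy Control (GPC) evaluation plus a sweep-style self-check.

Added example. Sec-GPC is the request header the GPC specification defines; the
cookie names and the precedence policy below are assumptions for illustration.
"""
from http.cookies import SimpleCookie

OPT_OUT_COOKIE = "usprivacy_optout"            # assumed name of a stored opt-out choice
TRACKING_COOKIES = {"_ga", "_fbp", "_gcl_au"}  # constructed sample of sale/share cookies


def gpc_signal_present(headers: dict) -> bool:
    """True only for the exact value "1"; any other value is not an opt-out signal."""
    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    return lowered.get("sec-gpc", "").strip() == "1"


def resolve_opt_out(headers: dict, cookie_header: str = "") -> tuple[bool, str]:
    """Decide whether sale/sharing is opted out and record why (for the audit trail).

    Assumed policy: a GPC signal is treated as a valid opt-out request and wins
    over any stored preference, so a stale opt-in cookie cannot re-enable tracking.
    """
    if gpc_signal_present(headers):
        return True, "Sec-GPC header"
    jar = SimpleCookie()
    jar.load(cookie_header)
    if OPT_OUT_COOKIE in jar and jar[OPT_OUT_COOKIE].value == "1":
        return True, "stored opt-out cookie"
    return False, "no opt-out signal"


def gpc_violations(request_headers: dict, set_cookie_values: list[str]) -> list[str]:
    """Sweep-style check over one request/response pair.

    Returns the names of tracking cookies the response set even though the request
    carried a GPC signal; an empty list means the signal was honoured (or absent).
    """
    if not gpc_signal_present(request_headers):
        return []
    found = []
    for raw in set_cookie_values:           # each raw value is one Set-Cookie header
        name = raw.split("=", 1)[0].strip()
        if name in TRACKING_COOKIES:
            found.append(name)
    return found
```

Run `gpc_violations` over captured request/response pairs from each of your domains to reproduce the check the sweep investigators performed, and keep the reason string from `resolve_opt_out` with the request log.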

EPIC Weighs In on NJDPA Proposed Rules

On September 8, the Electronic Privacy Information Center submitted detailed comments on New Jersey’s proposed Data Privacy Act regulations. EPIC urged the Division of Consumer Affairs to strengthen safeguards around biometric and geolocation data, eliminate “consent-bundling” loopholes, and require standardized consent dashboards. The submission calls for explicit prohibition of dark patterns and enhanced breach notification timelines of 48 hours. Public comments close October 1, with final rules expected mid-2026.
Source

EU Data Act Enforcement Begins

Effective September 12, the EU Data Act empowers consumers to access and share data generated by their connected devices. The law bans unfair contractual terms in B2B and B2C data-sharing agreements, while mandating interoperable data formats and cloud portability measures. Manufacturers of IoT products must update user interfaces, API endpoints, and terms of service so that data-subject requests can be fulfilled. Member-state authorities will enforce penalties up to €20 million or 4% of global turnover for non-compliance.
Source

AI Act’s First Enforcement Wave

The EU’s AI Act entered its first enforcement phase this week, prohibiting certain high-risk applications—such as social scoring and biometric surveillance—and requiring strict data governance controls for permitted uses. Organizations deploying AI systems under GDPR’s scope must document data lineage, implement Privacy Impact Assessments, and secure explicit opt-in consent for profiling. The European Data Protection Supervisor is coordinating with national DPAs to audit compliance, focusing on transparency logs and algorithmic impact reports.
Source

CCPA Rule Amendments Finalized

On September 11, the California Privacy Protection Agency approved final amendments to CCPA regulations clarifying the definition of “sale” and extending purposes for which data-sharing service providers can process personal data. The update includes detailed record-keeping requirements for opt-out requests and tighter reuse restrictions for de-identified data. Businesses must align privacy policies by January 1, 2026, and implement robust audit trails for consumer rights requests.
Source

Upcoming COPPA 2.0 Deadline Reminder

The FTC’s Children’s Online Privacy Protection Act amendments, effective June 23, 2025, require full compliance by April 2026. Key changes include mandatory opt-in consent for targeted ads to under-13 users, strict data-retention limits of six months, and new transparency disclosures for Safe Harbor-certified platforms. Businesses should audit their child-focused services now to avoid enforcement actions.
Source

Stay tuned for next week’s privacy brief from ConsentWatch.

Ready to turn compliance into a competitive advantage?

Book a free 30-minute consultation with ConsentWatch today. Our experts will assess your GDPR readiness, identify gaps, and recommend practical steps to keep you ahead of enforcement actions.
Contact Us