Regulators on both sides of the Atlantic fired shots in the same week of March 2026 — and they both hit the same target. The European Data Protection Board activated a pan-European enforcement sweep focused on how organisations disclose data practices to users. Meanwhile, California had already opened the year with more than $4 million in settled penalties against Disney, Ford, and PlayOn Sports — all stemming from opt-out mechanisms that failed in practice, not in writing.
If you're running a consent flow today, both actions are directly relevant to your stack.
What the EDPB's CEF 2026 Actually Means for You
On 19 March 2026, the EDPB formally launched its Coordinated Enforcement Framework (CEF) action for the year. The topic: compliance with GDPR transparency and information obligations under Articles 12, 13, and 14.
In plain terms, those articles require that when you collect personal data, you tell users what you're collecting, why, who receives it, and how long you keep it — in language that is concise, intelligible, and easy to find. Not buried in a 6,000-word policy, and not written for lawyers.
What makes this enforcement round different from a DPA sending a strongly worded letter to one company:
- 25 national DPAs across Europe are participating, running investigations in parallel using a shared audit methodology.
- Results will be aggregated by the EDPB and can trigger targeted follow-up at both national and EU level.
- Previous CEF topics (right of access in 2024, right to erasure in 2025) each produced formal investigations and, in some cases, enforcement actions.
The transparency sweep specifically targets Articles 12–14 — the rules that require organisations to proactively inform users when their data is processed. That scope covers your cookie banner, your privacy policy, and every first-party data collection point (forms, checkout, analytics pixels, ad tags). If your policy hasn't been updated to reflect your actual data flows, you're exposed.
California's $4M+ CCPA Opt-Out Enforcement Wave
While European DPAs geared up for their transparency sweep, California was already issuing fines.
On 11 February 2026, California Attorney General Rob Bonta announced a $2.75 million settlement with Disney and ABC — the largest CCPA settlement to date. The core issue: Disney could track users across all its streaming services for advertising, but when consumers used toggle settings to opt out, the opt-out applied only to that specific service and device. The capability to link accounts existed; Disney simply didn't apply it to honour user choices.
Shortly after, in the first week of March, CalPrivacy announced two more enforcement actions totalling nearly $1.5 million, involving Ford and PlayOn Sports:
- Ford required consumers to complete an email verification step before their opt-out request would be processed — something CCPA explicitly prohibits. As a result, valid requests went unprocessed.
- The PlayOn Sports action was the first CalPrivacy decision to address privacy violations involving students and California schools.
Taken together, these cases send a clear message: regulators are technically testing opt-out flows, not just reading privacy policies. Investigative sweeps used in the Disney case targeted streaming services and connected TV devices for potential CCPA violations — and found them.
The Common Root Failure
Strip away the jurisdictions and the specific statutes, and both enforcement waves are reacting to the same pattern:
- Privacy controls that work in policy but not in practice. Disney's banner let you opt out. It just didn't apply the opt-out consistently. Ford's process looked functional. It required unnecessary friction that invalidated the request.
- Disclosure that describes but doesn't inform. The EDPB's transparency focus targets policies that technically mention data processing but fail to clearly tell users what is actually happening — vague third-party references, missing legal bases, boilerplate language that hasn't been updated when data flows changed.
Both regulators are essentially saying: we're going to look at what your system does, not what your policy says.
Four Checks to Run Right Now
Given active enforcement on both Article 12–14 transparency obligations and CCPA opt-out mechanisms, here is a practical starting point:
- Audit your privacy notice against your actual data flows. List every third-party tag and pixel firing on your site. Check whether your policy names them, explains the processing purpose, and states the legal basis. Vague language like "we may share data with trusted partners" will not satisfy the EDPB's 2026 standard.
- Test your opt-out end-to-end. Submit a real opt-out or "do not sell / share" request and trace it through every downstream system — your CMP, your tag manager, your analytics platform, your ad stack. Verify that cookies blocked in your consent UI are actually blocked, not just labelled as blocked.
- Remove verification friction from opt-out flows. Do not ask users to verify their identity to exercise an opt-out right. CCPA prohibits that requirement, and Ford's six-figure penalty is a direct precedent.
- Check cross-service consistency. If a user opts out on one property or device, does that signal propagate to linked accounts and services? Disney's fine makes this an operational requirement, not a nice-to-have.
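The first two checks can be automated against request captures taken before and after an opt-out. The sketch below is an added example, not CookieGap's code. The site name, vendor domains, the sale_or_share flag and both captures are constructed for illustration.

```python
from urllib.parse import urlsplit

FIRST_PARTY = "shop.example"  # constructed site under audit

# Constructed: vendors the privacy notice names, keyed by serving domain.
# sale_or_share marks processing that must stop after a CCPA opt-out.
DISCLOSED = {
    "analytics-vendor.example": {"purpose": "analytics", "sale_or_share": False},
    "ads-vendor.example": {"purpose": "advertising", "sale_or_share": True},
}

# Constructed captures (e.g. URLs exported from a browser HAR file).
BEFORE_OPTOUT = [
    "https://shop.example/",
    "https://cdn.shop.example/app.js",
    "https://t.analytics-vendor.example/collect?id=1",
    "https://px.ads-vendor.example/pixel.gif",
    "https://sync.retarget.example/match",
]
AFTER_OPTOUT = [
    "https://shop.example/",
    "https://t.analytics-vendor.example/collect?id=1",
    "https://px.ads-vendor.example/pixel.gif?optout=1",
]

def matches(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def third_party_hosts(urls, first_party):
    hosts = {(urlsplit(u).hostname or "").lower() for u in urls}
    return sorted(h for h in hosts if h and not matches(h, first_party))

def undisclosed(urls, first_party, disclosed):
    """Check 1: hosts that fire on the site but are not named in the notice."""
    return [h for h in third_party_hosts(urls, first_party)
            if not any(matches(h, d) for d in disclosed)]

def optout_leaks(urls_after, first_party, disclosed):
    """Check 2: after opt-out, any sale/share vendor or unknown host still firing."""
    leaks = []
    for h in third_party_hosts(urls_after, first_party):
        vendor = next((d for d in disclosed if matches(h, d)), None)
        if vendor is None or disclosed[vendor]["sale_or_share"]:
            leaks.append(h)
    return leaks

if __name__ == "__main__":
    print("Not in notice:", undisclosed(BEFORE_OPTOUT, FIRST_PARTY, DISCLOSED))
    print("Still firing after opt-out:", optout_leaks(AFTER_OPTOUT, FIRST_PARTY, DISCLOSED))
```

An opt-out parameter on the ad pixel URL does not clear it here: the request still left the browser, which is the behaviour an end-to-end test is meant to surface.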
The Practical Takeaway
The EDPB CEF and the California actions are coincidental in timing but not in cause. Both reflect a shift in enforcement methodology: regulators are now running technical audits and testing actual user journeys rather than reviewing policy documents in isolation.
For compliance and development teams, this means consent management is not a deploy-and-forget configuration. Disclosures drift out of sync when new vendors are added. Opt-out signals break when tag managers are updated. A quarterly review cycle — matching your actual cookie scan against your live privacy notice and testing opt-out flows across devices — is now a minimum defensible standard.
If you haven't scanned your site's cookies recently, now is a good moment to find out what's actually firing — and whether your notice covers it.