California AG Secures $530,000 Settlement With Sling TV: A New Phase In CCPA Enforcement

Insights

Our insights are intended to discuss in a general nature the legal developments relating to our core areas of practice. Insights should not be construed as legal advice or legal opinion. Furthermore, these matters are continually subject to change, and therefore the information below may not reflect the most current legal developments. Readers should not act or rely upon the information without seeking specific advice relating to their facts and circumstances from legal counsel.

CCPA Privacy Law Harry Richt November 6, 2025

Contents show

California Attorney General Rob Bonta recently announced a $530,000 settlement with Sling TV, marking the fifth enforcement action by the Attorney General’s office and the eighth overall under the California Consumer Privacy Act (CCPA) since its enactment (See other enforcement actions against: Honda, Todd Snyder, Healthline, among others). The official press release detailing the case is available on the California OAG’s website, and the complaint outlining the allegations can be viewed here.

The settlement underscores two key themes defining current privacy enforcement trends—honoring consumer opt-out rights and protecting children’s personal information. According to Attorney General Bonta, Sling TV failed to (1) properly process user opt-out requests related to personal data sales and sharing, and (2) implement adequate safeguards for children’s privacy.

Enforcement Momentum Continues

This follow-through by the Attorney General’s office came roughly a year after regulators announced a sweep of streaming services to examine compliance with CCPA data-sharing rules. The Sling TV case confirms that such investigations are not merely symbolic, as California regulators are continuing to expand and deepen enforcement activity within targeted industries. It also illustrates how CCPA enforcement has matured into a steady pipeline of investigations, settlements, and compliance mandates.

At this pace, CCPA enforcement is becoming a routine compliance risk across consumer-facing sectors, including entertainment, retail, and technology. That trend amplifies the need for companies to maintain clear privacy policies and broader privacy compliance programs, including with respect to cookies and opt-out mechanisms such as the Global Privacy Control (GPC), robust consent tools, and transparent user privacy rights mechanisms, particularly where personal information is sold, shared, or used for cross-context behavioral targeted advertising.

Opt-Outs Go Beyond Cookies

An important takeaway from this enforcement is that the opt-out violations did not solely concern cookies. The AG found Sling TV’s interface made it difficult for consumers to exercise their opt-out rights, particularly with respect to non-cookie-based data sharing.

That finding reinforces a crucial compliance point: the CCPA and CPRA regulate the processing and transfer of personal information, not just the use of cookies. Businesses must ensure they have mechanisms to capture and honor opt-out choices across all types of tracking technologies, APIs, and data partnerships, not just web-based cookies.

For companies developing compliance programs, this underscores the importance of data mapping beyond browser activities, verifying all data-sharing arrangements, and ensuring required contracts regulating them via data processing agreements (DPAs) or similar contractual restrictions.

Children’s Data: A Growing Enforcement Priority

Equally notable, the case highlights Sling TV’s alleged failure to implement adequate parental control mechanisms or obtain verifiable parental consent for children’s profiles. Under recent amendments, children’s data is now classified as “sensitive personal information,” making it particularly risky for misuse or monetization.

This action builds momentum behind a broader regulatory focus on children’s online privacy, evident in both California’s Age-Appropriate Design Code Act and legislative trends in other jurisdictions. Businesses engaging with minors online should ensure that age-gating, preference management, and consent-capture systems are technically sound and verifiable.

Looking Ahead

The Sling TV settlement reveals that privacy regulators are becoming more operationally advanced in identifying, investigating, and enforcing compliance. The takeaway for organizations is clear: compliance is now an operational discipline, not a static checkbox exercise. Companies should expect coordinated enforcement between the California Privacy Protection Agency (CPPA) and the Attorney General’s office, as well as consortia that have formed, all of which are actively looking beyond traditional web tracking to broader data ecosystems.

For businesses in streaming, advertising, or e-commerce, now is the time to proactively assess how their data collection and sharing practices align with the CCPA and other privacy laws, amend their user interfaces, and revisit their privacy notices.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Insights