By Mark Sanborn
Senior Product and Regulatory Counsel
As we detailed in a previous article, on July 1, 2025, California Attorney General Rob Bonta announced a landmark $1.55 million settlement in a privacy enforcement action against Healthline Media—the largest California Consumer Privacy Act (CCPA) settlement to date..
Beyond its record-setting size, this enforcement action reveals several clear reasons why all dealers must implement both CCPA privacy functionality as well as a properly functioning cookie banner on all websites. Indeed, this settlement highlights the necessity of implementing a functional and comprehensive “triple opt-out” system. While the phrase “triple opt-out” does not explicitly appear in the CCPA or its regulations, this case strongly suggests the Attorney General expects businesses to provide—and effectively honor—multiple, simultaneous opt-out mechanisms for consumers.
What Exactly is the “Triple Opt-Out”?
The “triple opt-out” is a term that appears to be used for the first time in the Healthline case, but the components of the concept have existed for some time. “Triple opt-out” refers to providing consumers multiple, interconnected methods to clearly and effectively express their privacy preferences. Specifically, the three components of a triple opt-out include:
- Cookie Consent Banner: A prominent, clearly understandable cookie banner displayed directly on your website. This banner should explicitly inform consumers about privacy and cookie practices, including targeted advertising and tracking cookies if applicable, allowing consumers to make informed cookie consent choices through an easily accessible interface.
- Do Not Sell or Share Link: Clearly placed links on websites that link directly to a consumer request portal, enabling consumers to exercise their privacy rights, including opting out of data selling or sharing.
- Global Privacy Control (GPC): The CCPA mandates businesses to honor browser-based opt-out preference signals such as the Global Privacy Control (GPC). This universal signal enables consumers to set their privacy preferences once through their browser settings, automatically communicating opt-out preferences to all participating websites.
Previously, businesses may have viewed these three methods as alternative approaches or, in some cases, optional extras. The Healthline enforcement action strongly suggests that the AG views the combination of all three methods as necessary for true compliance, effectively setting a new implied standard for consumer privacy protection.
The importance of the triple opt-out as a compliance standard is reinforced by the AG’s additional citation of Healthline for violating the CCPA’s purpose limitation principle. This principle requires businesses to use personal information only for the specific purposes disclosed at the time of collection, or for other purposes that are compatible with those disclosures and consistent with consumers’ reasonable expectations. By providing clear and accurate disclosures—such as those in a cookie banner—businesses can effectively establish and manage consumer expectations.
Privacy Settings Must be Honored—Without Exception
A key takeaway from the Healthline investigation is that simply providing consumers with the triple opt-out mechanisms is not sufficient—businesses must ensure these mechanisms reliably honor consumer choices. Cookie banners, consumer request portals, and universal browser signals must each function exactly as promised.
Triple Opt-Out: The New Normal for Privacy Compliance
The Healthline enforcement case sets the new implied expectation from the Attorney General: dealers must provide and honor a comprehensive “triple opt-out” system. Merely offering limited opt-out methods, or providing multiple methods that fail in practice, will not meet this standard.
Bottom Line for Dealers
Dealers who previously may have viewed cookie banners as optional (or required only in relation to CIPA or related claims) under the CCPA should now reconsider that stance in light of the AG’s enforcement action. Implementing a clear, functional cookie banner as part of a triple opt-out strategy is the emerging standard for CCPA compliance for ALL California dealers.
Ensure your dealership meets these implicit privacy compliance standards seamlessly. ComplyAuto provides comprehensive privacy compliance solutions—including fully functional cookie banners, GPC support, and robust vendor oversight. Contact ComplyAuto to simplify your compliance and protect your dealership today.