The California Attorney General (CA AG) has again made waves in the privacy world, this time with a settlement requiring Sling TV to pay a $530,000 fine and make significant operational changes due to alleged violations of the California Consumer Privacy Act (CCPA) and Unfair Competition Law (UCL). This case signals an increase in CCPA enforcement and a clear mandate for companies: If you haven’t revisited your CCPA program lately, now is the time.

The Sling TV resolution is just the latest example of the CA AG pushing for aggressive interpretations and implementations of the CCPA. Essential takeaways include:

• Demand for “One-Click” Opt-Outs: The CA AG expects companies to provide consumers with direct, frictionless controls to opt out of sales and sharing of their personal information across all channels, including websites, mobile, and TV apps;
• Crackdown on Market Practices: Many compliance methods that have become standard practice, like cookie-only preference centers or requiring consumers to confirm opt-out requests, are now actively discouraged or seen as insufficient; and
• Heightened Children’s Privacy Enforcement: With lots of scrutiny on how companies treat the data of consumers under 16, the CA AG continues to make children’s privacy an enforcement priority.

The CA AG alleged multiple CCPA and UCL violations by Sling TV, with a focus on “Do Not Sell or Share” compliance and children’s privacy:

• Fragmented Opt-Out Mechanisms: Sling TV required consumers to use two different methods to opt out of sales and sharing, a cookie preference center for cookies, and a separate webform for other data. The CA AG found this “bifurcated” approach inconsistent with the CCPA’s requirements;
• Barriers for Logged-In Users: Customers who were already logged in had to re-enter their information in a webform to make opt-out requests, instead of Sling TV using existing account details to facilitate the process;
• No In-App Opt-Outs: Consumers using the TV app (the primary way most people access Sling TV) were not offered an in-app opt-out. Instead, they were sent to a website, which did not cover in-app sales or sharing; and
• Children’s Data Sold Without Opt-In Consent: Sling TV allegedly collected and shared (or sold) personal information of children under 16 without obtaining the required parental or age-appropriate consent.

As a result of the settlement, Sling TV agreed to:

• Provide Easy, Universal Opt-Outs: Implement a clear, prominent, and user-friendly opt-out mechanism on all digital properties (i.e., website, mobile app, and TV app);
• Click-to-Opt-Out for Logged-In Users: Allow logged-in customers to opt out with a single click or link, using data already on file;
• In-App Opt-Outs: Incorporate a seamless opt-out process directly within the TV app; Better Children’s Data Controls: Allow parents to designate user profiles as a kid’s profile, defaulting to the highest privacy protections (no sale/sharing, no targeted advertising); and
• Delete Existing Children’s Data: Remove personal data of children known to be under 16 collected without proper consent.

The CA AG’s stance is clear: companies must move beyond the bare minimum. Here’s how your organization can stay ahead:

• Minimize Barriers to Opting Out: Use a single, simple method for consumers to opt out of all sales and sharing of information, covering all data types and channels (not just cookies);
• Streamline For Logged-In Users: Don’t make logged-in users re-identify themselves; leverage information you already have to honor requests easily;
• Opt-Outs Where Consumers Interact: Provide opt-out mechanisms on every platform selling or sharing consumer data (i.e., apps, websites, and any other channels);
• Prioritize Children’s Privacy: Audit your children’s privacy practices now. Age verification, opt-in requirements, and data deletion protocols must be robust and ready for new regulations; and
• Plan for Development Time: Many of these changes require technical adjustments that can take months. Start planning and implementing now to avoid future enforcement actions.

The Sling TV case is a wake-up call: CCPA compliance isn’t static, and the CA AG is enforcing the letter and spirit of the law more aggressively than ever. Companies should conduct a comprehensive privacy compliance review and look for ways to make consumer rights not just technically available, but truly easy to exercise.