October 21, 2025
The California Digital Age Assurance Act
A new California law represents a major shift in protecting children's safety and privacy online, putting operating systems and app developers in the crosshairs.
Streaming service Sling TV will pay a $530K fine for violations of the California Consumer Privacy Act (CCPA), according to a press release from Attorney General Rob Bonta. The case arises from an investigative sweep that was announced in 2024.
Let’s dive into what Sling TV is alleged to have done wrong.
As we’ve repeatedly seen in other CCPA enforcement actions, honoring consumer opt-outs is a central focus for regulators. Businesses’ failure to fully process opt-outs, use minimally invasive request forms, and offer easy access to opt-out mechanisms keep getting them in trouble. Such was the case with Sling TV.
When consumers wanted to opt-out, in some contexts Sling TV was directing them to a cookie preferences management tool. A lot of businesses do this same thing; they tell consumers that they can turn off marketing cookies and assume that’s good enough. However, “to truly opt-out, turning off cookies [is] insufficient.”
Why is that?
Turning off cookies does nothing to remove cookies/trackers that have already been downloaded to the consumer’s device. It does nothing to address disclosures of personal data that took place before cookies were turned off. It also doesn’t affect data selling and/or targeted advertising practices that take place outside of the website (e.g., participation in a marketing cooperative or uploading custom audiences to social networks).
In Sling TV’s case, the Attorney General also states that they were sending app users to manage cookies on the Sling TV website, which had no effect on data processing within the streaming app.
Sling TV did also have a webform for submitting opt-out requests, but it required consumers to provide their name, address, email, and phone number, even if the person was logged in to their Sling TV account. Because Sling TV already had that information about those consumers, requiring them to provide it in a webform was an unnecessary burden.
The general rule is that businesses can only seek the minimum amount of information necessary to associate an opt-out request with a particular consumer. (See the Honda case for an example of asking for too much info.) Here we see that if a user is logged in to their account, the business probably shouldn’t be asking for any additional information in order to process an opt-out because they already know exactly who is submitting it.
Sling TV has a streaming app available on various platforms (Roku, Apple TV, Xbox, etc.). Instead of providing an opt-out mechanism that could be activated directly inside the app, Sling TV instead directed consumers type in a long URL for company’s website in order to submit an opt-out.
As part of the settlement, Sling TV must “implement an in-app, easy-to-use opt-out method with minimal steps such as a simple toggle, not requiring use of a second device.” If it is not possible to do so, they must provide a simple method such as a scannable QR code that captures their login information and immediately effectuates the opt-out.
Under the CCPA, businesses must get opt-in consent before selling or sharing the personal information of consumers under the age of 16. According to the Attorney General’s complaint, Sling TV was not doing enough to prevent the data of minors from being used in this way without consent.
Going forward Sling TV must provide a way to create user profiles for children and minors, and to designate certain channels as intended for children and minors.
As privacy enforcement picks up pace, noncompliance is becoming an increasingly expensive gamble. Laws like the CCPA have already been in force for years, and authorities aren’t taking them lightly.
Rather than take a risk that could cost your company hundreds of thousands of dollars, get compliant quickly and cost-effectively with TrueVault. Guided by our attorney-designed software and experienced support team, you can create a data map, onboard vendors, post privacy notices, and be ready to respond to consumer requests, all within a matter of days. As new U.S. privacy laws go into effect, they are automatically added to your privacy center at no extra cost.
Contact our team today to learn how TrueVault can help support your business’s compliance.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.
