California’s First Enforcement Action from DOJ’s Sweep of Streaming Services: Focus on Sling TV’s Deficient Opt Outs and Children’s Privacy

On October 30, 2025, California Attorney General Rob Bonta announced a $530,000 settlement with Sling TV LLC and Dish Media Sales LLC (“Sling TV”) over allegations that Sling TV failed to provide an easy-to-use method for consumers to opt out of the sale of personal information and failing to provide sufficient privacy protections for children, as required by the California Consumer Privacy Act (“CCPA”) (Cal. Civ. Code § 1798.100 et seq.). It is the first enforcement action arising out of the “investigative sweep” targeting business with popular streaming apps and devices announced in January 2024.

Sling TV operates an app-based live television and streaming service. Sling TV offers both a subscription-based service and an advertising-supported service. Sling TV’s advertising-supported service relies on targeted advertising, using consumer personal information to deliver relevant ads. In its complaint, the California Department of Justice (“DOJ”) alleged that Sling TV’s advertising services constituted cross-context behavioral advertising, as defined by the CCPA.

Under the CCPA and its implementing regulations (Cal. Code Regs. tit. 11, § 7000 et seq.), businesses that sell or share personal information are required to provide an opt out for consumers. Businesses must either title the link “Do Not Sell or Share My Personal Information,” or, alternatively, “Your Privacy Choices.” Under California regulations, a business that uses a “Your Privacy Choices” link must direct consumers to a webpage that includes information on the consumer’s right to opt out of the sale or sharing of personal information and their right to limit, as well as “[an] interactive form or mechanism” that “shall be easy for consumers to execute, shall require minimal steps,” and comply with additional regulations on the methods for submitting CCPA requests and obtaining consumer consent.

The California DOJ alleged that Sling TV’s “Your Privacy Choices” link directed consumers to a page for managing consumer cookie preferences. These preferences allow consumers to allow, limit, or refuse cookies or similar tracking technologies. However, the California DOJ alleged that Sling TV’s cookie choices would not effectuate an opt out of the sale or share of personal information. Instead, the California DOJ alleged that consumers had to locate a separate link to effectuate an opt out. Additionally, the California DOJ alleged that Sling TV’s opt out was unnecessarily confusing to locate and effectuate, requiring the consumer to engage in a multi-step opt out process.

The California DOJ also alleged that Sling TV was knowingly targeting children despite privacy disclosures stating that Sling TV is not intended to be used by anyone under the age of 18. The California DOJ alleged that Sling TV was notified by programmers when programming licensed to Sling TV was directed to children. Sling TV also offered parental controls in its app. The California DOJ alleged that Sling TV had access to demographic, interest, and account-level personal data about its consumers, obtained from data brokers and third-party vendors, and that this included information on the presence of children under the age of 16 in a household. The California DOJ alleged that Sling TV used this information to build advertising segments.

Additionally, the California DOJ alleged that Sling TV did not implement sufficient privacy protections for children. Sling TV did not offer consumers the ability to flag a user profile as a child’s profile, turning off collection, sale, and sharing of consumer’s personal information and cross-context behavioral advertising. Sling TV also did not offer affirmative authorization from consumers under the age of 16, or parental consent for children less than 13 years of age, for selling or sharing personal information. The California DOJ also alleged the Sling TV did not turn off collection, sale, or sharing of personal information or cross-context behavioral advertising when parental controls were turned on.

Under the settlement with Sling TV, Sling TV must stop directing consumers seeking to implement their CCPA rights to the cookie preferences page and must stop requiring logged in customers to fill out a webform to effectuate their opt out choices. Sling TV must also provide an opt out mechanism within the Sling TV app, instead of requiring consumers go to a separate website outside of the app to opt out. Additionally, Sling TV must allow parents to create a “kid’s profile” that automatically turns off the sale and sharing of personal information and must provide parents with clear disclosures regarding the collection and sale of personal information.

Key Takeaways and Best Practices

  • “Consumer journeys” are an important part of the opt out process. California regulations require that methods for submitting CCPA requests and obtaining consumer consent must reflect symmetry of choice. That is, the steps to take for a consumer to exercise a “less privacy-protective option” must be equal to the number of steps a consumer takes to exercise a “more privacy-protective” option.
  • Opt outs should be clear and easy to find. California regulations require opt out methods to be easy to understand, that are not confusing to the consumer, and that are easy to execute. Opt out methods must also be built in a way that they do not impair with the consumer’s ability to make a choice.
  • Smart television technology presents additional challenges. The California DOJ noted that Sling TV’s opt out was web-based, but the majority of Sling TV users use an app available for various connected televisions and streaming devices. Consumers could not opt out of Sling TV within the apps they were using on their smart devices. Businesses advertising on connected televisions and other devices should ensure that their opt out functionality carries over to the televisions they use. Additionally, disclosures should be clear and conspicuous, noting that partnerships with streaming services may require additional opt outs.
  • Children’s privacy rights are changing—and change depending on your jurisdiction. For twenty years, the federal Children’s Online Privacy Protection Act (“COPPA”) set the standard for children’s privacy online, covering children under the age of 13. Some state privacy laws mirror this standard. Others (including California) require enhanced privacy protections for children under the age of 16, and still others extend that to all minors under the age of 18. While COPPA has always had an actual knowledge standard for determining when a business is on notice that an individual user is a minor, state laws are trending in a direction of a constructive knowledge standard. For businesses that allow consumers to create individual profiles, the children’s version of the profiles offered should default to preventing the collection and sharing of personal information.

If you have questions about your company’s compliance with privacy regulations, contact a member of McDonald Hopkins’ national data privacy and cybersecurity team.

Jump to Page

McDonald Hopkins uses cookies on our website to enhance user experience and analyze website traffic. Third parties may also use cookies in connection with our website for social media, advertising and analytics and other purposes. By continuing to browse our website, you agree to our use of cookies as detailed in our updated Privacy Policy and our Terms of Use.