Three Privacy Regulators Now Share Evidence. Your Cookie Banner Doesn’t.

April 27, 2026
by Cherry Rose

On September 9, 2025, the California Privacy Protection Agency, the Colorado Attorney General, and the Connecticut Attorney General announced something that had not happened before: a coordinated investigative sweep, targeting the same technical violation across three jurisdictions, with shared findings. Three regulators. One sweep. Shared evidence. $7,988 per intentional violation, multiplied across three jurisdictions. The Disney settlement ($2.75M, February 2026) and Ford settlement ($375K plus audit obligation, March 2026) both came out of that sweep. Healthline ($1.55M, 2025) was the warm-up.

What Actually Changed on September 9, 2025

The underlying laws — CCPA in California, CPA in Colorado, CTDPA in Connecticut — did not change that day. The enforcement model did. For every prior year of state privacy regulation, US stores treated compliance as a per-state problem: pass California audits, hope the rest follow on a delay. The September 9 sweep replaced that assumption with a different one: the same architectural failure that loses you California now also loses you Colorado and Connecticut, at the same time, with shared evidence between regulators.

That matters for WooCommerce stores because the three states are not running parallel investigations of three different technical issues. They are running one investigation of the same technical issue — non-compliance with universal opt-out preference signals (GPC) — and dividing the findings. Global Privacy Control on WordPress: Why Your WooCommerce Store Is Already in Violation covers the per-store architectural angle; this piece is about what changed at the regulator level.

By January 1, 2026, twelve states require recognition of universal opt-out mechanisms by law: California, Colorado, Connecticut, Montana, Nebraska, New Hampshire, New Jersey, Minnesota, Maryland, Delaware, Oregon, and Texas (Didomi GPC tracker). The September 9 sweep is the template for how at least three of those states intend to enforce.

The Disney Pattern: $2.75M for Honoring GPC the Way Most Sites Do

The Disney settlement (February 2026, $2.75 million) is the cleanest illustration of how a “compliant” implementation gets fined. Disney’s setup honored the GPC signal — but only on the device and browser session where it was sent. The opt-out did not propagate to the user’s authenticated account state, did not carry over to other Disney properties, and did not persist on a different device the same user logged into.

The California AG’s finding pointed to CCPA § 7025(c)(2): an opt-out preference signal must be processed at the consumer level, not just at the browser-session level. Disney’s architecture treated GPC as a device-level event. That is the default behavior of nearly every cookie consent platform deployed on WooCommerce today.

If your GPC opt-out lives in a cookie that does not survive a fresh session on the same customer’s other device, you have the Disney pattern.

WooCommerce-specific failure mode: a logged-in customer triggers GPC on Chrome desktop, gets the opt-out, then opens your store on Safari mobile while logged into the same account — and is once again fully tracked because the opt-out was never written against the customer record.

The Healthline Pattern: $1.55M for the Opt-Out That Didn’t Reach Downstream

Healthline (July 2025, $1.55 million) is the other half of the story. Healthline’s site honored the opt-out on the page — the cookie banner state was correct, the consent string updated, the on-page tracking respected the preference. What did not respect the preference: the data already flowing to downstream advertising partners.

The pattern: a GPC signal flips the page-level state to opted-out, but server-side events continue firing. Meta CAPI keeps sending purchase events. GA4 Measurement Protocol keeps receiving conversions. Klaviyo keeps appending to its track API. The page is compliant. The data flow is not.

Most WooCommerce stacks have this gap by design. Browser-side consent platforms govern the front-end pixels well. They do not govern the server-side feeds that fire from PHP hooks once woocommerce_payment_complete runs. Those feeds were configured before GPC was an enforcement priority, and they are firing now whether the page state honors the opt-out or not.

The opt-out has to reach every destination, including the ones that don’t run in the browser.

The Wave Coming: § 7025(c)(6) Visible Display

California’s CPRA regulations effective January 1, 2026 added a visibility requirement under § 7025(c)(6): when a GPC opt-out is honored, the site must display that the opt-out request was processed. Silent compliance — honor the signal but show no acknowledgment — is now itself a violation.

This is the next wave because it is the easiest to evidence. A regulator does not need to inspect your network calls to prove a § 7025(c)(6) violation; they need to load your site with GPC enabled and screenshot what is, or is not, displayed. WooCommerce stores running GPC compliance through a cookie banner script that updates state silently are sitting on a discoverable violation that requires no technical investigation to confirm.

The Architectural Fix: Consent at the Server, Not Just the Browser

The two settled patterns — Disney and Healthline — share a root cause. Browser-side consent enforcement governs only what happens in the browser. Customer-level state lives in your database. Downstream destinations receive data through server-to-server pipes that the cookie banner cannot see.

The structural fix moves GPC enforcement up the stack. When a visitor signals GPC, the opt-out is recorded against the customer record (not just the device cookie). The opt-out flag is read every time the server prepares an outbound event for Meta CAPI, GA4 Measurement Protocol, Google Ads Enhanced Conversions, Klaviyo, BigQuery, and any other downstream destination. If the flag is set, the destination feed does not fire — regardless of whether the browser is involved at all.

That single architectural change closes both the Disney pattern (because the customer-record opt-out follows the user across devices) and the Healthline pattern (because every downstream destination reads the same server-side flag). For a deeper map of the laws driving these patterns, see CCPA, VCDPA, and CPA: What US State Privacy Laws Actually Require From Your WooCommerce Tracking.

The question is not whether your cookie banner is compliant. The question is whether the opt-out reaches every system that processes a customer’s data.
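The server-side gate described above, as an added example that is not code from this article or from Seresa, inPIPE or Transmute Engine: a minimal Node.js consent store that records a GPC opt-out against the customer record (Disney fix), reads that one flag before every server-side destination fires (Healthline fix), and returns the acknowledgment text the page needs for the § 7025(c)(6) display. Assumed: `customerId` is your store's logged-in customer id (null for guests), `deviceId` is a first-party cookie value, and the destination names are labels only.

```javascript
// Added example, not the article's or any vendor's code. Two in-memory sets
// stand in for the database tables that would hold opt-out state in production.
const optOuts = { customers: new Set(), devices: new Set() };

// GPC is transmitted as the request header "Sec-GPC: 1". Node lowercases
// incoming header names, so both spellings are checked here.
function gpcPresent(headers) {
  const v = headers['sec-gpc'] ?? headers['Sec-GPC'] ?? '';
  return String(v).trim() === '1';
}

// Record the opt-out at the customer level whenever a customer is known, so it
// follows the person across devices and sessions (closes the Disney pattern).
// Guests can only be keyed by device. The returned "display" is the text the
// page should render to satisfy the visible-display requirement.
function recordOptOut({ headers, customerId, deviceId }) {
  if (!gpcPresent(headers)) return { optedOut: false, display: null };
  if (customerId != null) optOuts.customers.add(customerId);
  if (deviceId != null) optOuts.devices.add(deviceId);
  return { optedOut: true, display: 'Opt-Out Request Honored' };
}

// Single source of truth read by every outbound feed.
function isOptedOut({ customerId, deviceId }) {
  return (customerId != null && optOuts.customers.has(customerId)) ||
         (deviceId != null && optOuts.devices.has(deviceId));
}

// Server-side destinations named in the article (labels only, assumed).
const DESTINATIONS = ['meta_capi', 'ga4_mp', 'google_ads_ec', 'klaviyo', 'bigquery'];

// Called from the server hook that fires after payment completes. Every
// destination is gated behind the same flag, regardless of browser state
// (closes the Healthline pattern). Returns what was sent vs. suppressed so
// the caller can log the decision for audit evidence.
function dispatchEvent(event, send = () => true) {
  if (isOptedOut(event)) return { sent: [], suppressed: [...DESTINATIONS] };
  const sent = DESTINATIONS.filter((d) => send(d, event));
  return { sent, suppressed: DESTINATIONS.filter((d) => !sent.includes(d)) };
}

// Constructed walk-through: customer 42 sends GPC from device A, then shows up
// logged in on device B without the header. The purchase event must still be
// suppressed everywhere.
recordOptOut({ headers: { 'sec-gpc': '1' }, customerId: 42, deviceId: 'A' });
console.log(dispatchEvent({ name: 'purchase', customerId: 42, deviceId: 'B' }));
```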

Where Transmute Engine™ Fits

Transmute Engine is a first-party Node.js server that runs on your subdomain (e.g., data.yourstore.com). The inPIPE WordPress plugin captures the GPC signal and the customer record together, and sends both via API to your Transmute Engine server, which holds a single source of truth for opt-out state. Every outbound event — Meta CAPI, GA4, Google Ads Enhanced Conversions, Klaviyo, BigQuery — reads that flag before firing. One opt-out, recorded once, honored everywhere downstream. The architecture eliminates the Disney pattern by attaching opt-out to the customer (not the device) and the Healthline pattern by gating every server-side destination behind the same flag.

Key Takeaways

  • September 9, 2025 changed the enforcement model. California, Colorado, and Connecticut now run coordinated investigations and share evidence on universal opt-out non-compliance.
  • Disney pattern ($2.75M, February 2026): GPC honored on the originating device only — no cross-account, cross-device propagation. CCPA § 7025(c)(2) violation.
  • Healthline pattern ($1.55M, July 2025): Page-level opt-out correct, but server-side feeds (Meta CAPI, GA4, downstream partners) continued firing.
  • § 7025(c)(6) is the next wave (effective January 1, 2026): silent GPC compliance — no visible “Opt-Out Request Honored” display — is now itself a violation, evidenced by a screenshot.
  • The architectural fix is server-side consent enforcement. Record opt-out against the customer record, gate every downstream destination behind the same flag. One opt-out, honored everywhere.

Frequently Asked Questions

What does the September 2025 multi-state CCPA enforcement sweep mean for my WooCommerce store?

It means the same architectural failure that loses you California now loses you Colorado and Connecticut at the same time, with shared evidence between regulators. The September 9, 2025 announcement consolidated investigative work across three states. WooCommerce stores that pass on Meta Pixel, GA4, and Google Ads tag opt-out enforcement under California rules now face the same scrutiny under Colorado CPA and Connecticut CTDPA simultaneously.

Are California, Colorado, and Connecticut sharing privacy enforcement evidence with each other?

Yes. The September 9, 2025 announcement explicitly framed the sweep as coordinated. Investigative findings from one regulator inform the others. Stores investigated by California for GPC non-compliance can expect parallel actions or evidence-sharing with Colorado and Connecticut, where the underlying technical violation is the same.

Why did Disney get fined $2.75M for honoring GPC the way most websites do?

Disney’s implementation honored the GPC signal only on the specific device and browser session where it was sent. The settlement found that the opt-out did not propagate to other Disney properties or to the user’s authenticated account state, violating CCPA § 7025(c)(2). Most WooCommerce stores have the same gap: GPC opt-out is treated as a device-level event, not a customer-level one.

How does the cross-state sweep change WooCommerce compliance priorities?

Audit two patterns this week. First, the Disney pattern: does your GPC opt-out persist across the customer’s account, devices, and re-visits — or only the current session? Second, the Healthline pattern: when GPC is honored, does data actually stop flowing to downstream partners (Meta CAPI, Google Ads, Klaviyo, BigQuery) — or does the page-level opt-out coexist with server-side events still firing?

Audit the Disney pattern and the Healthline pattern in your WooCommerce stack this week, before the next coordinated sweep. See how Seresa enforces consent at the server layer.
