Sling TV Fined for CCPA Violations

Sling TV has been fined $530,000 for violating the California Consumer Privacy Act (CCPA). California Attorney General Rob Bonta alleged the streaming television provider failed to offer customers an easy method to stop the sale of their personal data and did not provide sufficient privacy protections for children. The investigation into Sling’s privacy operations stemmed from the California Department of Justice’s (DOJ) investigative sweep of streaming services following the CCPA’s opt-out requirements.

Here are details of the CCPA violations found during the investigation that led to the penalty.

Failure to Provide an Easy-to-Execute Opt-Out Method

Sling provided a “Your Privacy Choices” link that directed consumers to a cookie preferences center, even though this was only part of the equation and cookies were not the only way Sling sells and shares personal information. To completely opt out, consumers needed to first find a link on the Sling website and enter personal information (in many cases already known to Sling when the consumer was logged in) in order to opt out of the sale of personal information.

Further, consumers who completed these steps and submitted the web form were directed to a “Review your Request” page where they were asked, “Are you sure?” and told, “Please note: Being added to our ‘Do Not Sell’ list may result in losing some of the customization of advertisements to your interests.”

The majority of Sling TV customers access the platform through an app on devices such as their smart television or gaming console. The app did not provide users with an easy-to-use avenue to opt out. Instead, they had to use a long URL in a web browser, usually on a different device, which took them to a cookie preferences page, which had the same issues described above.

Failure to Protect Children’s Privacy

Sling TV’s terms of use stated its service was not intended for minors, but the service included channels and programming directed to children. Sling obtained demographic data, including the presence of children under 16 in the household, from data brokers and other vendors. The company uses data about the presence of children in a household and their age ranges to build specific groups of viewers that can be targeted for cross-context behavioral advertising.

Sling gave users the ability to create multiple user profiles, but not the ability to create a kid’s profile that turned off the collection, sale, and sharing of consumers’ personal information and cross-context behavioral advertising when children are watching. Further, the company did not seek affirmative authorization from consumers under 16 years of age, or parental “opt-in” consent for children under 13, for selling or sharing personal information when children watch Sling TV.

Sling customers have access to parental controls, but the company did not turn off the collection, sale, and sharing of personal information or cross-context behavioral advertising when parental controls were turned on or when children were likely watching.

Settlement

Along with the $530,000 penalty, Sling TV has agreed to the following actions as part of the settlement:

  • Stop directing consumers seeking to exercise their CCPA opt-out rights solely to a cookie preference center.
  • Stop requiring logged-in customers to fill out a web form with information already available to the business, which adds unnecessary steps and could deter consumers from exercising their opt-out rights. 
  • Provide an opt-out mechanism within the Sling TV app, so consumers accessing Sling TV on various devices do not need to go to Sling TV’s website to opt out.
  • Allow parents to designate one or more user profiles as a “kid’s profile” that defaults off the sale and sharing of personal information and targeted advertising.
  • Provide parents with clear disclosures and tools to protect their children’s privacy.

2025 CCPA Enforcements

To date in 2025, the following CCPA enforcements have been handed down:

  • Tractor Supply was fined $1.4M by the CPPA for not honoring opt-out requests, not processing opt-out preference signals, and having insufficient privacy policies.
  • In July, AG Bonta issued a $1.55M fine to Healthline for sharing data, including data that suggested the consumer could have had a health condition, with third parties without proper privacy protections.
  • In May, clothing retailer Todd Snyder was fined $345,178 by the CPPA for not honoring opt-out requests for 40 days and requiring consumers to verify their identity to opt out of the sale or sharing of their data.
  • In March, the CPPA fined Honda $632,500 for requiring excessive personal information to exercise privacy rights, having a longer process for opting out than opting in, and other violations.

