ARTICLE
13 May 2025

State Privacy Enforcement Ramp-Up Continues With New Actions In California And Texas

WR
Wiley Rein

Contributor

Wiley Rein logo
Wiley is a preeminent law firm wired into Washington. We advise Fortune 500 corporations, trade associations, and individuals in all industries on legal matters converging at the intersection of government, business, and technological innovation. Our attorneys and public policy advisors are respected and have nuanced insights into the mindsets of agencies, regulators, and lawmakers. We are the best-kept secret in DC for many of the most innovative and transformational companies, business groups, and nonprofit organizations. From autonomous vehicles to blockchain technologies, we combine our focused industry knowledge and unmatched understanding of Washington to anticipate challenges, craft policies, and formulate solutions for emerging innovators and industries.
Explore Firm Details
State enforcement agencies are keeping the pressure on businesses, with two new enforcement actions announced this week in California and Texas.
United States California Texas Privacy
Duane C. Pozza,Kathleen E. Scott,Ian Barlow
+2 Authors

State enforcement agencies are keeping the pressure on businesses, with two new enforcement actions announced this week in California and Texas. This activity signals to companies – both within and outside of the United States – that states are actively enforcing their privacy laws. Below, we highlight the two latest actions in California and Texas and flag key takeaways for companies.

California

On May 6, 2025, the California Consumer Privacy Protection Agency (CPPA or Agency) announced a settlement with a national menswear retailer, Todd Snyder, over allegations that the company's opt-out and other privacy request processes did not comply with the California Consumer Privacy Act (CCPA). The company has agreed to pay $345,178 in penalties to resolve the allegations and will overhaul its privacy compliance practices. This enforcement action follows the Agency's first enforcement action earlier this year against Honda, which included similar allegations.

Key takeaways include:

  1. Ensure that opt-out mechanisms are properly configured and operative. This most recent enforcement action deals in part with the CCPA's consumer right to opt out of the selling and sharing of personal information, particularly for purposes of behavioral advertising. Specifically, the Order alleges that the company's opt-out mechanism was not properly configured. Businesses that trigger opt-out requirements under the CCPA should have clear and easily accessible mechanisms for consumers to exercise this right. Further, the Agency's action makes clear that where businesses rely on third-party privacy management tools, they must actively oversee and ensure the proper functionality of those tools.
  2. Tailor opt-out and other privacy request mechanisms. The Agency alleged that the company collected "more information than necessary" for certain requests and imposed verification requirements for opt-out requests, both in violation of the CCPA. This warns against a "one-size-fits-all" approach to privacy requests; companies should tailor their consumer request mechanisms to ensure compliance with the CCPA's detailed and specific rules.
  3. Mitigate risk through privacy training. Regular and comprehensive training programs are key for CCPA compliance, and the Agency has included these elements in their settlement agreements.

Texas

Since Texas' comprehensive privacy law took effect last year, the Texas Attorney General's (AG) office has been actively enforcing it, along with other privacy laws in the state. Most recently, on May 6, 2025, the AG issued a press release announcing that the office has put several Chinese and Chinese Communist Party-aligned companies on notice regarding potential violations the Texas Data Privacy and Security Act (TDPSA).

Key takeaways include:

  1. Companies that receive notices of apparent violation should respond quickly. While different states have different approaches to cure periods, the TDPSA provides a 30-day notice and cure period. However, to benefit from the cure period – as the most recent press release makes clear – it is critical for companies that receive notices of apparent violation to respond quickly.
  2. Privacy notices and consumer rights are key elements to a privacy compliance program. While the specifics of the notices sent to these companies were not released by the AG's office, the press release reiterates that "[t]he law requires companies to disclose whether they process consumer data, allow consumers to opt out of data collection, and enable consumers to delete their personal data entirely." All companies subject to the Texas law should review their consumer-facing notices and consumer rights to ensure compliance with the law.
  3. The TDPSA has broad reach. The Texas AG's focus on Chinese companies indicates that the office is taking a broad view of the TDPSA's reach. It also is consistent with concerns that are trending at the federal level around foreign adversary access to U.S. personal data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Duane C. Pozza
Duane C. Pozza
Photo of Kathleen E. Scott
Kathleen E. Scott
Photo of Joan Stewart
Joan Stewart
Photo of Ian Barlow
Ian Barlow
Photo of Alissa Lynwood
Alissa Lynwood
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More