22 May 2025

U.S. States Unite To Strengthen Privacy Enforcement

Baker Botts LLP


On April 16, 2025, a coalition of state attorneys general and privacy regulators from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, Oregon, and the California Privacy Protection Agency (CPPA) announced the formation of the "Consortium of Privacy Regulators." This bipartisan initiative aims to coordinate regulatory priorities, share expertise and resources across jurisdictions, and align privacy enforcement actions as U.S. state data protection law enforcement intensifies.

Key Developments Prompting the Consortium's Formation

The establishment of the Consortium follows a series of significant enforcement actions, particularly in California.

  • Honda Settlement: In March 2025, the CPPA announced a $632,500 settlement with Honda for multiple violations of the CCPA, including confusing and excessive data subject rights request processes. The CPPA stated that businesses cannot design complicated processes for submitting data requests. For example, Honda required too many data points to verify requests. The CPPA noted that the verification process for data subject rights requests should align with what is actually necessary to verify the request. The CPPA was also concerned that Honda required identity verification for non-verifiable requests, such as where consumers tried to opt out of selling or sharing.
  • Todd Snyder Enforcement: In May 2025, the CPPA issued a $345,178 fine against clothing retailer Todd Snyder, Inc. for failing to properly manage its consumer privacy portal. Like many businesses, Todd Snyder used third-party cookies for analytical and targeted advertising purposes. To give effect to consumer opt-out rights, Todd Snyder directed consumers to a cookie settings preference center. However, for a period of 40 days, when a consumer clicked the cookie settings preference center link, a cookie banner appeared but then instantly disappeared, preventing the consumer from exercising their right to opt out. Relatedly, the Todd Snyder website was not adhering to Global Privacy Controls, browser plug-ins that consumers can download and use to automatically broadcast to websites that they are opting out of targeted advertising activities.

These actions underscore a growing trend of rigorous enforcement of state privacy laws, emphasizing the need for businesses to ensure compliance with evolving regulations.

Emerging Enforcement Patterns

Analysis of recent enforcement actions reveals common themes that businesses should be aware of:

  • Data Subject Rights Requests: Regulators are scrutinizing how businesses handle data subject rights requests, focusing on the ease of submission and the appropriateness of identity verification requirements.
  • Cookie Consent and Opt-Out Mechanisms: There is increased attention on the functionality and transparency of cookie banners and opt-out tools, ensuring they are not misleading or burdensome for consumers.
  • Data Minimization: Businesses are expected to collect and retain only the minimum amount of personal information necessary for specified purposes, aligning with the principle of data minimization.
  • Privacy Notice Disclosures: Regulators are emphasizing the importance of clear, comprehensive, and up-to-date privacy notices that accurately reflect data collection and processing practices.
  • Sensitive Data Handling: The collection and use of sensitive personal data, such as biometric and geolocation information, are under increased scrutiny, with expectations for explicit consent and robust safeguards.

Recommendations for Businesses

To navigate the evolving landscape of state privacy regulations and mitigate enforcement risks, businesses should consider the following actions:

  • Audit and Update Privacy Practices: Conduct thorough reviews of data collection, processing, and sharing activities to ensure alignment with applicable state laws.
  • Enhance Consumer Rights Mechanisms: Simplify processes for consumers to exercise their privacy rights, avoiding unnecessary hurdles or excessive verification requirements.
  • Review Third-Party Vendor Compliance: Ensure that third-party service providers handling personal data comply with relevant privacy laws and that appropriate contractual safeguards are in place.
  • Implement Robust Data Minimization Policies: Limit data collection to what is necessary for specified purposes and establish clear data retention schedules.
  • Maintain Transparent Privacy Notices: Regularly update privacy policies to reflect current data practices and ensure they are easily accessible and understandable to consumers.
  • Monitor Regulatory Developments: Stay informed about changes in state privacy laws and enforcement actions to proactively adjust compliance strategies.

"We're proud to collaborate with states across the country to advance consistent, streamlined enforcement of privacy protections to address real-world privacy harms. The Consortium reflects this shared commitment—now and for the future."

cppa.ca.gov/...

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
