Date: 2025-07-15

State attorneys general and regulatory agencies continue to enforce comprehensive state privacy laws, as demonstrated by recent enforcement actions by the California and Connecticut Attorneys General and the California Privacy Protection Agency targeting violations related to online tracking technologies, opt-outs, and privacy notices. Organizations should assess their vendor contracts, consumer-facing notices, online advertising practices and consent mechanisms, as well as the backend processes supporting those mechanisms, as website violations continue to provide low-hanging fruit for privacy regulators.

Connecticut AG Fines TicketNetwork for Privacy Notice Violations

On July 8, 2025, Connecticut Attorney General ("AG") William Tong announced an $85,000 settlement with TicketNetwork, Inc. for violations of the Connecticut Data Privacy Act (CTDPA). In addition to the fine, the settlement requires TicketNetwork, an online ticket marketplace, to comply with CTDPA requirements, maintain consumer rights request metrics, and report the metrics to the Attorney General.

Settlement details and violations: According to the settlement, TicketNetwork failed to correct deficiencies in its privacy notice after a cure notice was issued by the AG in November 2023, including unreadable content in the privacy notice, missing data subject rights and misconfigured rights mechanisms. The company did not resolve these issues within the 60-day cure period ending January 8, 2024.

AG enforcement efforts: As part of its series of "privacy notice sweeps," the Office of the Attorney General ("OAG") has issued multiple cure notices. The OAG noted that TicketNetwork failed to comply and respond in a timely manner, while most other companies promptly corrected deficiencies. The AG plans to aggressively enforce the CTDPA, which has been in effect since July 1, 2023, and emphasized that there is "no excuse for continued non-compliance".

CA AG Issues Largest CCPA Fine to Date for Violations Related to Online Surveillance and Tracking Tech

On July 1, 2025, California AG Rob Bonta announced a $1.55 million settlement with Healthline Media LLC ("Healthline") for violations of the California Consumer Privacy Act (CCPA) related to online tracking technology, marking the largest CCPA settlement to date. As part of the proposed settlement, Healthline agreed to pay $1.55 million in civil penalties and comply with injunctive measures. The settlement is pending final approval from the court.

According to the AG, Healthline, a health and wellness information website, is one of the top 40 most visited websites in the world and generates revenue by showing ads to readers, including personalized ads generated by third parties with whom readers' health-related data was collected and shared via online trackers.

CCPA violations: According to the AG, Healthline failed to allow consumers to opt out of targeted advertising and improperly shared sensitive health data with third parties, including data revealing consumers' medical conditions through article titles, such as "You've Been Newly Diagnosed with MS. What's Next?". The complaint alleges that Healthline failed to honor opt-out requests for sale or sharing, maintain required privacy contracts with its advertising vendors, and properly disable tracking cookies despite featuring a consent banner that did not actually function. With respect to CCPA-required contracts, the AG highlighted that Healthline "had assumed, but not verified, that the third parties had agreed to abide by an industry contractual framework."

Settlement requirements: Healthline is required to ensure effective opt-out mechanisms, stop sharing data linking consumers to specific health-related articles, maintain a CCPA compliance program including contract audits, and update and maintain accurate privacy notices and online disclosures. Among the settlement's more specific terms related to data-sharing, Healthline must stop disclosing information that can link a specific consumer to a specific article title that suggests that a consumer has been diagnosed with a disease.

AG enforcement efforts: This settlement is AG Bonta's fourth CCPA enforcement action, following actions against a media company, a food delivery service, a global beauty company, and others over children's privacy and/or opt-out violations. In March, the AG announced ongoing investigations into location data practices, in particular related to advertising networks, mobile app providers, and data brokers. The AG has also undertaken investigative sweeps related to employee data and streaming apps.

CPPA enforcement efforts: The California Privacy Protection Agency ("CPPA") has also taken significant enforcement actions against various companies, including numerous data brokers. In May, the CPPA fined clothing retailer Todd Snyder for violations related to opt-out procedures. As in the Healthline complaint, according to the CPPA, Todd Snyder's consent banner and cookie preferences settings did not function properly, also impacting its Global Privacy Control function, and the retailer improperly requested extensive verification steps when processing opt-outs. The enforcement action included a $345,178 fine and various compliance measures.

The CPPA's recent initiatives include increased coordination on cross-border enforcement: the agency joined the Consortium of Privacy Regulators in April, along with state attorneys general from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon, with the goal of sharing resources and expertise and coordinating investigations related to privacy enforcement. Later in April, the CPPA and the UK Information Commissioner's Office ("ICO") signed a declaration of cooperation to enhance international privacy protections. This is the CPPA's third such collaboration with international regulators, having announced a similar collaboration with the Republic of Korea's data protection authority (PIPC) in January 2025 and the French data protection authority (CNIL) in June 2024.

Narrowing exemptions: Companies should also prepare for the potential for increased regulatory scrutiny on financial institutions and financial data, as roughly 25 percent of states with comprehensive privacy laws will soon lack a broad entity-level exemption for financial institutions subject to GLBA. California has never provided such an exemption, Connecticut and Montana will eliminate the GLBA entity-level exemption starting in October 2025, and Oregon and Minnesota have drastically limited the exemption.

AI enforcement on the horizon: Rounding out the current enforcement landscape, companies should also prepare for potential AG enforcement related to AI practices in states with comprehensive AI laws, as a hotly debated federal moratorium on state AI laws ultimately failed to be passed by the U.S. Congress.

