Recent enforcement activities in California and Connecticut highlight that states are ready and willing to actively enforce their comprehensive privacy laws. These recent actions – which continue the trend of states ramping up privacy enforcement activity – make clear that regulators are taking compliance with state comprehensive privacy laws seriously.
Below we highlight two recent enforcement actions and flag key takeaways for companies, including the importance of (i) building a compliance strategy that emphasizes clear communication with consumers; (ii) being responsive to regulatory inquiries; and (iii) providing clear and operative opt-out mechanisms.
California
On July 1, the California Attorney General (AG) announced a settlement with website publisher Healthline Media LLC. The settlement is based on the California Department of Justice's allegations related to the use of sensitive data for targeted advertising purposes; specifically, the AG alleged that the company violated the California Consumer Privacy Act (CCPA) by failing to fulfill consumer opt-out requests and by sharing data with third parties without CCPA-mandated privacy protections.
Key takeaways include:
- Consumer expectations should be considered when assessing the purpose limitation. This settlement is of particular interest because it provides insights into how the California AG interprets the CCPA's purpose limitation provisions. Specifically, the Complaint indicates that certain data processing activities could violate the purpose limitation principle – even if they are listed in the privacy policy – if the processing is not "consistent with the reasonable expectations of the consumer," explaining that "the law provides that invisibly sharing data of a more intimate nature to third parties, briefly alluded to in a privacy policy, may be unlawful when consumers would not expect that to happen. The law further provides that even detailed privacy disclosures regarding other intended uses of data may violate the principle if the disclosed purposes differ substantially from the consumer's reasonable expectations." See Complaint at ¶ 22.
- Ensure opt-out mechanisms are in place and operative. The Complaint alleged that the company failed to honor consumer requests to opt out of the sale or sharing of their personal information for targeted advertising.
- Ensure advertising contracts contain the required CCPA provisions. The Complaint alleged that the company's advertising contracts did not contain privacy protections required by the CCPA.
Connecticut
On July 8, the Connecticut Attorney General announced an $85,000 settlement with online marketplace TicketNetwork, Inc. This settlement followed the alleged failure of TicketNetwork to adequately respond to a cure notice.
Key takeaways include:
- Ensure privacy policies are up to date and consumer rights mechanisms are operative. The Connecticut AG alleged that "the company's privacy notice was largely unreadable, missing key data rights, and contained rights mechanisms that were misconfigured or inoperable."
- Be responsive to communications from state AGs. The Connecticut Attorney General's press release noted that TicketNetwork failed to adequately respond to its cure notice within the 60-day statutory cure period. On the other hand, the AG noted that other companies have timely responded to similar notices, writing that "[t]o date, the Office of the Attorney General has issued four separate 'privacy notice sweeps' consisting of over two dozen cure notices in total, all aimed at addressing privacy notice deficiencies...Nearly all other companies [beyond the one at issue in the settlement] took prompt steps to come into compliance." Notably, Connecticut's right to cure expired on January 1, 2025; however, to the extent companies receive cure notices (where applicable) or other communications from enforcement agencies, it is important to timely respond.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
