March 5, 2025

Members of SafeGuard Privacy’s legal team attended the California Lawyers Association’s 3rd Annual Privacy Summit in Los Angeles last week to hear the latest privacy developments and insights from across the United States. Here, we summarize the important highlights from regulators from different states on enforcement trends and priority issues.

The Enforcement Landscape is Active

The privacy enforcement landscape is far more active than it seems, according to representatives of the California, Colorado, New Jersey, and Texas AG’s offices and the California Privacy Protection Agency. Regulators are conducting numerous investigations (from over 10 to more than 100 investigations in the various states represented) that don’t always culminate in publicly disclosed enforcement actions or settlements. Some investigations are resolved during cure periods. Others – where no violation of law is found – are concluded in a way that preserves the reputation of the company investigated. The most serious investigations result in public enforcement actions.

All regulators on the panels emphasized the importance of prompt and open communications in response to a regulatory inquiry.

Enforcement activity is not limited to one or two states. All regulatory bodies are significantly more engaged than many realize, with Texas emerging as a particularly active enforcer. Since the Texas Data Privacy and Security Act became effective on July 1, 2024, Texas has reported 100+ investigations.

Each state represented has a hotline for consumer complaints, monitors data breaches and lawsuits for privacy violations, and has investigators to test compliance.

Priority Areas for Regulatory Scrutiny

Sensitive Personal Information, Geolocation Data, and Children’s Data

Compliance with requirements for sensitive personal information, geolocation data, and children’s data has been the focus of state enforcers and will be subject to increased scrutiny as 2025 continues.

While the CPPA noted its initial enforcement focus was on data brokers under the DELETE Act, it is now bringing the same intensity to its CCPA enforcement, using a fully staffed team. Other regulators with newer privacy laws, such as New Jersey, also emphasized that they had substantial teams of enforcement attorneys working on privacy issues.

Artificial Intelligence

Regulators are not waiting for specific AI legislation. All regulators present agreed that “all laws regulate AI,” making clear that existing privacy frameworks apply to AI systems. They noted that “personal information is the fuel of AI and therefore subject to laws regulating PI” and that “just because it involves new tech does not exempt it” from existing laws and regulations.

UDAP Enforcement Authority

In states without specific AI laws, Attorneys General have broad enforcement authority to prosecute AI privacy violations using their state’s unfair and deceptive acts and practices (UDAP) laws, data breach laws, etc. Those laws have teeth. In fact, California has added disgorgement as a potential remedy for violation of its Unfair Competition Law on top of statutory damages available under the CCPA.

Policies, Consumer Privacy Rights Communications, Opt-Out and Consent Mechanisms

Regulators made multiple references to harmonization among the state privacy laws. They emphasized that we should look at the “abundance of similarity among the laws,” validating SafeGuard Privacy’s approach in creating the Multistate Substantial Compliance Assessment to address the areas of commonality and outlier obligations in the state privacy laws.

Based on their observations, regulators provided the following specific insights and compliance practice tips. Consider these as priorities to review in your privacy program and practices.

Privacy Policies

Inadequate or confusing privacy policies trigger the most consumer complaints. Privacy policies must communicate consumer privacy rights in the body of the policy, not relegating them only to a California-specific description of rights, noted Stevie DeGroff, First Assistant Attorney General, Technology & Privacy Protection Unit of the Colorado AG’s Office. Investigations are often triggered by failing to identify consumer privacy rights available in a state or speaking to rights only in one state when they are available in others as well. This is consistent with prior statements from other AG’s offices, including Connecticut.

The practice tip here is to review your privacy policy and ensure it addresses all existing state privacy law requirements. When required items are missing from a privacy policy, it triggers further review.

Opt-Outs

California’s Supervising Deputy Attorney General for the Privacy Unit, Stacey Schesser, pointed out these laws are no longer new and that the time for regulators to remind businesses about non-functional opt-out mechanisms is over. The panel advised:

  • Regularly check privacy-related communications:
    • If you have a privacy email address listed in your policy, check that inbox frequently!
    • Regulators often initiate an investigation by sending an email to that address, and needless to say, failing to respond will set you off on the wrong foot.
    • The Texas cure period begins to run from the time they send such an email, so failing to respond in a timely manner could mean the cure period expires.
  • Test opt-out mechanisms and procedures at least monthly:
    • The user interface for opting out of sale/sharing, targeted advertising, or profiling should be easy to understand, clear, and not manipulative.
    • Ensure your mechanisms work as your policy says they do.
    • Ensure that when a consumer is signed in, an opt-out request carries across all services.
    • The regulators are conducting these tests, and so should you. You don’t want to learn your mechanisms are not working from a regulator.

Consent and Consent Mechanisms

Michael Macko, Head of Enforcement at the CPPA, noted that valid consent begins in your privacy policy. Ensure you provide consumers with sufficient information to make a valid consent choice. The panel also warned about the following in consent mechanisms:

  • Beware of dark patterns – manipulative design – that needlessly lead a consumer to give consent where they do not want to.
  • Do not pre-check boxes in a consent mechanism.
  • Symmetry of choice matters. It should not be harder to exercise the more privacy-protective choice.

Colorado’s Stevie DeGroff noted they evaluate practices cumulatively, considering factors like consent mechanisms together with other perhaps minor issues that collectively indicate non-compliance.

Emphasis on Business Partners Due Diligence

Tyler Bridegan, Director of Privacy & Tech Enforcement for the Texas Attorney General’s Office, specifically advised reviewing contracts to ensure they address all states with current privacy laws, with particular attention to Texas requirements. Other regulators agreed with regard to their own requirements.

Regulators emphasized the importance of conducting thorough due diligence, including auditing and oversight, of your business partners, warning that businesses could be held liable for non-compliant service providers or contractors. They expect to see the same urgency in protecting consumer privacy rights as businesses apply to other operational aspects of the business.