Enforcement of state privacy laws ramped up in 2025, and regulators are going deeper than inadequate policies and ineffective opt-out mechanisms. In recent cases, they are also focusing on vendor compliance.

Privacy Enforcement Is Increasing, and Regulators Are Looking at Vendor Relationships
Regulators are looking at businesses’ vendor contracts, especially whether those contracts address privacy requirements before the business shares personal information with the vendors.
- The California Privacy Protection Agency’s (CPPA) recent settlement with Tractor Supply Company noted that Tractor Supply had “disclosed personal information to other companies without entering into contracts that contain privacy protections,” in addition to other alleged privacy violations.
- California Attorney General Rob Bonta announced a $1.55M settlement with Healthline in July, noting that, among other alleged privacy violations, Healthline had not ensured its advertising contracts contain CCPA-required privacy protections and had only “assumed, but not verified that third parties had agreed to abide by an industry contractual framework.” This case should interest companies in the digital advertising space, where many industry participants leverage the IAB’s Multi-State Privacy Agreement, which is an industry contractual framework designed to help signatories meet the regulatory contract requirements.
- The CPPA entered into a $632,500 settlement with American Honda Motor Company in March, citing Honda’s sharing of consumers’ personal information with ad tech companies without producing the required contracts, among other alleged violations.
As these settlements begin to pile up, it’s clear that regulators are digging deeper into the data flows and examining vendor relationships, including vendor due diligence obligations of the businesses under investigation.
Regulators Are Increasing Coordination and Collaboration Across States
The California settlements described above are likely canaries in the coal mine for other state enforcement actions, given that the California AG and CPPA have engaged in coordinated multistate efforts signalling “robust nationwide collaboration,” including a joint enforcement sweep on Global Privacy Control (GPC) with Colorado and Connecticut.
And that multistate sweep is in addition to the collaborative work of the Consortium of Privacy Regulators, established as a bipartisan move to formalize sharing expertise and technology resources to implement and enforce state privacy laws across the country. The Consortium has grown from 8 regulators when announced in April to 10 regulators, with Minnesota and New Hampshire joining regulators from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon.
Increasing enforcement and multistate coordination echo the way data breach law enforcement started slowly and then snowballed. Of course, the costs of managing consumer privacy investigations, as with data breach investigations, are not limited to fines. Although no annual average cost of a privacy investigation is publicly available yet, by way of analogy, the average per-incident breach cost in the United States surged to a record $10.22M USD, while the global per-incident breach cost averaged $4.44M USD, according to IBM’s Cost of a Data Breach Report 2025. Responding to and defending these investigations also disrupts your core business focus and can even cause job losses.
The increase in enforcement, with regulators looking into vendor relationships, presents a challenge for companies that have not yet reviewed their vendor relationships for privacy compliance and that still need to review vendor contracts and assess their vendors’ compliance. SafeGuard Privacy and the IAB Diligence Platform, which offer industry-standard assessments and questionnaires along with secure review and sharing, are a crucial piece of the vendor solution.