In 2020, California was the first mover in state comprehensive privacy law legislation, a distinction it held for approximately three years before other states took similar action. Indeed, eighteen additional states have passed their own privacy bills, along with many complementary laws related to children’s privacy, consumer health data privacy, biometric data privacy, and data broker practices. Notwithstanding these efforts, California has retained its reputation as the most formidable state enforcer of privacy law protections—until now, at least. As we explain, recent enforcement actions by the Attorneys General of Connecticut and Nebraska highlight an important shift: states beyond California are not only enacting laws aimed at safeguarding privacy, they are taking action to demonstrate that those laws have teeth.
Connecticut: TicketNetwork Settles Over Privacy Violations
The Connecticut Data Privacy Act (CTDPA), 2022 Conn. Pub. Acts No. 22-15 (Reg. Sess.), has been in effect since July 1, 2023, and requires covered entities to provide clear, accessible privacy notices and functional mechanisms for consumers to exercise their rights. The law initially included a cure period, allowing businesses 60 days to remedy violations after receiving notice, but it was phased out as of January 1, 2025.
Acting under the CTDPA, the Connecticut Attorney General issued a cure notice to company in November 2023, finding that its privacy notice was unclear and incomplete and failed to disclose key consumer rights codified under the statute (e.g., the right to access, correct, delete, and opt-out of the sale of personal data and targeted advertising). The notice also flagged that mechanisms for exercising consumers’ statute rights (such as opt-outs) were misconfigured or nonfunctional. TicketNetwork eventually settled, acknowledging that, despite representing that it had corrected the identified issues, the company, in fact, failed to correct these deficiencies within the 60-day window and failed to timely respond to follow-up correspondence from the state government. As part of its settlement with the Connecticut Attorney General, TicketNetwork agreed to pay an $85,000 civil monetary penalty, comply with the CTDPA, and maintain and report metrics for consumer rights requests received under the statute.
This case illustrates that the use of templates containing overly generalized privacy notices and non-functional mechanisms to protect consumers’ privacy rights will no longer fly under the radar in Connecticut. Indeed, following expiration of the CTDPA’s cure period on January 1, 2025, companies should now expect that future violations may in immediate enforcement action at the state level.
Nebraska: General Motors Sued Over Driving Data Collection
For its part, Nebraska recently took a different tack, electing not to rely on its comprehensive privacy law, the Nebraska Data Privacy Act (“DPA”), Neb. Rev. Stat. § 87-1103 et seq. (2024), but rather its consumer protection law. Specifically, on July 8, 2025, the Nebraska Attorney General announced a lawsuit against General Motors LLC (“GM”) and OnStar LLC, alleging the deceptive and unlawful collection and sale of personal driving data that violated the state’s Consumer Protection Act (“CPA”), Neb. Rev. Stat. § 59-1601 et seq., and the Uniform Deceptive Trade Practices Act (“UDTPA”), Neb. Rev. Stat. § 87-301 et seq. The suit claims that GM installed telematics systems in certain vehicles to track driver behavior, including location, speed, and seatbelt usage, and then sold this data to third parties who calculated “Driving Scores” used by insurers.
Key allegations in the complaint include:
- Consumers were not properly informed that using the mobile app or OnStar services would authorize ongoing data collection;
- Dealerships enrolled drivers into data-sharing programs without appropriate disclosure or consent; and
- The scope and purpose of the data collection were misrepresented or hidden from vehicle owners.
Although the Nebraska Attorney General is relying on the CPA and UDTPA—rather than the DPA—to challenge potentially deceptive data practices, the takeaway is the same: companies must be transparent about how data is collected, used, and shared, regardless of whether a formal privacy law applies.
Compliance Should Be a Strategic Priority
These recent enforcement actions at the state level show that state Attorneys General are actively investigating and responding to data privacy violations and using all available tools. As a result, businesses operating in multiple jurisdictions must treat privacy obligations as an integral part of their compliance framework.
As such, to reduce their legal exposure, companies should:
- Conduct internal reviews of how personal data is collected and shared
- Update privacy policies to ensure clarity and completeness
- Implement effective systems for managing consumer rights requests
- Train front-line staff to communicate data practices accurately
Proactive Steps Make All the Difference
With privacy expectations rising across the legal and public landscape, companies that prioritize consumer trust and regulatory compliance position themselves ahead of the curve. Whether you are navigating new state laws or revising legacy data practices, guidance from experienced counsel can make the path forward much clearer.
