It’s not just the summer temperatures that are rising; privacy enforcement is heating up across the nation, too. As states ramp up their monitoring and regulatory actions, businesses are finding themselves at the crossroads of compliance and consequence.
In this client alert, we’ll unpack the latest trends and enforcement actions shaping the state privacy landscape, and additional insights on enforcement priorities. You’ll find practical insights and guidance for navigating key frameworks, including the California Consumer Privacy Act (CCPA), Connecticut Data Privacy Act (CTDPA) and Texas Data Privacy and Security Act (TDPSA). In today’s climate, staying informed is as essential to your privacy strategy as checking the forecast before you step outside.
Recent Key Enforcement Actions
California: The California Attorney General announced a $1.55 million settlement on July 1st with a health information website operated by Healthline Media LLC for alleged CCPA violations, marking the largest CCPA settlement to date. Such allegations included failure to honor opt-out requests (including Global Privacy Control signals), use of personal information beyond stated purposes, inadequate vendor contracts and deceptive practices related to consent tools and cookie banners. Separately, on May 6th, a menswear retailer, Todd Snyder, Inc., agreed to pay $345,178 and update its privacy practices following alleged CCPA violations, including ineffective cookie banners, excessive data collection for privacy requests and improper verification procedures.
The California Privacy Protection Agency (CPPA), which is responsible for enforcing and implementing the CCPA, decided to crank up the heat another notch this week when it turned to courts to enforce its regulatory investigation, marking the agency’s first public disclosure of an ongoing investigation and first judicial action to enforce an investigative request. On August 6th, the CPPA took Tractor Supply Co. to court to compel the Fortune 500 company to comply with CPPA’s January 2025 investigative subpoena seeking information between January 1st, 2020 (when CCPA became effective) and current day. Tractor Supply Co. declined to produce information predating January 1st, 2023, arguing that because the CPPA’s enforcement authority began in July 2023, it could not compel production of information predating July 2023. In its court filing, the CPPA disagreed and argued that the shift in CCPA enforcement authority, previously held by the California Attorney General, to the CPPA does not limit the CPPA’s ability to investigate earlier conduct. “We will not hesitate to seek the court’s assistance when necessary to advance our investigations and protect Californians’ privacy rights,” said Michael Macko, the CPPA’s head of enforcement. “We look forward to addressing the merits of this dispute in court.”
Connecticut: On July 8th, the Connecticut Attorney General reached a settlement with a ticketing company, TicketNetwork, Inc., for CTDPA violations, which included an $85,000 fee, marking the first monetary penalty under the CTDPA. The company failed to address deficiencies in its privacy notice and, after receiving notice of such deficiencies, not only failed to cure them during a permitted cure period but also misrepresented its remediation efforts.
Texas: The Texas Attorney General issued noncompliance notices to several Chinese-owned companies under the TDPSA on May 6th, providing a 30-day cure period and indicating potential legal action for continued violations. Earlier this year, on January 13th, the Attorney General filed the first enforcement action under TDPSA against Allstate and its subsidiary, Arity, alleging unlawful collection and sale of personal data from over 45 million Americans via embedded software in mobile apps. Prior to the TDPSA taking effect, the Attorney General also launched investigations into car manufacturers’ collection and sale of driver data under consumer protection laws.
Additional Insights
In addition to enforcement actions, states are also pushing their privacy agendas in other ways as their enforcement activity scales up. Below we highlight several ways in which regulators have provided additional insight into enforcement priorities.
Regulatory Reports, Investigations & Enforcement Advisories
Several states have published reports outlining enforcement priorities and compliance challenges. Connecticut, Texas and Oregon have each released reports within months of their respective privacy laws taking effect, highlighting enforcement priorities and the complexities of reconciling varying state requirements. California has conducted multiple investigative sweeps targeting specific sectors and privacy rights, including location data, streaming services, connected vehicles, employer data, mobile applications and loyalty programs. Connecticut has prioritized privacy notice compliance, issuing numerous cure notices for consumer notice deficiencies.
In April, eight state regulators formed a bipartisan Consortium of Privacy Regulators to coordinate enforcement and share priorities, suggesting a trend toward greater regulatory cohesion despite differences among state laws. And although not new, the CPPA has issued Enforcement Advisories on topics such as data minimization and avoiding dark patterns, reflecting foundational enforcement concerns that have repeatedly appeared in CCPA enforcement activity.
Regulatory Developments
California: On July 24th, the CPPA Board approved updates to CCPA regulations addressing automated decision-making and cybersecurity audit requirements, pending final approval. These updates will introduce new compliance obligations and deadlines for covered businesses.
Connecticut: In June 2025, Connecticut enacted SB 1295, amending the Connecticut Data Privacy Act (CTDPA), which has been in effect since July 2023, to significantly expand its scope and redefine key applicability thresholds. Beginning on July 1st, 2026, the law will apply to entities that meet any of the following criteria: control or process personal data of at least 35,000 consumers; control or process sensitive data (excluding data used solely for payment transactions); or offer personal data for sale. This marks a shift from the original thresholds, which applied only to entities processing data of 100,000 consumers or 25,000 consumers while deriving 25% or more of their gross revenue from the sale of personal data. The definition of sensitive data has also been broadened to encompass new categories such as a mental or physical health condition, disability or treatment information (previously just diagnosis), neural data, nonbinary or transgender status, and government-issued identification numbers.
Minnesota: On July 31st, the Minnesota Consumer Data Privacy Act (MCDPA) took effect. Lawmakers of the MCDPA noted that: “One of our unique provisions is the one which grants consumers the right to question the results of ‘profiling’ that scores us based upon our personal data to make automated decisions affecting our access to jobs, housing, education, insurance or other essential services, regardless of whether ‘artificial intelligence’ is used in the profiling process.”
Compliance Takeaways for Businesses
These cases and advisories serve as valuable roadmaps, highlighting practical lessons and common themes for organizations striving to stay ahead of evolving requirements. Drawing from these regulatory activities, here are several key takeaways that can help guide robust compliance efforts:
- Exercise Caution When Relying on Privacy Vendors: Even when businesses utilize privacy vendors or automated tools, they remain ultimately responsible for compliance. In the Healthline settlement, the company was held accountable for CCPA violations despite relying on a privacy vendor, demonstrating that vendor solutions should support robust internal compliance measures, rather than replacing them.
- Keep Your Privacy Policy Updated: Maintaining an up-to-date privacy policy remains critically important, as it is a public-facing document susceptible to regulator review and is often a focus of enforcement actions.
- Backend Support Must Match Promises: Privacy measures must be substantive and effective, not merely procedural. The Todd Snyder case highlighted that ineffective cookie banners and improperly configured privacy mechanisms can result in enforcement actions, even if vendor-provisioned privacy tools are in place.
- Know Your Data: Understanding data collection and use is critical, particularly regarding purpose limitation and advertising practices. It is very important to know what data your business has, as regulators are increasingly launching investigative sweeps focusing on specific types of data, such as location data. Healthline’s use of personal information beyond stated purposes was a key alleged violation in its settlement, emphasizing the importance of purpose limitation.
- Understand Regulatory Priorities: Regulatory reports and collaborative initiatives provide insight into enforcement priorities and concerns. Staying abreast of regulator initiatives, including those that reference a particular type of data or industry, will allow businesses to be aware of such specific issues and take the action required to ensure compliance.
- Compliance Now Does Not Insulate You from Historical Noncompliance: The CCPA’s statute of limitations is five years, and the CPPA is issuing investigative subpoenas dating back the full five years, which sends a clear message that compliance now does not insulate businesses from potential liability for historical noncompliance. To stay off regulators’ radar, many organizations focus on highly visible tasks, including keeping website privacy notices current and ensuring a reliable process for receiving data subject rights requests. However, internal compliance measures, and records that reflect them, are equally important. Organizations should keep thorough and auditable records that document various aspects of their privacy compliance program over time. These records demonstrate not only current practices but also an ongoing commitment to meeting regulatory standards as they evolve.
- Recognize Privacy as a Core Strategic Priority: Privacy compliance cannot simply be a set-it-and-forget-it exercise or a checklist item. Effective privacy programs require ongoing attention, proactive planning, and the agility to adapt quickly as regulations and business needs evolve. By prioritizing privacy as an integral part of organizational strategy, businesses can better position themselves to anticipate changes and respond efficiently to new challenges.