In an era of escalating data breaches, organizations must be vigilant in protecting consumer information. A comprehensive federal data privacy law would streamline compliance efforts, but Congress has yet to pass one, leaving states to fill the gap.
As of early 2025, 20 states had enacted consumer data privacy laws. Now, state attorneys general are ramping up enforcement actions under them.
Two recent examples show how these laws are being applied: a record-setting $1.55 million penalty against Healthline under the California Consumer Privacy Act, and Connecticut’s first enforcement action under its new privacy law, the Connecticut Data Privacy Act.
California’s CCPA settlement with Healthline
In July, the California Office of the Attorney General announced a settlement with Healthline Media LLC, publisher of a popular medical and health information website. The enforcement action stemmed from alleged violations of the CCPA and resulted in a record-setting $1.55 million agreed penalty – the largest CCPA settlement to date. As part of the settlement, Healthline must undertake a comprehensive CCPA compliance program and other corrective measures.
Key allegations in the enforcement action included the following:
- Improper data sharing through tracking technologies (for example, use of cookies and pixels).
- Inadequate consumer disclosures in privacy notices.
- Failure to provide and honor effective opt-out mechanisms.
The focus on Healthline’s use of tracking tools, a routine online data practice, should concern businesses.
Connecticut’s CTDPA settlement
Just days after the California settlement, Connecticut announced that it had reached a settlement of its first enforcement action under the CTDPA, with TicketNetwork, a live entertainment ticketing and resale company. The state Attorney General contended that the company’s privacy notice was deficient in the following respects:
- It was difficult to read because of poor formatting and dense language.
- Required disclosures about consumer data rights were missing.
- The notice had misconfigured or nonfunctional rights request mechanisms.
In the settlement, TicketNetwork will pay $85,000 and will comply with the CTDPA, and “maintain metrics for consumer rights requests received under the CTDPA [and] provide a report of these metrics to the Attorney General . . ..” The case and settlement indicate that even first-time violators are not exempt from penalties or required remediation.
Recommendations for businesses
If your organization is subject to the CCPA, the CTDPA, or any other state privacy law, you should consider the following questions:
- Have we audited our use of cookies, pixels, and other tracking technologies?
- Have we mapped our data flows to understand what we collect, use, and share?
- Is our privacy notice accurate, easy to understand, legally compliant, and regularly reviewed?
- Are our consumer rights request mechanisms (for example, access, deletion, opt-out) available, fully functional, and regularly tested?
Addressing these issues will help to reduce the risks of enforcement actions and class action privacy litigation.
How to prepare
Many businesses may not realize that they’re already subject to multiple state privacy laws. If your organization operates in multiple jurisdictions, you will need to understand and comply with each state’s obligations. A good first step is to conduct a multi-state privacy risk assessment. The assessment will help you identify areas of weakness and allow you to make corrections before you become the target of an enforcement or class action.