Reprinted with permission from the September 23, 2025 edition of The Legal Intelligencer. © 2025 ALM Global Properties, LLC. All rights reserved. Further duplication without permission is prohibited, contact 877-256-2472 or asset-and-logo-licensing@alm.com.
The enforcement of state privacy laws has shifted dramatically in 2025, moving from theoretical and expected compliance to active and aggressive action. Without a federal privacy law, state attorneys general and privacy agencies are setting new legal precedents through significant settlements and investigations. This has created a complex mix of enforcement priorities and legal interpretations that companies must navigate. Recent cases in California, Connecticut, and Texas offer important insights into current regulatory trends and the specific compliance duties regulators are focusing on.
In California, enforcement is led by two key agencies: the California Privacy Protection Agency (CPPA) and the state Attorney General. The CPPA has shown a strong focus on procedural compliance and the specific rules of newer laws. In February 2025, the CPPA filed a case against Jerico Pictures, Inc., which operates as National Public Data, a Florida-based data broker. The agency accused the company of failing to register and pay the required annual fee under the Delete Act. The company registered 230 days late, and only after the CPPA’s Enforcement Division contacted it. The CPPA sought a $46,000 fine for these violations. This followed an earlier claim filed by the CPPA in October 2024 in U.S. Bankruptcy Court, which stated the company owed an administrative fine for not registering as a data broker in California. Since October 2024, the CPPA has also taken action against five other data brokers, resulting in settlements, showing a continued focus on this industry.
Beyond data brokers, the CPPA is also reviewing how companies put consumer rights into practice. On May 6, 2025, the CPPA announced a settlement with the clothing retailer Todd Snyder over allegations that the company’s opt-out and other privacy request processes did not meet the standards of the California Consumer Privacy Act (CCPA). The company agreed to pay a $345,178 penalty and update its privacy compliance practices. This case, which follows a similar one against Honda, offers key lessons for businesses. First, it highlights the importance of ensuring that opt-out mechanisms, especially for the sale or sharing of personal information for behavioral advertising, are properly set up and working. The order states that the company’s system was misconfigured, emphasizing that businesses using third-party privacy tools must actively monitor and ensure they function correctly. Second, the case warns against using a one-size-fits-all approach to privacy requests. The agency alleged that the company collected too much information for some requests and added unnecessary verification steps for opt-outs, both of which violate the CCPA. Finally, the settlement underscores the need to reduce risk through regular and thorough employee privacy training.
At the same time, the California Attorney General has pursued major cases that test the boundaries of the law. On July 1, 2025, Attorney General Rob Bonta announced a groundbreaking $1.55 million settlement with Healthline Media LLC, the largest CCPA settlement to date. Healthline, a popular health information website, earns revenue through advertising, including personalized ads delivered by third-party trackers. The Attorney General’s complaint alleged that Healthline failed to honor consumer opt-out requests (including Global Privacy Control signals), used personal information for purposes beyond what was disclosed, had insufficient contracts with vendors, and engaged in deceptive practices related to its broken cookie consent banner.
The Healthline case is notable for its detailed technical analysis and its interpretation of the CCPA’s purpose limitation principle. The Attorney General argued that sharing article titles with advertisers, such as “The Ultimate Guide to MS for the Newly Diagnosed,” could reveal sensitive health information about the reader in a way that violates consumer expectations, even if this practice was mentioned in the privacy policy. The complaint stated that data processing is unlawful if it is not “consistent with the reasonable expectations of the consumer,” suggesting that even detailed disclosures may violate the law if the purposes differ significantly from what a consumer would expect. The Attorney General also emphasized that Healthline’s advertising contracts lacked CCPA-required terms, noting that the company “had assumed, but not verified, that the third parties had agreed to abide by an industry contractual framework.” In a significant shift, the Healthline settlement imposes requirements that go beyond the CCPA’s basic rules. It completely prohibits Healthline from selling or sharing data that shows a consumer is reading a “Diagnosed Medical Condition Article,” something the CCPA would normally allow with proper notice and opt-out rights. This represents a change from earlier settlements with companies like Sephora and Honda, which focused on ensuring future compliance with the law’s existing requirements. It also shows the Attorney General’s willingness to use settlements to create new, stricter de facto rules for sensitive areas.
Adding to its assertive stance, the CPPA took the unusual step on August 6 of suing Tractor Supply Co. to force compliance with an investigative subpoena. The CPPA asked for information dating back to January 1, 2020, when the CCPA first took effect. The company refused to provide information from before January 1, 2023, arguing that the CPPA’s enforcement authority, which began in July 2023, did not cover earlier periods. The CPPA’s legal filing disputes this, stating that its investigative power covers the entire history of the law, not just the time since it gained enforcement authority.
Outside California, other states are also stepping up enforcement. On July 8, 2025, Connecticut Attorney General William Tong announced an $85,000 settlement with TicketNetwork, Inc., the first monetary penalty under the Connecticut Data Privacy Act (CTDPA). The settlement followed the company’s failure to address problems identified in a cure notice sent in November 2023. The Attorney General alleged that the company’s privacy notice was largely unreadable, missing key data rights, and contained broken or unusable rights mechanisms. Importantly, TicketNetwork did not fix these issues within the 60-day cure period and misrepresented its efforts to correct them. The Attorney General’s office noted it had sent out more than two dozen cure notices as part of “privacy notice sweeps,” and that most other companies had responded quickly to comply. This case highlights the importance of having clear and working privacy notices and systems, as well as responding honestly and promptly to regulators, even in states where the right to cure has expired.
In Texas, the Attorney General’s office is enforcing the Texas Data Privacy and Security Act (TDPSA) with a focus on national security concerns. On May 6, 2025, the Attorney General announced that it had sent noncompliance notices to several Chinese-owned companies, giving them a 30-day period to fix the issues and warning of possible legal action for continued violations. Although the details of the notices were not made public, the Attorney General’s office reiterated that the law requires companies to disclose their data processing activities and allow consumers to opt out of data collection and delete their data. This action signals a broad view of the TDPSA’s reach and aligns with growing federal concerns about foreign access to U.S. personal data. This follows the first TDPSA enforcement action, filed on January 13 against Allstate and its subsidiary Arity, accusing them of illegally collecting and selling personal data from over 45 million Americans through software embedded in mobile apps.
For businesses operating in this complex and changing enforcement environment, a comprehensive and proactive compliance strategy is essential. First, companies must go beyond a checkbox approach to technical compliance. The Todd Snyder and Healthline cases show that regulators will test whether opt-out systems, cookie banners, and request portals actually work. Regular auditing and testing of these systems, especially when managed by third parties, is critical. Second, privacy notices and consumer rights processes must be clear, accurate, and functional. The Connecticut case against TicketNetwork demonstrates that regulators are conducting sweeps and have little tolerance for flawed notices or broken systems, especially when companies are slow to respond to cure notices. Third, data processing activities must be evaluated based on consumer expectations, not just disclosures. The Healthline settlement introduces a reasonableness standard, meaning that even disclosed data uses may be illegal if they differ significantly from what a consumer would expect. Fourth, vendor management is a key enforcement target. Contracts must include all required privacy terms, and assumptions about vendor compliance are not enough; active verification is necessary. Finally, companies must be prepared for investigations that may reach back to the original effective date of a state’s law and must respond to regulatory inquiries quickly and thoroughly. In this new era of state-level enforcement, a well-documented, operational privacy program, coupled with periodic legal audits and reviews, is the best defense against becoming the next major settlement.
