States Continue Privacy Law Enforcement Efforts

July 16, 2025

Recent enforcement activities in California and Connecticut highlight that states are ready and willing to actively enforce their comprehensive privacy laws. These recent actions – which continue the trend of states ramping up privacy enforcement activity – make clear that regulators are taking compliance with state comprehensive privacy laws seriously.

Below we highlight two recent enforcement actions and flag key takeaways for companies, including the importance of (i) building a compliance strategy that emphasizes clear communication with consumers; (ii) being responsive to regulatory inquiries; and (iii) providing clear and operative opt-out mechanisms.

California

On July 1, the California Attorney General (AG) announced a settlement with website publisher Healthline Media LLC. The settlement is based on the California Department of Justice’s allegations related to the use of sensitive data for targeted advertising purposes; specifically, the AG alleged that the company violated the California Consumer Privacy Act (CCPA) by failing to fulfill consumer opt-out requests and by sharing data with third parties without CCPA-mandated privacy protections.

Key takeaways include:

  • Consumer expectations should be considered when assessing the purpose limitation. This settlement is of particular interest because it provides insights into how the California AG interprets the CCPA’s purpose limitation provisions. Specifically, the Complaint indicates that certain data processing activities could violate the purpose limitation principle – even if they are listed in the privacy policy – if the processing is not “consistent with the reasonable expectations of the consumer,” explaining that “the law provides that invisibly sharing data of a more intimate nature to third parties, briefly alluded to in a privacy policy, may be unlawful when consumers would not expect that to happen. The law further provides that even detailed privacy disclosures regarding other intended uses of data may violate the principle if the disclosed purposes differ substantially from the consumer’s reasonable expectations.” See Complaint at ¶ 22.
  • Ensure opt-out mechanisms are in place and operative. The Complaint alleged that the company failed to honor consumer requests to opt out of the sale or sharing of their personal information for targeted advertising.
  • Ensure advertising contracts contain the required CCPA provisions. The Complaint alleged that the company’s advertising contracts did not contain privacy protections required by the CCPA.

Connecticut

On July 8, the Connecticut Attorney General announced an $85,000 settlement with online marketplace TicketNetwork, Inc. This settlement followed the alleged failure of TicketNetwork to adequately respond to a cure notice. 

Key takeaways include:

  • Ensure privacy policies are up to date and consumer rights mechanisms are operative. The Connecticut AG alleged that “the company’s privacy notice was largely unreadable, missing key data rights, and contained rights mechanisms that were misconfigured or inoperable.”
  • Be responsive to communications from state AGs. The Connecticut Attorney General’s press release noted that TicketNetwork failed to adequately respond to its cure notice within the 60-day statutory cure period. On the other hand, the AG noted that other companies have timely responded to similar notices, writing that “[t]o date, the Office of the Attorney General has issued four separate ‘privacy notice sweeps’ consisting of over two dozen cure notices in total, all aimed at addressing privacy notice deficiencies...Nearly all other companies [beyond the one at issue in the settlement] took prompt steps to come into compliance.” Notably, Connecticut’s right to cure expired on January 1, 2025; however, to the extent companies receive cure notices (where applicable) or other communications from enforcement agencies, it is important to timely respond.

***

Wiley’s Privacy, Cyber & Data Governance Practice has broad experience in navigating rulemakings and compliance surrounding cutting-edge technology and the evolving legal landscape. For questions about this blog post, please contact the authors.

Wiley Connect

Sign up for updates

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek