State Regulators Intensify Privacy Law Enforcement

With 19 state privacy laws now in effect, regulators are increasing enforcement with a focus on clear opt-out mechanisms and cross-device compliance. A recent case saw Disney fined $2.75 million under the CCPA for requiring consumers to navigate multiple platforms to opt out. Regulators are prioritizing transparent privacy notices and the protection of minor and health data, raising the stakes for automated compliance.

- Agentic AI systems, which act autonomously to achieve goals, introduce new privacy risks by potentially accessing or repurposing sensitive personal data without sufficient context, complicating accountability when breaches occur. Enterprises are exploring these architectures, but their ability to operate across different data systems heightens the risk of misuse if not governed by strict access controls and continuous security monitoring.
- The Texas Data Privacy and Security Act (TDPSA), effective since July 2024, is being aggressively enforced by the state's Attorney General, with investigations targeting a wide range of industries for violations like unauthorized data sales. Penalties for non-compliance after a 30-day cure period can reach up to $7,500 per violation.
- In 2025, the Connecticut Attorney General's enforcement actions have focused on chatbot transparency, timely data breach notifications, and clear opt-out choices. A notable case involved an $85,000 settlement with TicketNetwork for an unreadable privacy notice and non-functional consumer rights links.
- As of January 1, 2025, businesses subject to the Connecticut Data Privacy Act must recognize universal opt-out mechanisms like the Global Privacy Control. This trend is expanding, with states like Delaware, Nebraska, Minnesota, New Jersey, and Maryland also requiring the adoption of universal opt-out signals.
- State attorneys general are increasingly collaborating on enforcement, with a particular focus on protecting minors online from deceptive practices and the misuse of their data by social media and gaming platforms. In 2025, Connecticut launched multiple investigations into platforms and AI chatbots that pose risks to minors.
- The California Privacy Protection Agency (CPPA) is actively enforcing data broker registration under the Delete Act, issuing fines for failure to register. The agency is also advancing rulemaking on cybersecurity audits, risk assessments, and consumer rights related to automated decision-making technologies.
- Upcoming regulations like the Colorado AI Act, effective in 2026, will mandate greater transparency from AI developers and establish an "affirmative defense" for companies that comply with risk management frameworks like the one from NIST.
- In 2025, eight more states, including Maryland and New Jersey, are implementing comprehensive privacy laws, each with unique requirements. Maryland's law, for instance, imposes stricter data minimization rules, limiting collection to what is "reasonably necessary" for a requested product or service.
