State Privacy Enforcement Often 'Nitpicky' and Non-Public, Says Lawyer
Much state enforcement is not publicly announced, said privacy lawyer Elliot Golding during a McDermott Will webinar Wednesday. “For every public enforcement we see, there's … dozens and dozens of ones that are not yet public.”
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
“We are seeing a lot … of enforcement letters out of California, Oregon, Texas and many other states looking at things that a lot of us might think are nitpicky, but that [are] leading to much broader investigations,” said Golding.
For example, Oregon’s privacy law gives consumers a right to request a list of specific third parties to whom data is sold and shared, he noted. “If it doesn't say that in your privacy notice, I would expect a letter,” he told webinar attendees.
States have also gone into the weeds with publicly announced enforcements, such as the California attorney general’s action against Healthline. The website agreed to pay the state $1.55 million after a highly technical and in-depth investigation that found Healthline failed to limit use of personal information to the purposes it was collected for, among other violations (see 2507030026 and 2507010074).
“It really extended how the California AG considers data to be sensitive in ways that, I think, go way beyond what a lot of people were thinking.” Other enforcement actions have shown the state focused on other “nitpicky things,” like counting how many steps it takes users to opt out versus to opt in.
A California Privacy Protection Agency official revealed in September that the CPPA has “hundreds” of open investigations, and in most cases the targeted businesses don’t know about them yet (see 2509260039).