California Sends Message With Privacy Enforcement Actions, Lawyer Says

Big fines levied recently under the California Consumer Privacy Act are “clearly intended to send a message,” Halama said Monday. Seven public CCPA enforcement actions focusing on ad tech from the California Privacy Protection Agency or state attorney general’s office “do not tell the full story,” she said. “We are working on these investigations day in and day out.”

California’s $1.55 million Healthline decision earlier this year surprised Halama. The company shared data with third parties without CCPA-mandated privacy protections, including information suggesting individuals had serious health conditions, the AG's office said (see 2507010074). “California does not require consent to process sensitive information, unlike many of the other states, and therefore, I certainly did not have on my 2025 bingo card the possibility that California was going to be the first to act on sensitive data,” said Halama.

Maryland’s unique data minimization requirement adds to the compliance challenge, the Perkins lawyer said. The Maryland Online Data Privacy Act (MODPA), which took effect Oct. 1, limits the amount of data businesses can collect. It states they may only collect personal data that's "reasonably necessary and proportionate to provide or maintain” a service, and sensitive data that's "strictly necessary." MODPA also says that controllers may not sell sensitive data (see 2509290023).

Companies that “did everything right” under previous state privacy laws could “still be in trouble” under MODPA’s stricter data minimization requirement, said Halama. That said, “it's TBD as to how seriously Maryland … means this and how much enforcement we see.”