State Enforcement Actions Pick Up Steam in 'Active' 2025, Says Troutman Lawyer
The number of enforcement actions under state consumer privacy laws is “building” and could soon explode, said Troutman privacy attorney David Stauss on his firm’s webinar Thursday. For companies, injunctive relief could be just as costly as the monetary penalty, he cautioned.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
2025 was an "active year,” with states announcing eight enforcement actions citing comprehensive privacy laws, said Stauss. Compare that to two in 2024, zero in 2023 and one in 2022, he said. While “we’re not at a crazy point yet,” Stauss predicted that next year at this time, lawyers will be buzzing more about enforcement actions than “tweaks to bills.”
Stauss noted that the California Privacy Protection Agency's enforcement head commented recently that it has hundreds of open investigations (see 2509260039). "There's no methodology for figuring out whether you're under investigation," said Stauss, but the 100 open-investigations statement is another signal that "there's more coming, and there's a lot more in the works right now."
Eight of the 11 enforcement actions from 2022-2025 came from California, which enacted the California Consumer Privacy Act in 2018, the Troutman lawyer noted. All eight California actions had "something to do with selling or sharing personal information,” he added. The top subjects across states with enforcement actions have been improper consumer request procedures, deficient disclosures or privacy policies and lack of data processing agreements, said Stauss.
State penalties have ranged in size, from as low as $85,000 for a Connecticut action against TicketNetwork to $1.35 million in California’s action against Tractor Supply. But Stauss cautioned: “Do not stop at the fine amount when you're thinking about these enforcement actions. The injunctive relief provisions of these enforcement actions are just as significant and just as costly."
Types of injunctive relief in the enforcement actions included mandates to fix disclosures and consumer request mechanisms and enter into data processing agreements, as well as reporting or monitoring requirements, the lawyer said. The latter, which could mean three years of auditing to prove compliance, “is a significant cost and expense on companies, and it's a hidden cost of these enforcement actions,” he said. “And it's one of those things that … really should drive upfront compliance.”
Other lawyers have also noted the growth of state enforcement. Earlier this week at the Association of National Advertisers ad law conference, Perkins Coie privacy attorney Meredith Halama said state comprehensive privacy laws are not "paper tigers" and are being enforced rigorously, especially in California (see 2511040057). She added that the publicly announced enforcements don't "tell the full story" of how many investigations are ongoing.
Similarly, McDermott Will's Elliot Golding said in an Oct. 29 webinar that much state enforcement isn't publicly announced. He said there are many "nitpicky" enforcement letters coming from California, Oregon and Texas, among other states (see 2510290037).
Meanwhile, a panel last week at IAPP's privacy and security conference said that states are bolstering their privacy and consumer protection enforcement by onboarding additional attorneys and technologists (see 2511030036).