State Privacy Enforcement Ramps Up

As of April, 20 states have adopted comprehensive consumer data privacy laws, with seven more adopting more narrow privacy laws. This legislative patchwork is creating a varied regulatory environment, forcing companies to adapt to multiple data privacy frameworks. For those who don’t comply, enforcement actions are rolling in, and Wiley writes about two new enforcement actions filed in California and Texas:

“State enforcement agencies are keeping the pressure on businesses, with two new enforcement actions announced this week in California and Texas. This activity signals to companies – both within and outside of the United States – that states are actively enforcing their privacy laws.”

In California, the Consumer Privacy Protection Agency (CPPA) settled a case with online retailer Todd Snyder. The CPPA alleged that Todd Snyder failed to comply with opt-out and privacy request requirements of the California Consumer Privacy Act. In Texas, the Attorney General put several Chinese and Chinese-aligned companies on notice, alleging violations of the Texas Data Privacy and Security Act, and gave them 30 days to cure the violation. These two enforcement actions demonstrate the varied nature of state privacy enforcement. Different states not only have different privacy laws, but also varying enforcement priorities. Additionally, these laws often apply to companies doing business in the state, not just those headquartered there. This means that state enforcement can reach national, and even international, companies. Therefore, companies must comply in all jurisdictions where they operate and build robust compliance programs that track state privacy developments.