The California Attorney General and the Connecticut Attorney General have recently taken enforcement actions against organizations for violations of comprehensive state privacy laws, demonstrating the importance of assessing vendor contracts, consumer-facing notices, online advertising practices, and consent mechanisms. As privacy regulators continue to target online tracking technologies, opt-outs, and privacy notice violations, organizations must ensure they are in compliance with the law.

• Recent enforcement actions highlight the need for companies to review their vendor contracts, consumer-facing notices, and online advertising practices.
• Compliance with comprehensive state privacy laws requires attention to consent mechanisms and backend processes supporting those mechanisms.
• Enforcement actions by regulators demonstrate that privacy regulators are increasingly targeting online tracking technologies and opt-outs.

In the case of TicketNetwork, the company failed to correct deficiencies in its privacy notice after a cure notice was issued by the Connecticut Attorney General in November 2023. The company did not resolve these issues within the 60-day cure period ending January 8, 2024. The Office of the Attorney General issued multiple cure notices as part of its series of “privacy notice sweeps”. The California Attorney General, Rob Bonta, announced a $1.55 million settlement with Healthline Media LLC for violations related to online tracking technology and CCPA. The company agreed to pay $1.55 million in civil penalties and comply with injunctive measures. The settlement is pending final approval from the court. In the case of Healthline Media LLC, the company failed to allow consumers to opt out of targeted advertising and improperly shared sensitive health data with third parties. The company failed to honor opt-out requests for sale or sharing, maintain required privacy contracts with its advertising vendors, and properly disable tracking cookies despite featuring a consent banner that did not actually function. The complaint alleges that Healthline failed to verify that the third parties had agreed to abide by an industry contractual framework. The California Privacy Protection Agency has also taken significant enforcement actions against various companies, including nearby data brokers. In May, the CPPA fined Todd Snyder for violations related to opt-out procedures. The CPPA found that Todd Snyder’ consent banner and cookie preferences settings did not function properly, also impacting its Global Privacy Control function, and the retailer improperly requested extensive verification steps when processing opt-outs. The enforcement action included a $345,178 fine and various compliance measures. The California Privacy Protection Agency has also joined the Consortium of Privacy Regulators in April, along with state attorneys general from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon, with the goal of sharing resources, expertise, and coordinating investigations related to privacy enforcement. The CPPA has also signed a declaration of cooperation with the UK Information Commissioner’s Office to enhance international privacy protections. As organizations continue to prepare for the potential for increased regulatory scrutiny on financial institutions and financial data, companies should also prepare for the potential for increased regulatory scrutiny on companies that provide online services and consent mechanisms. Comprehensive state privacy laws will continue to play a crucial role in protecting consumer privacy, and organizations must ensure they are in compliance with the law to avoid regulatory scrutiny and enforcement actions.

“Privacy is a fundamental right that deserves to be respected and protected.