5 Key Privacy Enforcement Insights Shared by State Regulators at IAPP’s #GPS25
IAPP’s Global Privacy Summit in DC this week has featured panels with several state regulators charged with enforcing their state’s privacy laws, including regulators from California, Colorado, Connecticut, and Oregon. The regulators have provided insights on privacy enforcement at the state level, including different states’ enforcement priorities; the various steps for investigations at the state level; how the various state laws compare and contrast with each other; and how companies should navigate compliance and potential investigations. As state privacy enforcement has been increasing – and more state privacy laws have become effective – these insights are timely for any company trying to navigate the patchwork of state privacy laws.
Below, we recap five key insights we heard from the state privacy regulators.
- Even though there are fundamental similarities across state privacy laws, each state law has unique provisions, which are being enforced. The regulators emphasized key similarities between various state privacy laws. For example, a representative from the Oregon Attorney General’s office noted that Oregon’s privacy law was closely based on the laws in Connecticut and Colorado and explained that the Colorado regulations can be relevant to interpreting the Oregon law. That said, the regulators made clear that where there are material differences or unique provisions in their state laws, they will enforce those. For example, the Oregon representative discussed that state’s unique consumer access provision, under which controllers disclose the names of the specific third parties with whom personal data has been shared.
- There are tools and best practices to deal with complexity or ambiguity in state privacy laws. Acknowledging that new state privacy laws can introduce complexity and ambiguity, the regulators discussed various tools to help with compliance, including implementing regulations (e.g., in California and Colorado); FAQs and compliance guidance (e.g., in Oregon); and enforcement reports (e.g., in Connecticut). From an enforcement perspective, regulators encouraged companies to document implementation assessments and decisions in order to be prepared to explain to regulators why the company took a particular position in the event of an investigation. However, companies will want to carefully assess whether such assessments and compliance efforts should be done through counsel covered by attorney-client privilege.
- Regulators pay close attention to consumer complaints. The regulators highlighted that consumer complaints are important factors in their investigation and enforcement decisions. Different states take different approaches with respect to mediation or complaint resolution, but the speakers appeared to agree that consumer complaints – especially when multiple complaints concern a single company – can be the starting point for regulators to take a closer look at a company’s compliance.
- Regulators encourage companies to be proactive and cooperative in response to outreach. The speakers discussed at length how companies should react when they receive outreach from state regulators, and a key theme from all of the regulators is that companies should be proactive and cooperative. Specifically, regulators warned against being unresponsive or defensive. Instead, they encouraged companies to establish open communications with the regulator early, pay attention to the specifics of the request and be responsive; help to establish and meet reasonable timelines (e.g., with respect to productions); and be transparent.
- Different states have different approaches to cure periods, which affect the enforcement process. Some state laws have cure periods, which give companies a certain amount of time to address and fix compliance issues before the issue becomes a violation. These cure periods vary from state to state, which shapes each state’s approach to enforcement. For example, Connecticut’s mandatory cure period has expired, while Oregon’s mandatory cure period is still in effect. Importantly, however, regulators highlighted that they also enforce statutes other than the state privacy laws, which often do not have corresponding cure periods. So while a company may be able to rely on a cure period for an alleged privacy notice violation, for example, it should still be mindful of other legal frameworks, such as laws against unfair and deceptive practices, that do not have such mechanisms.
***
Wiley’s Privacy, Cyber & Data Governance team is at IAPP this week. Reach out to one of the authors if you would like to connect, or if you have any questions about state privacy laws and enforcement.