March Privacy Forecast: U.S. State and Federal Enforcement Trends

This week in our March Privacy Forecast, we discuss privacy and data security enforcement trends at the state and federal levels.

Particularly as state privacy laws continue to expand and evolve, companies should understand how they are being implemented and enforced. Below we answer frequently asked questions about recent enforcement trends and their implications.

As states enact and implement more and more privacy laws, how are they being enforced?

A growing number of states are adopting and implementing laws designed to protect data privacy. Currently, 13 comprehensive privacy laws are in effect; that number will grow to 16 by the end of 2025 and 19 by January 2026. And many states have also adopted targeted privacy laws focused on specific data or specific sectors, including laws that address consumer health data, children’s data, biometric data, or entities acting as data brokers.

These laws have varying enforcement frameworks. The vast majority of state privacy laws, including privacy provisions under most state comprehensive privacy laws, can only be enforced by government regulators. However, some targeted privacy laws, such as the Washington My Health My Data Act (MHMDA) and the Illinois Biometric Information Privacy Act (BIPA), also include a private right of action (PRA).

In recent months, we have seen an uptick in both regulatory enforcement actions and private litigation. In March 2025, the California Consumer Privacy Protection Agency settled its first enforcement action under the California Consumer Privacy Act (CCPA). The Texas AG has been particularly active in enforcement: among other efforts, it is investigating companies for their privacy practices related to minors pursuant to the Securing Children Online through Parental Empowerment (SCOPE) Act and the Texas Data Privacy and Security Act (TDPSA), and it filed the first lawsuit under the comprehensive TDPSA earlier this year. Other states, such as Connecticut and Delaware, have also put out statements advising consumers and businesses of their rights and obligations under their respective laws.

On the private litigation front, on February 10, 2025, Washington state residents filed the first class-action complaint under the MHMDA’s PRA. This litigation is ongoing and will provide further insight as to the scope of the MHMDA.

Are there specific trends or areas of focus to be aware of at the state level?

New state privacy laws – as well as established state consumer protection laws – cover a wide range of practices and kinds of data. That said, there are some areas that appear to be priorities for state regulators:

  • Artificial intelligence. While states consider AI-specific laws, states also may use existing consumer protection laws to bring enforcement actions when they allege that AI has been misused. For example, in September 2024, the Texas AG settled with an artificial intelligence health care technology company for alleged false and misleading statements about the accuracy and safety of its products. Additionally, in December 2024, the Oregon AG issued guidance with a clear message: “If you think the emerging world of Artificial Intelligence (‘AI’) is completely unregulated under the laws of Oregon, think again!” The Oregon AG went on to explain that the state’s existing “Unlawful Trade Practices Act, Consumer Privacy Act, and Equality Act, among others, all have roles to play [in regulating AI].”
  • Sensitive data. State regulators have increased scrutiny and enforcement related to children’s online privacy and health data. For example, in October 2024, the Texas AG office announced the first enforcement action under the SCOPE Act. States have also been active in enforcement regarding sales of vehicle-related data.
  • Data sales. In 2022, the California AG announced a $1.2 million settlement with a cosmetics company for failing to disclose to consumers that it was selling their personal information, failing to process user requests to opt out of sale via user-enabled privacy controls, and failing to cure such violations within the 30-day period allowed by the CCPA. Additionally, the California Privacy Agency announced a $632,500 settlement with an auto manufacturer for alleged violations of the CCPA, including sharing consumers’ personal information with ad tech companies without requisite contracts.
  • Data broker activity. As we covered in our last forecast, a number of states, including California, Oregon, Texas, and Vermont, have enacted data broker laws that govern the collection and sale of certain consumer data, and several states have been proactive in enforcing such laws. For example, California has reached settlements with a number of data brokers, and Texas has issued letters to over 100 companies for their apparent failure to comply with registration and other requirements.

How should businesses prioritize compliance efforts, given the complex patchwork of laws and broad enforcement trends?

With the proliferation of state privacy laws, businesses should familiarize themselves with how these laws are similar to and distinct from each other. Companies should pay careful attention to exemptions, applicability thresholds, and other provisions that will determine whether and how a company will need to comply with a particular state’s law, and they should document their good-faith efforts to comply, particularly in areas in which the law is unclear.

If companies receive a notice of investigation or apparent violation, they should engage with state enforcers quickly and proactively. Indeed, many state frameworks grant cure periods for companies to address alleged violations within a limited time period. And regardless of a cure period, companies will benefit by demonstrating good-faith efforts at compliance.

What about federal privacy enforcement? With all the changes at the FTC, what can we expect regarding privacy and security enforcement activity?

While there have been significant changes recently at the FTC, the agency will likely continue to bring privacy cases based on a deception theory. The Commission may also continue to support cases involving the sharing of sensitive data without consent and pursue health-related privacy claims.

Thank you for following along with our March Privacy Forecast! We hope you’ve found the insights shared each week to be informative and helpful.

***

Wiley’s Privacy, Cyber & Data Governance team assists a broad range of clients in implementing the ever-growing patchwork of state privacy laws. Contact one of the authors if your organization needs assistance in assessing compliance or responding to a state enforcement action.
