
Recent Privacy Enforcement - Summer & Fall 2025

10.01.2025


Between state privacy regulators now aiming enforcement actions at more than just the largest companies in the world, continued threats from the privacy plaintiffs’ bar, and the recent narrowing of pre-existing privacy law exceptions, the summer of 2025 saw an increase in data privacy risk to businesses, which shows no sign of slowing as we look ahead to fall.

Below, we highlight certain recent activity from privacy regulators, state legislatures, and plaintiffs’ firms that your business should note as it assesses privacy risk and exposure.

Enforcement Actions

  • Privacy regulators from seven states recently formed a task force for privacy enforcement and data sharing (California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon). See more here.
  • Three state regulators from the above group (California, Colorado, and Connecticut) announced in September a “Joint Investigative Privacy Sweep” regarding consumer opt-out requests, including recognition of Global Privacy Control automated opt-outs. See more here.
  • On July 1, 2025, the California Attorney General announced the largest ever fine in the state for violations related to online surveillance and tracking technologies. The AG fined Healthline Media $1.55 million for alleged violations of the California Consumer Privacy Act (“CCPA”), including alleged failure to honor opt-out requests of data “sales” and data “sharing” for targeted advertising, as well as improperly sharing sensitive health data with third parties. The settlement requires Healthline to audit certain contracts, maintain a CCPA compliance program, and update its privacy notices.
  • The California Privacy Protection Agency (“CPPA”) announced on September 30, 2025 a $1.35 million settlement with retailer Tractor Supply Co. for alleged violations of the CCPA. This is the CPPA’s largest fine to date. The CPPA alleged that the company failed to adequately notify customers and job applicants of their privacy rights, maintain adequate agreements with service providers, and provide and honor opt-out requests for data “sales” and “sharing” as required under the law.
  • On July 8, 2025, Connecticut Attorney General Tong announced an $85,000 settlement with TicketNetwork, Inc. for alleged violations of the state’s comprehensive privacy law, the “CTDPA.” In addition, the settlement required TicketNetwork to comply with the CTDPA, maintain metrics for consumer rights requests, and provide a report of those metrics to the Attorney General. AG Tong has issued over two dozen cure notices to businesses, all aimed at addressing privacy notice deficiencies under the CTDPA.
  • The California CPPA fined clothing design company Todd Snyder $345,178 in May 2025 for allegedly failing to process opt-out requests for the “sale” and “sharing” of personal data under the CCPA, requiring consumers to submit more information than necessary to process rights requests, and requiring consumers to verify their identity before they could opt out of data “sales” or “sharing.”

Demand Letters

To accompany state regulator scrutiny of data sales/sharing and opt-out requests, plaintiffs’ lawyers continue to send demand letters related to data sharing via cookies and other online trackers (including in particular the Meta Pixel), alleging violations of state wiretapping laws. The California Senate noted in April 2025 that in the previous 18 months, plaintiffs’ firms had sued over 1,500 businesses citing a California wiretapping law.[1] These firms also continue to send demand letters alleging violations of the Video Privacy Protection Act.

Narrowing of GLBA Exceptions

Montana and Connecticut passed legislation in May and June of 2025, respectively, that narrows the former wholesale exceptions in each state’s comprehensive privacy law for entities covered by the Gramm-Leach-Bliley Act.[2] Montana’s changes go into effect on October 1, 2025, and the majority of Connecticut’s changes go into effect July 1, 2026. These states now join others, including California, Minnesota, and Oregon, that have no blanket, entity-level GLBA carve-out from their respective comprehensive privacy laws.

______________________________________________________________________________

 

The Morris, Manning & Martin Privacy, Cybersecurity, and AI Practice Group is happy to help your business assess and develop defensive strategies around these (and other) emerging enforcement and compliance risks. 

October 1, 2025


The above information is provided by Morris, Manning & Martin, LLP for general information purposes only and does not constitute legal advice or establish an attorney-client relationship. Morris, Manning & Martin, LLP notes that the above list may not be exhaustive or complete. 


 

[1] See Senate Committee on Public Safety Bill Analysis, Senate Bill 690, 2025-2026 Reg. Sess. (April 25, 2025). 

[2] See Montana SB 297 here: https://bills.legmt.gov/#/laws/bill/2/LC0372?open_tab=bill and Connecticut SB 1295 here: https://www.cga.ct.gov/2025/ACT/PA/PDF/2025PA-00113-R00SB-01295-PA.PDF.