State Coordination on Privacy Enforcement Becoming the 'Norm,' Attorneys Say
A coordinated enforcement sweep by California, Colorado and Connecticut signals “the growing power of multi-state cooperation on privacy enforcement,” Perkins Coie lawyers Alison Watkins and Peter Hegal blogged Wednesday. Other privacy lawyers also flagged last week’s development in blog posts this week.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Earlier this month, attorneys general from the three states and the California Privacy Protection Agency announced an investigative sweep for companies not complying with the Global Privacy Control (GPC), a leading type of universal opt-out preference signal (see 2509090045).
“The coordinated effort signals a watershed moment in privacy enforcement, underscoring that state regulators are increasingly working together to enforce privacy rights nationwide,” said Watkins and Hegel. “While California, Colorado, and Connecticut are currently leading this effort, other states -- including Texas, Oregon, Maryland, and Minnesota -- have privacy laws that require (or will soon require) similar opt-out mechanisms. Businesses that delay implementing these opt-out mechanisms may find themselves an enforcement target as these obligations expand across jurisdictions.”
The Venable law firm agreed. “This latest joint enforcement effort underscores a broader trend: states are increasing cooperation in scrutinizing companies' compliance with opt-out mechanisms and the broader laws,” wrote its attorneys Michael Signorelli, Rob Hartwell and Matthew Stern. “Regulators are closely examining whether opt-out tools function as intended and as described to consumers. Companies should proactively review and update their compliance strategies and technical setups as needed.”
McCarter & English privacy attorneys blogged Thursday that companies whose marketing includes cross-context behavioral advertising should take notice. “A business that engages in ad tracking and does not currently recognize the GPC signal should determine whether it is subject to a state law that requires such recognition,” wrote the firm’s Kimberly Castellino Metzger and Erin Prest. “If so, it should assess how to comply with the opt-out and other provisions of applicable state law.”
The McCarter attorneys added that the enforcement sweep, when taken with an April announcement that several states formed a Consortium of Privacy Regulators (see 2504160037), indicates that "coordinated investigations are likely to become the norm."