
States Team on Privacy Enforcement as Federal Action Stalls

November 5, 2025

State attorneys general and newly empowered state privacy agencies have moved aggressively into the enforcement gap left by continued Congressional inaction on comprehensive privacy regulation. In April, regulators from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon formed the Consortium of Privacy Regulators, later joined by Minnesota and New Hampshire, to share expertise and resources and coordinate enforcement.


Nearly half of the states with comprehensive privacy statutes now share resources, investigative strategies, and legal theories. This shifts privacy enforcement closer to the antitrust model, where multistate coalitions routinely negotiate joint settlements. For companies trying to manage multiple compliance regimes, the heightened state cooperation means a single violation in one state can now trigger inquiries across multiple jurisdictions, greatly raising exposure.

Opt-out compliance, such as the ability to block targeted advertising and data sales, remains the most frequently cited violation. Regulators continue to run “sweeps” of consumer-facing websites to verify that opt-out buttons are functional, conspicuous, and technically effective.

Last week, California’s attorney general announced a $530,000 settlement with Sling TV for making its opt-out process confusing and difficult to access. That followed an earlier $1.35 million settlement between the California Privacy Protection Agency (CPPA) and Tractor Supply after the agency found that the company’s opt-out tool did not actually disable data sales and failed to honor Global Privacy Control (GPC) signals.

In the wake of that settlement, Connecticut and Oregon issued broad cure notices related to missing or ineffective opt-out mechanisms.

California, Colorado, and Connecticut also recently launched a joint investigative sweep into whether companies honor browser-based universal opt-out signals such as GPC. Some companies have taken the position that they do not recognize GPC. The latest enforcement sweep suggests that position is no longer tenable.

According to a client alert from Jenner & Block, California recently escalated the issue further by adopting the Opt Me Out Act (AB 566), which requires browser developers to include built-in opt-out functionality, effectively normalizing signal-based opt-outs across the ecosystem.

Regulators are also examining whether interface design subtly nudges consumers into sharing data, a practice known as “dark patterns.” Connecticut has issued cure notices for cookie banners that make it harder to reject tracking than to accept it, and Texas has deployed its deceptive trade practices statute to challenge opaque disclosures in the auto industry. California’s CPPA has already penalized a company for providing “asymmetric” cookie options—allowing one-click acceptance but multi-step rejection.

States without comprehensive privacy statutes are filling the gap using traditional unfair and deceptive acts and practices (UDAP) laws. New York, Michigan, and Nebraska have all brought actions alleging undisclosed data monetization or misleading interface design. That trend means no company can limit privacy risk assessments to CCPA-style statutes; UDAP exposure is now nationwide.

The next enforcement wave, per Jenner & Block, could target deceptive purpose disclosures. California recently reached a $1.5 million settlement with Healthline after finding that its sharing of health-related browsing data with advertisers exceeded the “purpose” disclosed in the company’s privacy notice. This is the first major U.S. enforcement action to treat purpose limitation as a standalone legal obligation, essentially importing a GDPR-like theory into state law.

In the absence of federal preemption, state privacy enforcement is consolidating, accelerating, and expanding into new legal theories. Companies that treat privacy as a static disclosure exercise—not a living technical and legal control system—will be first in line for the next round of multi-state actions.