States Other Than California Bolstering Privacy Enforcement, Lawyers Say

In July, Connecticut announced a settlement with TicketNetwork over potential violations of the state's Data Privacy Act (CTDPA) (see 2507080010), which some said signaled an enforcement crackdown in the state, despite the modest fine attached (see 2507110003). The McGuire Woods lawyers said the settlement "illustrates that the use of templates containing overly generalized privacy notices and non-functional mechanisms to protect consumers’ privacy rights will no longer fly under the radar in Connecticut."

In Nebraska, the attorney general sued GM and its subsidiary OnStar for the alleged unlawful collection, processing and sale of sensitive driving data from state residents without their knowledge or consent, in violation of the state Consumer Protection Act (CPA) and Uniform Deceptive Trade Practices Act (UDTPA) (see 2507080019). The suit was filed under those laws because the primary allegations occurred prior to January, which is when the state’s comprehensive privacy law, the Nebraska Data Privacy Act (DPA), took effect, a spokesperson for the AG’s office told Privacy Daily (see 2507080048).

While the Nebraska AG didn't rely on the comprehensive privacy law, "the takeaway is the same: companies must be transparent about how data is collected, used, and shared, regardless of whether a formal privacy law applies," the lawyers said.

Both cases show state AGs "are actively investigating and responding to data privacy violations and using all available tools," they added. As a result, "businesses operating in multiple jurisdictions must treat privacy obligations as an integral part of their compliance framework" and take proactive steps to mitigate risk. "With privacy expectations rising across the legal and public landscape, companies that prioritize consumer trust and regulatory compliance position themselves ahead of the curve."