Inside the California Law Association Privacy Summit: What Regulators Are Really Watching

Posted March 17, 2025

Dan, our CEO, and I just got back from the CLA Privacy Summit in Los Angeles. It’s one of the best privacy conferences out there – it brings together some of the finest legal minds in privacy, security, and consumer protection from around California and beyond. The content and conversations were truly insightful, and I left buzzing with information that I want to share with those who couldn’t attend.

One of the most valuable sessions was a panel discussion with several US regulators, where members of the enforcement divisions and agencies across California, Colorado, Texas, and New Jersey shared important insights about their world, including their approach to investigations and priorities. 

I hear misconceptions about regulatory enforcement all the time when speaking with companies – misconceptions that lead to gaps that leave companies open to actions that could, in some cases, negatively impact their brands and hurt their bottom lines.

In a lot of cases, these gaps can be easily corrected with a little attention upfront and a robust automated monitoring program in place to avoid unforced errors from issues like bug releases and human error.

Myth 1: Regulator teams are narrowly focused

All of the states represented on the panel have dedicated privacy enforcement teams that sit within broader consumer protection groups in their states’ Attorney General’s offices.

The panelists emphasized that privacy enforcement is fundamentally a form of consumer protection. Cases that involve a violation of a privacy law often also involve violations of other consumer protection laws, such as those covering data breaches, unfair competition, consumer fraud, and unfair, deceptive, and abusive practices (UDAP).

As one panelist explained, “We don’t just live in privacy law – in an investigation, we look at all laws that have been violated.”

Further, the one regulator represented on the panel that is specifically focused on privacy – the California Privacy Protection Agency (CPPA), the nation’s first enforcement agency dedicated to consumer privacy – is enforcing a set of rules that are likely to soon also encompass requirements for cybersecurity audits, to ensure that companies are taking appropriate security measures to protect consumers’ personal information. 

Do not make the mistake of looking at privacy laws as separate and distinct from other consumer protections required under the laws of the state(s) you are doing business in.

Myth 2: Regulators don’t understand technology

All states represented on the panel are actively hiring technologists. California and Texas already have teams of technologists on staff, and are currently hiring more. 

Do not make the mistake of assuming that just because these are government organizations, they don’t understand the modern digital economy and they don’t have state-of-the-art technical tools to help them inspect what’s happening on your properties.

Myth 3: My company can hide in the herd, because regulators are focusing on big companies

While big headlines may feature big names, investigations can actually begin in several ways, including complaints to states’ consumer hotlines. Regulators also keep an eye on news and social media reports for potential consumer abuses, and they monitor lawsuits filed against companies as indicators of potential violations. Companies of all sizes can easily find themselves on the receiving end of an investigation.

Do not make the mistake of assuming that your company’s placement in the Fortune list has any bearing on the likelihood of your receiving a letter from a regulator.

Myth 4: Enforcement isn’t really happening yet

This is perhaps the biggest myth I hear. And I hear it every day. 

Most people think that the splashy headlines about settlements and lawsuits represent the entirety of enforcement. In truth, most actions remain confidential from beginning to end. This confidentiality protects both the integrity of the investigation and the reputation of companies that may have made an honest mistake and then cured the violation.

In 2024, every regulator on the panel except New Jersey (due to the timing of when their law went into effect) initiated at least 50 investigations. And we will never hear about the vast majority of them. 

Do not make the mistake of thinking that regulators are asleep at the switch just because you don’t see them in the news.

Regulators’ Priorities for 2025

Consumer complaints dictate a lot of where investigations focus, and a lot of consumer complaints are around fundamentals:

  1. Privacy notices that are missing, incomplete, confusing, or outdated
     “This is the number one consumer complaint in Colorado.”

  2. Manipulative patterns and deceptive designs in consent banners
     “Businesses should be reviewing consent banners to ensure they are clear and understandable, and that there is symmetry in choices. Consumers shouldn’t have to jump through hoops.”

  3. Opt-out mechanisms that don’t function correctly or at all, including opt out via the Global Privacy Control (GPC) signal
     “Opt out is one of the most important parts of CCPA. There needs to be a clear method, and it needs to work.”

In 2025, regulators will be continuing to focus on these foundational pieces of companies’ privacy programs, especially in relation to sensitive personal information, including children’s data, health data, and location data (which can be considered sensitive, depending on the level of precision and context).

What You Can Do

The overarching message from the panel was clear: regulators know what they’re doing, they are paying attention, and they have a number of tools at their disposal, both technical and legal.

One easy thing companies can do is simply to put on their consumer hat, and look at their own websites and products through that lens:

  1. Are your privacy notices clear, complete, and easy to understand? 
  2. Do your consent banners use any manipulative patterns, such as requiring fewer clicks to opt in to data sharing than to opt out?
  3. When a consumer does opt out, including via the GPC signal, does that opt out actually work?

Once you’ve assessed your consumer experience to make sure it’s consumer friendly and functional, consider how easy it is for something in that experience to break, either through a bug release, human error, or simple miscommunication among teams. It’s not enough to check your properties once, and then assume that everything will simply stay that way over the coming weeks and months.
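The three self-assessment questions above, turned into checks that a recurring monitoring job could run against a snapshot of each page load. This is an added example, not Boltive’s product code or any regulator’s tool; the snapshot schema, the host names, and the one-year notice review interval are constructed assumptions. The only outside facts it relies on are from the GPC specification: the signal arrives as the `Sec-GPC: 1` request header and, in the browser, as `navigator.globalPrivacyControl === true`.

```javascript
// Added example (not Boltive's code): the three self-assessment questions as
// checks over a constructed page-load snapshot. Schema and sample values are
// invented for illustration; the GPC header and navigator property are real.

const MAX_NOTICE_AGE_DAYS = 365; // assumed review interval, not a legal rule

// True when the consumer has asserted an opt-out via Global Privacy Control.
function gpcSignalled(req) {
  const header = (req.headers || {})['sec-gpc'];   // server-side: "Sec-GPC: 1"
  const nav = req.navigator || {};                  // client-side: boolean flag
  return header === '1' || nav.globalPrivacyControl === true;
}

// Returns a list of findings; an empty list means all three checks passed.
function selfAssess(snapshot, now = new Date()) {
  const findings = [];

  // 1. Privacy notice present and not stale (an invalid date also fails).
  const notice = snapshot.privacyNotice;
  if (!notice || !notice.url) {
    findings.push('privacy notice: missing');
  } else {
    const ageDays = (now - new Date(notice.lastUpdated)) / 86400000;
    if (!(ageDays <= MAX_NOTICE_AGE_DAYS)) findings.push('privacy notice: outdated or undated');
  }

  // 2. Consent banner symmetry: rejecting must not take more clicks than accepting.
  const b = snapshot.consentBanner;
  if (b && b.clicksToReject > b.clicksToAccept) {
    findings.push(`consent banner: asymmetric (${b.clicksToAccept} click(s) to accept, ${b.clicksToReject} to reject)`);
  }

  // 3. When GPC is signalled, the opt-out must be recorded and sale/share
  //    traffic must not fire afterwards.
  if (gpcSignalled(snapshot.request)) {
    if (snapshot.optOutRecorded !== true) findings.push('GPC: signal received but no opt-out recorded');
    for (const r of snapshot.thirdPartyRequests || []) {
      if (r.purpose === 'sale_or_share') findings.push(`GPC: sale/share request to ${r.host} fired after opt-out signal`);
    }
  }
  return findings;
}

// Constructed snapshot: GPC on, notice fresh, but the banner is asymmetric and
// one sale/share request still fires, so two findings are expected.
const SAMPLE_SNAPSHOT = {
  request: { headers: { 'sec-gpc': '1' }, navigator: { globalPrivacyControl: true } },
  privacyNotice: { url: 'https://example.com/privacy', lastUpdated: '2025-01-10' },
  consentBanner: { clicksToAccept: 1, clicksToReject: 3 },
  optOutRecorded: true,
  thirdPartyRequests: [{ host: 'ads.example.net', purpose: 'sale_or_share' }],
};
```

Run the same checks on every release and on a schedule, since the point of the panel’s remark is that a passing result today says nothing about next week’s deploy.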

As one of the panelists remarked, “The regulators are testing sites. You should be testing your own site. We should not be finding out before you do that you have a problem.”

Boltive can automate the process of monitoring your sites, apps, and ad campaigns to help you avoid surprises.

Request a free assessment today to see what we can do for you.