Privacy Law Recap 2025—State Enforcement

While 2025 saw no new state comprehensive privacy laws enacted, state enforcement activity accelerated—individually and collaboratively—reflecting trends likely to intensify in 2026. 

Key enforcement focus areas included youth privacy and online safety, consumer rights, and data brokers/data sales. This post discusses highlights from 2025 and looks at expected trends in 2026.

Youth privacy and online safety. Like the FTC, the states have focused on children’s privacy and protecting minors. Examples include:

• Jam City. The California Attorney General alleged that Jam City, a mobile gaming app developer, violated the California Consumer Privacy Act (CCPA) by selling and sharing the personal information of users it knew were aged 13-16 without their consent, failing to maintain effective age gates for several games, and providing child versions of its games only to self-identified under-13 users. In addition to $1.4 million in civil penalties, the settlement requires Jam City to provide in-app methods for consumers to opt out of the sale or sharing of their data and prohibits the company from selling or sharing the personal information of consumers at least 13 and younger than 16 years old without their consent.
• Kik. The Nevada Attorney General filed a lawsuit against MediaLab.Ai and subsidiary Kik for operating an anonymous messaging app alleged to be detrimental to children, in violation of the Nevada Deceptive Trade Practices Law and Nevada product liability law. Litigation is ongoing.
• Sling TV. The California Attorney General settled with internet-based live and streaming TV service Sling TV LLC and Dish Media Sales LLC (collectively, Sling TV), over alleged inadequate privacy protections for users under age 16 in violation of the CCPA. According to the complaint, Sling TV did not disable sales or sharing of personal information when parental controls were turned on or otherwise when children likely were watching Sling TV. Sling TV did not admit any liability, but to settle the allegations agreed to an order requiring it to pay $530,000 in civil penalties and implement changes, such as allowing parents to designate user profiles as a “kid’s profile” that turns off the sale or sharing of personal information and targeted advertising (cross-context behavioral advertising). Further, Sling TV must enable programmers to designate their channels as “made for children or minors,” and for any channels so designated, not make available the option to advertise based on, or inferred from, personal information. 

Exercise of opt-outs and other statutory rights. Opt-out and other consumer rights continue to be a high priority of state regulators, including universal opt-out signals. State regulators increasingly targeted companies that they alleged made it unduly burdensome or confusing for consumers to exercise their rights. For example:

• Honda. In March, the California Privacy Protection Agency (CalPrivacy) announced a CCPA settlement with Honda stemming from its alleged requirement of unnecessary information to verify identity for consumer requests to opt out of the sale or sharing of personal information or to limit the use or disclosure of sensitive personal information. The CCPA does not permit verification for these rights (in contrast to rights of access, deletion, and correction). Honda did not admit liability for any CCPA violations, but to resolve the allegations, it agreed to a $632,500 penalty and to simplify its privacy process, consult a UX designer, train staff, and update contracts for data sharing.
• TicketNetwork. In July, the Connecticut Attorney General announced the first settlement under the Connecticut Data Privacy Act (CTDPA) against TicketNetwork. According to the Connecticut Attorney General, the company’s privacy notice contained rights mechanisms that were “misconfigured or inoperable,” omitted key rights, and was largely unreadable. The settlement requires TicketNetwork to pay $85,000, comply with the requirements of the CTDPA, maintain metrics for consumer rights requests under the CTDPA, and provide a report on the metrics to the Attorney General.
• Sling TV. The California Attorney General’s complaint against Sling TV, mentioned above, alleged that the company violated the CCPA by failing to provide easy-to-execute opt-out methods and understandable consumer disclosures explaining opt-out choices. Sling TV allegedly required customers to locate an embedded link and use a multistep confirmation process to complete opt-out requests, required unnecessary information from logged-in customers when exercising their opt-out requests, and did not provide opt-out methods within apps on connected devices.
• Tractor Supply Co. In September, CalPrivacy announced a $1.35 million settlement with Tractor Supply Company to resolve various alleged violations of the CCPA. CalPrivacy alleged that the business had failed to properly disclose consumers’ California privacy rights in its privacy notice and failed to implement required privacy terms in contracts with its service providers. The agency also claimed that Tractor Supply Company’s web opt-out mechanism did not effectuate the opt-outs. Further, Tractor Supply Company’s website allegedly failed to process opt-out preference signals. Finally, CalPrivacy asserted that Tractor Supply failed to notify job applicants of their privacy rights.
• Global Privacy Control (GPC) sweep. Also in September, CalPrivacy and the attorneys general of California, Colorado, and Connecticut announced a joint investigative sweep in which they sent letters to businesses they had identified as potentially in violation with these states’ respective global privacy control requirements. 

Data brokers and data sales. Several states, most notably California, focused on registration and related requirements for data brokers (often broadly defined) and the sale of sensitive data to data brokers. 

• The Delete Act. In California, there was significant enforcement activity under the Delete Act, which requires data brokers to pay an annual fee and register in CalPrivacy’s Data Broker Registry, with penalties for noncompliance of up to $200 per day plus the cost of registration and the CPPA’s investigation and enforcement costs. Enforcement against a number of companies includes cases such as Accurate Append, Inc., Jerico, Key Marketing Advantage, LLC, and Background Alert, Inc. for alleged failure to register as data brokers under the statute. Further, in November, CalPrivacy announced a data broker enforcement “strike force.” This array of actions makes clear that data broker registration and transparency are top priorities of CalPrivacy.
• Location data sales. States also prioritized the sale of “sensitive” data to data brokers. For example, in Texas, the Attorney General sued Allstate, and its subsidiary, Arity, for allegedly collecting, using and selling the geolocation and movement of Texan drivers in violation of the Texas Data Privacy and Security Act. 

Purpose Limitation: New Enforcement Tool. California has begun enforcing compliance with the “purpose limitation” provision in the CCPA. This principle, which has analogues in a number of state privacy laws such as the Colorado Privacy Act, requires that a business limit its use of personal information to the purposes for which the information initially was collected or processed or to another disclosed, compatible purpose “consistent with the reasonable expectations of the consumer.” In the complaint against Healthline, the California Attorney General alleged that Healthline shared that consumers had viewed article titles suggesting potential medical conditions—such as “The Ultimate Guide to MS for the Newly Diagnosed”—with “unseen advertisers and their vendors.” This disclosure of health-related data for “targeted advertising and third-party inferences based on what a consumer was reading” was alleged to violate the CCPA’s purpose limitation principle. Under the settlement, Healthline paid a $1.55 million civil penalty, the largest CCPA settlement to date. The settlement also prohibits Healthline from selling or sharing personal information combined with information about articles read relating to medical diagnoses, such as by disclosing the title of the article or URL, and requires Healthline to notify consumers if it discloses sensitive personal information for advertising purposes and of their right to limit the use of their sensitive personal information and implement a CCPA compliance program and provide the California Attorney General annual assessments for a three-year period. 

National security concerns/data transfers to China. Some states have also focused on national security, particularly in their scrutiny of companies that transfer personal data to or that otherwise have a strong connection with China. 

• In February, the Texas Attorney General announced an investigation into Chinese AI developer DeepSeek regarding its privacy practices and claims about the level of advancement of its AI models, citing the company’s alleged ties to the Chinese Communist Party.
• Nebraska’s Attorney General filed suit against Lorex, alleging the company deceptively marketed its security cameras by failing to disclose that they were manufactured by Zhejiang Dahua Technology Co., Ltd., a Chinese company responsible for both the hardware and software of the devices.

Collaboration among states. As first announced by CalPrivacy, nine states (California, Colorado, Connecticut, Delaware, Indiana, Minnesota, New Hampshire, New Jersey, and Oregon) have joined a formal consortium of privacy regulators to coordinate their investigation and enforcement efforts across their state privacy laws. While states have a long history of behind-the-scenes collaboration on investigations and in forming multistate coalitions to bring privacy and other consumer protection cases under their Unfair or Deceptive Acts or Practices (UDAP) laws, the announcement of such collaboration suggests that such joint endeavors will be an important feature of enforcement of state omnibus privacy laws, and that CalPrivacy will be an active participant in such initiatives.

What the New Year May Bring

In 2026, we expect California to focus on compliance with the Delete Request and Opt-Out Platform online tool by which California residents can ask multiple data brokers to delete their personal information, which goes live in January. Similarly, we expect the focus on compliance with data broker registration requirements under the California Delete Act to continue. Nearly across the board and on a bipartisan basis, we expect to continue their focus on youth privacy and online safety, with ongoing attention to issues like age verification and on companion AI chatbots, which both received increasing attention from legislators and regulators in 2025. States that have been especially active in the last several years, such as Texas, California, and Connecticut, are likely to intensify those efforts, with a broad number of states coordinating their investigative activity. 

This post is part of a series recapping privacy law developments in 2025. Please see the following posts for additional recaps of developments in 2025:

Privacy Law Recap 2025—FTC Enforcement

Privacy Law Recap 2025—State Comprehensive Consumer Privacy Laws

Privacy Law Recap 2025—Data Security

Privacy and Data Security Recap 2025—National Security