State Privacy Enforcement and Litigation in 2025: What Every Business Needs to Know
In 2025, privacy compliance is no longer optional; it is a business imperative. Regulators aren’t just watching tech giants anymore. From retailers and healthcare startups to streaming platforms and SaaS companies, any business that collects personal data is on the radar.
This year, enforcement isn’t just about fines; it’s about strategy. States are teaming up with private law firms, shortening cure periods, and coordinating multi-state actions. That means outdated policies, weak vendor oversight, or gaps in internal controls can lead to multi-million-dollar settlements, aggressive investigations, and lasting reputational damage.
In part one of this series, we’ll break down 2025 privacy settlements and enforcement actions, what they reveal about regulators’ priorities, and what lessons businesses can take away to stay compliant.
2025 Enforcement Cases Across States
California
- $1.55 million settlement with Healthline Media (July 2025)
Violations: Failed to honor consumer opt-out requests (including via cookie banners and the Global Privacy Control signal), used personal data beyond disclosed purposes such as sharing article titles that could imply sensitive health information, and had deficiencies in contracts with third-party vendors.
Takeaway: Health-adjacent companies and those handling sensitive personal data need to pay close attention to how opt-out signals are honored and to ensure data is only shared as disclosed. Don’t underestimate vendor contract obligations; they are a repeated enforcement focus.
- $632,500 settlement with Honda Motor Co. (March 2025)
Violations: Made it difficult for Californians to exercise privacy rights by requiring excessive personal information (e.g., to opt out of sale/sharing), presenting privacy choices in a non-symmetrical way, limiting authorized agents from acting on consumers’ behalf, and sharing data with ad tech vendors without CCPA-compliant contracts.
Takeaway: Privacy choices must be clear and symmetrical. Consumers should be able to reject tracking or opt out just as easily as they can click “Accept All.” Designs that favor acceptance over opting out can trigger enforcement.
- $345,000 settlement with Todd Snyder, Inc. (May 2025)
Violations: Cookie banners failed to work properly, and technical infrastructure misconfigurations (including third-party tracking software) caused a 40-day delay in processing opt-out requests. Consumers were required to provide more information than necessary to process privacy requests.
Takeaway: Enforcement is not limited to tech giants or Fortune 500 companies. Just having a cookie banner isn’t enough; test that it actually works, end to end. Requiring consumers to provide excessive information, such as a government-issued ID, to process an opt-out request is not permitted under the CCPA.
- California Privacy Protection Agency’s (CPPA) first judicial petition to enforce a subpoena (August 2025)
Violations: Tractor Supply Company failed to update privacy policies annually, provided inadequate consumer notices, ignored opt-out requests, and lacked mechanisms to facilitate consumer CCPA rights.
Takeaway: Regulators can look back several years, so outdated policies or ignored opt-out requests can trigger enforcement even long after the original violations. Businesses should keep policies current and ensure mechanisms for consumer rights are consistently functioning.
Connecticut
- $85,000 penalty against TicketNetwork, Inc. (July 2025)
Violations: Failed to provide a clear, compliant privacy notice and did not adequately address regulator concerns during the statutory cure period under the Connecticut Data Privacy Act (CTDPA).
Takeaway: This first enforcement action under the CTDPA shows regulators won’t hesitate to penalize businesses that ignore compliance gaps. Simply having a privacy notice isn’t enough; companies must make sure notices are clear and accurate, and must actively respond to regulator feedback during cure periods to avoid penalties.
Texas
- $1.375 billion settlement with Google (May 2025)
Violations: Unlawfully collected Texans’ sensitive personal data, including geolocation, incognito search history, and biometric identifiers such as voiceprints and facial geometry, without providing lawful disclosure or obtaining proper consent.
Takeaway: This landmark settlement underscores that even the largest tech companies face enormous financial and reputational risk for collecting sensitive personal data without clear transparency and lawful authority. Businesses handling location, search, or biometric data must prioritize consent and privacy-first practices.
- First TDPSA lawsuit filed against Allstate and Arity (January 2025)
Violations: Collected and sold driving data of over 45 million Americans without providing clear privacy notices, obtaining consent, or registering as a data broker under the Texas Data Privacy and Security Act (TDPSA).
Takeaway: This case signals that regulators are watching how companies monetize highly detailed consumer data, like driving behavior, and will hold non-tech industries accountable.
What Regulators Are Prioritizing
Across these cases, clear enforcement patterns are emerging. Regulators in 2025 expect businesses to:
- Process consumer rights requests on time – Businesses must acknowledge and complete requests for access, deletion, or opt-out in a timely manner, providing clear confirmation to the consumer. Delays or unclear responses can trigger enforcement.
- Honor consumer opt-out rights consistently – Tools like cookie banners, the Global Privacy Control (GPC) signal, and other opt-out mechanisms must work reliably for all users.
- Limit data collection and avoid excessive verification – Businesses cannot demand more personal information than necessary to process access, deletion, or opt-out requests.
- Obtain explicit consent for sensitive data – Using or sharing health, biometric, driving, or other sensitive data without clear consumer consent is high-risk and has led to some of the largest settlements.
- Maintain accurate, up-to-date privacy notices – Policies must reflect actual business practices and be updated regularly, typically at least annually. Outdated or misleading notices are frequently cited in enforcement.
- Strengthen vendor and ad tech contracts – Weak or missing contractual protections with third parties are repeatedly cited in enforcement actions.
- Enable consumer rights without unnecessary barriers – Consumers should be able to authorize representatives or agents to act on their behalf, and businesses must enable these requests smoothly.
- Register as a data broker where required – Selling or sharing personal data may trigger registration and transparency obligations; failure to comply is increasingly enforced.
- Respond fully during statutory cure periods – Ignoring or inadequately addressing regulator concerns within the allowed timeframe can trigger penalties.
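The opt-out expectations above come down to a request-handling decision a web application has to make on every page load. As an added example that is not code from the original post or from DataGrail, the following Node.js-style gate treats the Global Privacy Control signal (the `Sec-GPC: 1` request header defined by the GPC specification) as a valid opt-out of sale/sharing, gives it precedence over a stored cookie-banner choice, and returns the list of ad-tech tags that may load. The cookie name `banner_choice`, the tag list, and the plain-object header shape are assumptions for illustration; the gate models an opt-out regime like the CCPA’s and does not model opt-in consent for sensitive data.

```javascript
// Added example, not from the original post. Decides whether third-party
// ad-tech tags may load for a request, treating the Global Privacy Control
// signal as an opt-out of sale/sharing. Only the "Sec-GPC: 1" header comes
// from the GPC specification; the cookie name "banner_choice" and the tag
// list below are assumptions made for this illustration.

// Assumed set of tags whose loading would constitute a "sale" or "share".
const AD_TECH_TAGS = ["adnetwork-pixel", "retargeting-sdk", "analytics-share"];

// Case-insensitive header lookup (HTTP header names are case-insensitive).
// Accepts a plain object like Node's req.headers; multi-valued headers use
// their first value.
function header(headers, name) {
  const wanted = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === wanted) return Array.isArray(v) ? String(v[0]) : String(v);
  }
  return undefined;
}

// The GPC spec defines exactly the value "1" as the opt-out signal; anything
// else (absent, "0", garbage) is not an opt-out.
function gpcOptOut(headers) {
  const v = header(headers, "sec-gpc");
  return v !== undefined && v.trim() === "1";
}

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Resolves the consumer's opt-out status for this request.
// Precedence: GPC signal (opt out) > stored banner choice > default.
// A previous "accept" stored in a cookie must not override a GPC signal
// the browser is sending now; the signal is processed as an opt-out.
function optOutStatus(headers) {
  if (gpcOptOut(headers)) return { optedOut: true, source: "gpc" };
  const cookies = parseCookies(header(headers, "cookie"));
  if (cookies.banner_choice === "reject") return { optedOut: true, source: "banner" };
  if (cookies.banner_choice === "accept") return { optedOut: false, source: "banner" };
  // Opt-out regime: sale/sharing is permitted until the consumer opts out.
  return { optedOut: false, source: "default" };
}

// Returns the ad-tech tags permitted to load for this request.
function tagsToLoad(headers) {
  return optOutStatus(headers).optedOut ? [] : AD_TECH_TAGS;
}

// Demo over constructed requests (not real traffic).
const examples = {
  gpcBeatsAcceptCookie: { "Sec-GPC": "1", Cookie: "banner_choice=accept; session=abc" },
  acceptOnly: { cookie: "banner_choice=accept" },
  rejectOnly: { cookie: "banner_choice=reject" },
  noSignal: {},
  bogusGpc: { "sec-gpc": "0" },
};
for (const [name, req] of Object.entries(examples)) {
  console.log(name, optOutStatus(req), "tags:", tagsToLoad(req).length);
}
```

The point of the precedence order is the failure mode seen in the California cases: a banner that records “Accept All” once and then ignores a GPC signal on later visits is not honoring the opt-out. Testing this gate with a GPC-enabled browser (or by sending `Sec-GPC: 1` with curl) and confirming that no tracking requests fire is the kind of end-to-end check regulators expect.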
Looking Ahead
Enforcement in 2025 is proving that no organization is too small, too new, or too niche to escape scrutiny. Regulators are not only looking at how companies handle data today but also how they’ve handled it for years. Vendor practices, industry norms, or limited resources won’t shield a business from liability.
In part two of this series, we’ll explore expanding enforcement trends and outline key steps businesses can take to strengthen privacy compliance, reduce exposure, and build trust with customers.
With DataGrail, privacy compliance isn’t just a requirement; it’s a strategic advantage. Stay ahead of enforcement, strengthen consumer trust, and safeguard your business. Request a demo with DataGrail to see how.
For real-time insights, peer support, and discussions on the latest state privacy legislation, join Privacy Basecamp, our exclusive Slack community for privacy professionals.
Subscribe to our newsletter to get monthly updates delivered to your inbox.