Top Six Major Privacy Enforcement Trends: A U.S. Legislation Retrospective

Enforcement activity intensifies as U.S. consumer privacy laws continue to evolve and come into effect. In 2023 and 2024 alone, there have been dozens of enforcement actions at the U.S. federal and state levels, some of which reveal or touch on significant throughlines for privacy policy issues, such as what constitutes a privacy violation or the expanding regulatory interest in the risks of collecting, inferring, and using sensitive data. This Retrospective focuses on six major enforcement trends that have recently spoken to key questions or policy issues in the privacy landscape:

1. DoorDash: The Right to Cure Under State Law is Not Absolute: The California Privacy Protection Agency’s second enforcement action provides insight into what constitutes a “sale” under state privacy laws, as well as the limitations of businesses’ statutory ‘right to cure’ alleged violations. 
2. GoodRx, BetterHelp, Premom: Unauthorized Disclosures of Health Information as Breaches: The FTC enforced the Health Breach Notification Rule for the first time since it was finalized in 2009, arguing that unauthorized disclosures of health data can constitute a breach.
3. Betterhelp and Vitagene: Health Information (and Its Sensitivity) is Contextual and Situational: When it comes to companies that process health information that is outside the scope of HIPAA, the FTC demonstrated that personal health information may be created based on context and situation.
4. Epic Games: FTC Focuses on Impact of Design Choices on Teen Privacy: The FTC is wielding its Section 5 authority to protect the privacy of teenagers as Congress continues to consider amending COPPA to establish federal privacy protections for teens. 
5. Cothron v. White Castle: Multiple Actionable Harms from Single Privacy Violations Spur Legislative Change: In Cothron v. White Castle, the Illinois Supreme Court addressed the critical question of when privacy claims accrue under the Illinois Biometric Information Privacy Act, prompting the Illinois legislature to amend the Act’s private right of action. 
6. FTC v. Kochava: How Location Data Sales Impact Privacy Interests: In FTC v. Kochava, the Commission argues that the collection and disclosure of location data can constitute an injury under Section 5 of the FTC Act. 

As an increasing number of state comprehensive privacy laws come into effect and the right to cure sunsets in many state laws, enforcement activity will continue to intensify. The Texas Attorney General has already telegraphed a desire to strictly enforce protections regarding sensitive data. The insights we can glean from existing enforcement trends can allow privacy professionals to better understand the policy environment, prepare proactively, and build resilient privacy programs.

Download the six major enforcement trends Retrospective.