
Representatives from the California, Oregon, and Colorado Attorney General (AG) offices participated on a panel last week at the IAPP’s Global Privacy Law conference in Washington, DC. During the panel, they gave insights into their offices’ privacy enforcement priorities. The three states signaled that they are aligned with regard to their enforcement priorities, particularly around children’s privacy and precise location data. The regulators emphasized that businesses should expect increasingly coordinated enforcement efforts across states and stressed the importance of transparent, responsive engagement when dealing with regulatory inquiries.

State-Specific Privacy Developments 

Colorado 

The Colorado AG’s office announced that the state’s cure period has ended. Businesses operating in Colorado should be fully compliant with all elements of the law, as the state signaled that enforcement actions will begin soon.  

Oregon 

Oregon clarified its enforcement timeline, noting that its cure period remains effective until January 1, 2026. During this cure period, the AG’s office will approach violations with an educational focus, sending notification letters to companies about violations and providing them with information about Oregon’s privacy law. Companies typically have thirty (30) days to correct violations, such as failing to honor a consumer’s deletion request. The Oregon AG also highlighted the publication of advisories designed to help industry compliance and mentioned upcoming amendments to the state’s privacy law that will ban the sale of data about children under 16 and prohibit the use of precise location data. Oregon has also published a short report discussing current enforcement priorities and concerns. The AG’s office emphasized the importance of thorough documentation of compliance efforts. It also noted that industry can gain insights by reviewing the marked version of its privacy law in the legislative history, which includes comments explaining the Oregon DOJ’s purpose for each privacy law provision. 

California 

California noted that its enforcement priorities focus on violations that harm vulnerable groups, especially when those violations involve using sensitive information. The California AG emphasized that the state has well-established privacy laws and regulations, making it difficult for companies to claim ambiguity in compliance requirements. In addition, the AG’s office shared that its initial inquiry letters regarding consumer complaints are intentionally designed to evaluate how companies respond to inquiries before determining whether a formal investigation is necessary. This approach means that even seemingly informal communications should be treated with seriousness and prompt attention. 

Common Enforcement Priorities 

Children’s Privacy Protection 

All three state AGs expressed significant concern about children’s privacy, indicating this will be a central enforcement priority. The regulators actively discuss how to better protect children through amendments to existing laws and coordinated enforcement efforts. Oregon specifically highlighted upcoming amendments to ban the sale of data about children under 16, demonstrating the increasing regulatory focus in this area. Companies that collect, process, or share data relating to children should expect particular scrutiny and review their practices accordingly. 

Precise Location Data Limitations 

The AGs consistently identified precise location data as an enforcement priority. Oregon noted forthcoming amendments specifically banning the use of precise location data, and all three states indicated active discussions about addressing concerns in this area. Businesses should review their collection and use of location data, particularly when that data is precise enough to identify specific movements or behaviors of individuals. 

Cross-State Coordination 

The regulators announced a consortium of privacy collaborators last week, formalizing their cooperation across state lines. This coordination includes information sharing and resource allocation, enabling states with fewer resources to benefit from the expertise and findings of better-resourced states. Companies should be aware that a privacy investigation in one state may easily lead to inquiries from others, as the AGs are increasingly working together on enforcement priorities and approaches. 

Technical Expertise Development 

The AGs noted they are hiring data technicians specifically to better understand ad tech and other complex data ecosystems. This investment in technical expertise signals an increasing sophistication in how regulators approach privacy investigations, particularly in complex technical environments. Companies should prepare for more technically informed questions and a deeper understanding of data practices from regulators.

Regulatory Response Best Practices 

  1. Monitor for AG Communications. Check your emails and respond promptly when you receive communication from an AG’s office. Regulators typically send inquiries to the privacy email address listed in your privacy notice, so ensure this address is monitored regularly and that communications are promptly directed to appropriate personnel. Establishing a clear protocol for handling regulatory communications can help prevent missed deadlines or overlooked inquiries.
  2. Engage Constructively. The AGs emphasized their desire for dialogue with companies rather than adversarial interactions. When engaging with regulators, adopt a collaborative approach rather than a defensive or hostile posture. Direct and honest communication builds credibility, while misrepresentations or evasiveness can significantly complicate regulatory relationships and potentially escalate enforcement actions.
  3. Demonstrate Responsiveness. Establish regular check-in schedules with regulators when addressing their inquiries and answer questions thoroughly and directly. Failing to address specific questions will likely result in follow-up requests and potentially increased scrutiny. Maintaining clear communication channels and demonstrating a willingness to engage with regulators’ concerns can help build a productive working relationship.
  4. Plan for Deadlines. Don’t wait until the day before a deadline to respond to an AG’s inquiry. Provide advance notice if you anticipate delays and demonstrate reasonable efforts to comply with requests. Proactive communication about timeline challenges is viewed much more favorably than last-minute delays or requests for extensions.
  5. Take All Communications Seriously. Even informal letters requesting information should be treated as significant. The California AG noted that initial letters about consumer complaints are designed to evaluate how companies respond before determining whether a formal investigation is necessary. The seriousness and thoroughness of your response to initial inquiries may significantly influence whether more formal enforcement actions follow.
  6. Be Transparent. Communicate what documents you have and when you can produce them. Setting realistic expectations about document production helps build trust with regulators and demonstrates your commitment to cooperation. If certain requested documents do not exist or will take significant time to compile, communicate this rather than creating uncertainty or unrealistic expectations.
  7. Address Consumer Complaints Proactively. Monitor patterns in consumer complaints, as these often trigger AG investigations. The regulators noted that reviewing consumer complaints provides insight into potential compliance issues, and proactive remediation may prevent regulatory action. Establishing effective systems for tracking, analyzing, and addressing consumer complaints can serve as an early warning system for potential compliance concerns.
  8. Prepare for a Holistic Review of the Issue. The AGs emphasized that they examine issues holistically rather than in isolation. Privacy violations may also trigger Unfair or Deceptive Acts or Practices (UDAP) claims, which have no cure period. Recognizing the interconnected nature of privacy compliance with other consumer protection requirements can help companies prepare more comprehensive responses to regulatory inquiries.
  9. Assume Good Intentions Initially. When an AG sends a letter, they are typically in fact-finding mode rather than prosecution mode. The regulators emphasized that initial communications are usually designed to understand the facts and work with the company rather than immediately pursuing enforcement actions. Companies should avoid prejudging the situation or the regulator’s intentions and instead focus on providing clear, accurate information.
  10. Ensure Practices Align with Policies. The AGs actively review privacy policies and terms and conditions to evaluate whether stated practices align with actual behaviors. Misalignment between public statements and actual practices creates privacy concerns and potential UDAP violations. Regular reviews of privacy policies and terms against actual practices can help identify and address potential compliance gaps before they become regulatory issues.
  11. Document Compliance Rationales. If you have made good-faith efforts to comply with state law, explain your reasoning and approach. Thoroughly documenting risk analyses and compliance decisions helps demonstrate diligence even if regulators ultimately disagree with your interpretation. Oregon specifically recommended documenting compliance efforts thoroughly and suggested reviewing legislative history materials for insight into regulatory intent.
  12. Apply a Broad Interpretation to “Selling Data.” Consider monetary and non-monetary data exchanges as “sales” for compliance purposes. The AGs emphasized that sharing data in exchange for something of value, even without direct payment, constitutes selling data under most state privacy laws. Evaluating data-sharing practices through this expanded lens can help identify compliance requirements that might be overlooked.
  13. Prioritize Readability in Privacy Policies. Use readability checkers and ensure that privacy policies are accessible and understandable to average consumers. The AGs view incomprehensible privacy policies as potential UDAP concerns separate from specific privacy law requirements. Investing in clear, accessible privacy communications serves compliance and consumer trust objectives.
  14. Recognize States’ Collaboration. States actively share information and resources, meaning a violation in one state may trigger multi-state scrutiny. The recently announced consortium of privacy collaborators formalizes coordination that was already occurring informally. Companies should approach compliance with recognition that practices affecting consumers across multiple states will likely face coordinated regulatory examination.

Key Takeaways for Businesses 

  1. Enforcement is accelerating. Businesses should expect increased regulatory activity and should prioritize compliance efforts accordingly. 
  2. Children’s privacy and location data are priority concerns. Businesses should conduct specific reviews of practices involving children’s data (under 16) and precise location information, as these areas are receiving particular regulatory attention. 
  3. Documentation is crucial. Maintaining clear records of compliance decisions, risk analyses, and the rationale behind specific approaches provides valuable evidence of good-faith compliance efforts during regulatory inquiries. 
  4. Response protocols matter. Developing clear procedures for handling regulatory communications, including monitoring designated contact points and establishing escalation pathways, can significantly improve regulatory outcomes. 
  5. Alignment between policies and practices is essential. Regular audits comparing public statements with actual data practices help prevent the most common violations that trigger both privacy law and UDAP concerns. 
  6. State coordination is increasing. Forming a privacy enforcement consortium means businesses should expect more consistent enforcement approaches and information sharing between state regulators. 
  7. Technical sophistication is growing. States are investing in technical expertise to understand complex data practices better, requiring businesses to be prepared for more technically informed investigations. 
  8. Transparency builds credibility. Open, honest communication with regulators about compliance approaches and challenges establishes trust that can positively influence regulatory outcomes. 

 

The CommLaw Group Can Help!   

Responding to inquiries from state Attorneys General about privacy and consumer protection issues can be tricky and daunting. We are experienced in working with federal and state regulators and can help your organization successfully navigate informal inquiries and investigations.   

The CommLaw Group specializes in data privacy and consumer protection law compliance and helps businesses interpret regulations and develop pragmatic compliance plans to mitigate the risk of receiving inquiries from regulators like state Attorneys General.  

CONTACT US NOW; WE ARE STANDING BY TO GUIDE YOUR COMPANY’S PRIVACY COMPLIANCE EFFORTS 

Susan Duarte: 703-714-1318 | sfd@commlawgroup.com  

Diana James: 703-663-6757 | daj@commlawgroup.com 

 
