Alert

State Privacy Enforcement Ramp-Up Continues with New Actions in California and Texas

May 8, 2025

State enforcement agencies are keeping the pressure on businesses, with two new enforcement actions announced this week in California and Texas. This activity signals to companies – both within and outside of the United States – that states are actively enforcing their privacy laws. Below, we highlight the two latest actions in California and Texas and flag key takeaways for companies.  

California

On May 6, 2025, the California Consumer Privacy Protection Agency (CPPA or Agency) announced a settlement with a national menswear retailer, Todd Snyder, over allegations that the company’s opt-out and other privacy request processes did not comply with the California Consumer Privacy Act (CCPA). The company has agreed to pay $345,178 in penalties to resolve the allegations and will overhaul its privacy compliance practices. This enforcement action follows the Agency’s first enforcement action earlier this year against Honda, which included similar allegations.   

Key takeaways include:

  1. Ensure that opt-out mechanisms are properly configured and operative. This most recent enforcement action deals in part with the CCPA’s consumer right to opt out of the selling and sharing of personal information, particularly for purposes of behavioral advertising. Specifically, the Order alleges that the company’s opt-out mechanism was not properly configured. Businesses that trigger opt-out requirements under the CCPA should have clear and easily accessible mechanisms for consumers to exercise this right. Further, the Agency’s action makes clear that where businesses rely on third-party privacy management tools, they must actively oversee and ensure the proper functionality of those tools.
  2. Tailor opt-out and other privacy request mechanisms. The Agency alleged that the company collected “more information than necessary” for certain requests and imposed verification requirements for opt-out requests, both in violation of the CCPA. This warns against a “one-size-fits-all” approach to privacy requests; companies should tailor their consumer request mechanisms to ensure compliance with the CCPA’s detailed and specific rules.
  3. Mitigate risk through privacy training. Regular and comprehensive training programs are key for CCPA compliance, and the Agency has included these elements in its settlement agreements.

Texas

Since Texas’ comprehensive privacy law took effect last year, the Texas Attorney General’s (AG) office has been actively enforcing it, along with other privacy laws in the state. Most recently, on May 6, 2025, the AG issued a press release announcing that the office has put several Chinese and Chinese Communist Party-aligned companies on notice regarding potential violations of the Texas Data Privacy and Security Act (TDPSA).

Key takeaways include:

  1. Companies that receive notices of apparent violation should respond quickly. While different states have different approaches to cure periods, the TDPSA provides a 30-day notice and cure period. However, to benefit from the cure period – as the most recent press release makes clear – it is critical for companies that receive notices of apparent violation to respond quickly.   
  2. Privacy notices and consumer rights are key elements of a privacy compliance program. While the specifics of the notices sent to these companies were not released by the AG’s office, the press release reiterates that “[t]he law requires companies to disclose whether they process consumer data, allow consumers to opt out of data collection, and enable consumers to delete their personal data entirely.” All companies subject to the Texas law should review their consumer-facing notices and consumer rights to ensure compliance with the law.
  3. The TDPSA has broad reach. The Texas AG’s focus on Chinese companies indicates that the office is taking a broad view of the TDPSA’s reach. It also is consistent with concerns that are trending at the federal level around foreign adversary access to U.S. personal data.

***

Wiley’s Privacy, Cyber & Data Governance Practice has broad experience in navigating rulemakings and compliance surrounding cutting-edge technology and the evolving legal landscape. For questions about this alert, please contact the authors.
