Skip to Content
Client Payment

Events In the News

Enforcement: On the Horizon

on Tuesday, 27 May 2025 in Technology & Intellectual Property Update: Arianna C. Goldstein, Editor

On Wednesday, April 23, while attending the IAPP Global Privacy Summit 2025, we had the opportunity to hear Stevie DeGroff, First Assistant Attorney General, Technology and Privacy Protection Unit at the Colorado Attorney General’s Office, Kristen Hilton, Senior Assistant Attorney General, Consumer Privacy and Data Security of the Oregon Department of Justice, and Michael Macko, Deputy Director of Enforcement at the California Privacy Protection Agency (each a “Representative” and collectively, the “Representatives”) discuss enforcement developments in “Read the (Regulatory) Room: Navigating US State Privacy Enforcement Concerns.” The Representatives, sharing their own opinions not necessarily representative of the views of their respective agencies, provided insight into what businesses can expect in the realm of consumer data privacy law enforcement.

The panel was well formed with different viewpoints arising based on the length in which each Representatives’ consumer data privacy laws had been in place, with the California Consumer Privacy Act (“CCPA”) being the longest standing and the Oregon Consumer Privacy Act (“OCPA”) being the newest on the panel, still in its cure period. The common theme, however, was that businesses should expect to see enforcement efforts ramping up.

The California Representative referenced the California Privacy Protection Agency’s (“CPPA”) recent settlement with American Honda Motor Co., Inc. (“Honda”) as what businesses can expect if they find themselves out of compliance with the CCPA. In the CPPA’s first settlement, Honda was required to change its privacy practices and pay a $632,500 fine. The theory being that businesses subject to CCPA have had years, and access to regulations, to come into compliance. The Colorado Representative emphasized a similar approach, citing that businesses subject to the Colorado Privacy Act (“CPA”) and its supporting regulations have had sufficient time to bring privacy practices into compliance.

Conversely, however, OCPA is still within its “cure period” until January 1, 2026. During the cure period, the OCPA grants business a 30-day window to cure violations identified by the Oregon Department of Justice. The Oregon Representative did indicate that, with the help of its technologist, it will be monitoring business practices and sending out violation letters and requests for additional information while the cure period is in effect. Further, that businesses looking for guidance on complying with the OCPA should turn to the Colorado regulations for assistance.

Regardless the stage of the consumer privacy act in place, it sounds like businesses can expect an increase in enforcement efforts relying on interagency collaboration. We will continue to monitor for any significant data privacy enforcement developments.

Halle A. Hayhurst
back

1700 Farnam Street | Suite 1500 | Omaha, NE 68102 | 402.344.0500

Law Firm Website Design