Since 2011, I’ve attended the International Association of Privacy Professionals’ Global Privacy Summit in Washington, D.C. Each year one session gets everyone talking; this year the honor went to “Direct Insights from U.S. State Privacy Enforcers.” The officials did not hold back on sharing what was top of mind for their organizations and how each would enforce their state’s comprehensive privacy law.

IAPP’s managing director, Cobun Zweifel-Keegan, moderated a panel discussion, which featured:

• Michele Lucan, Deputy Associate Attorney General, Connecticut Office of the Attorney General
• Michael Macko, Deputy Director of Enforcement, California Privacy Protection Agency
• Jill Szewczyk, Assistant Attorney General, Data Privacy and Cybersecurity, Colorado Attorney General’s Office
• Kristen Hilton, Senior Assistant Attorney General, Consumer Privacy & Data Security, Oregon Department of Justice

The following are the top insights from these U.S. State Privacy Enforcers:

1. They know a bad privacy statement when they see one, and they are looking. I often tell clients that a top-notch privacy statement is one of the best risk-mitigating strategies. After hearing from this panel, I intend to double down on this advice. The officials emphasized that at the first signs of trouble, whether in response to a complaint or during research, they look at an organization’s privacy statement. Enforcers noted the following privacy statement red flags:

• Outdated information that has not been updated since their state law was enacted
• Broken or missing hyperlinks embedded in the statement
• Obvious inconsistencies with the data collection in plain view: A prime example is the statement: “We only collect personal information with your consent,” when dozens of cookies are embedded on an organization’s website without any consent mechanisms in place

2. The enforcers have a long list of enforcement priorities, but none of them should be a surprise. The state officials shared extensive lists of enforcement priorities, which align with what we see and hear from federal agencies, including the FTC, HHS, and DOJ:

• Consumer Health Data
• Kids and Teens Data
• Precise Location Data
• Dark Patterns (Deceptive Design)
• Electric Vehicles
• Facial Recognition
• Biometrics
• Algorithmic Bias

3. Each of the enforcers’ set of state privacy laws is unique for good reason. The officials reflected on the drafting choices made for their respective state privacy laws and stressed that unique aspects of each are intentional and signal an area of particular importance to them. For example, Kristen Hilton highlighted the broad rights provided to consumers by the Oregon Consumer Privacy Act, which includes the ability to obtain from an organization subject to the law a list of specific third parties to which the business has disclosed the consumer’s personal data or any personal data.
4. Privacy enforcers are a tight-knit group. They collaborate, share information, and work closely together to protect consumer privacy. This might signal that we’ll see more multi-state privacy-related enforcement actions.
5. The enforcers offer practical tips to consider to help you comply and avoid penalties, such as the following.

• First, ascertain whether the state law applies to your organization.
• Second, do what you need to do, including:
  • Update your privacy statement to provide accurate, clear information about your practices
  • Honor consumer data requests
  • Limit the data you collect to what is necessary
  • Obtain consent for the collection and use of personal information when required
  • Review contracts involving transfer of personal information
  • Train your employees on privacy to keep and maintain compliance
• Finally, if you receive communication from a privacy enforcement official, being proactive, collaborative, and forthcoming may work in your favor. They are obligated to adhere to certain procedures, which can take time, so it is wise to remain patient.

Since the Texas Data Privacy and Security Act and the Oregon Consumer Privacy Act are coming into force for many businesses on July 1, 2024, Montana’s Consumer Data Privacy Act will take effect on October 1, 2024, and many more will follow in 2025, you’d be smart to put these practical tips into practice right away.