News Detail Banner
All News & Events

Client Alert - Regulatory Enforcement of State Consumer Privacy Laws

December 20, 2024

I.   Introduction

            Many states have passed consumer privacy laws in recent years, and they are coming into effect in cascading waves.  But unlike many areas of law, where meat is put on the bones of new statutes by decisions in cases with private litigants, most of these laws have no private right of action, and are enforceable only by the state Attorney General or (as in California) an enforcement agency.   Although public enforcement has been modest overall, that has started to change in recent weeks.  California had already announced significant settlements of consumer privacy claims, including with Sephora in 2022, Google in 2023, and DoorDash in early 2024.  And within the span of six business days, starting September 30, 2024, the Attorneys General of sixteen states (including Indiana and, perhaps most notably, Texas) either resumed or filed actions against TikTok regarding privacy interests of minors on the platform.  While we are still in the early days of this developing body of law—many of the enacted state laws are not even in effect yet—early enforcement activity suggests clear trends in regulatory priorities, and results.  

This Alert addresses these developments in three parts: 

            First, it surveys recent enforcement activity in five leading states:  California, Texas, Colorado, Illinois, and Washington. 

            Second, it evaluates the most likely areas of significant future enforcement, including by reference to public statements by the AGs addressing their interests and priorities, and to other developments in those and related areas.  These include:

  1. Children and Technology – The very recent actions against TikTok implement a common priority and theme expressed by several Attorneys General: protecting children online.  
  2. Artificial Intelligence – AI is front-of-mind in many areas of the law, especially so in privacy, and particularly so in the privacy implications of data scraping for “training sets.”
  3. Health Information – A sizeable percentage of California’s enforcement actions have addressed data breaches of health care companies, the Colorado Attorney General has raised health information as a priority, and Washington’s My Health My Data Act applies to many areas outside the traditional landscape of doctors and hospitals. These all suggest both a focus on enforcing health-related privacy rights, and a broadening of the data protected as health information.

Third, in closing, it notes that while the newly passed consumer privacy laws are, of course, very important, enforcers are also calling out and relying on older and other new laws that also apply in their priority areas

II.  Most Significant Statutes and Enforcement Activity By State

  1. California

California is the state farthest along in both legislative development and regulatory enforcement in this area.  Its California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) were the first general-purpose consumer privacy statutes passed in the US, its California Consumer Protection Agency the first state-level administrative agency devoted to consumer privacy, and its enforcement actions among the first of their kind. 

  a.         California Statutes, Rights, and Remedies in Play

The basic parameters of the California statutes are by now familiar. 

  • The CCPA[1] provides California residents rights of access, deletion, and “opt-out” of sale,[2] and applies to businesses that collect personal information from California residents and meet at least one of three thresholds:

(1)        gross annual revenue over $25 million,

(2)        the business buys, sells, or shares personal information of at least 100,000 California residents or      households, and/or

(3)        the business derives at least 50% of its annual revenue from selling or sharing California residents’       personal information.[3] 

  • The CPRA adds rights of correction of inaccurate information, and to limit the use and disclosure of sensitive personal information.[4]
  • The statutes also apply to businesses that don’t themselves meet any of these criteria, but control or are controlled by, or share “common branding” with, a business that does.[5]
  • Primary enforcement is by the California Consumer Protection Agency and the Attorney General, both of whom can bring enforcement actions, with a limited private right of action for some cases of data breach. Both have the authority to enforce civil penalties of up to $2,500 per unintentional violation, and $7,500 per intentional violation,[6] as well as Statutory Damages for not less than $100 and not more than $750 per consumer per incident.[7]

    b.         California Enforcement Activity

            California has a history of significant privacy-related enforcement actions, even pre-dating the consumer statutes.  These include Stipulated Judgments against Anthem Blue Cross (for printing Social Security Numbers on customer mailings that were visible through the envelopes)[8]; Kaiser (for data breach of employee records via lost unencrypted USB drive)[9]; Target (for data breach of customer credit card information)[10]; Uber (for data breach concealed from customers)[11]; and Glow, Inc. (for data breach of a fertility tracking app).[12]  

            California has continued enforcement activity under the CCPA/CPRA specifically, with several enforcement actions to date.  Themes and subjects addressed include the following:

  • Opt-Out of Sale.  California’s first settled enforcement action under the CCPA was with Sephora in 2022 for failure to provide adequate notice of sale or process opt-out requests.  Sephora agreed to pay $1.2 million, amend its disclosures, and provide additional mechanisms to opt out (including the Global Privacy Control).[13]
  • Marketing/Data Brokers.  California’s second CCPA settlement was with DoorDash in February 2024, where it agreed to pay $375,000 to resolve CCPA/CPRA claims that DoorDash disclosed customer information through and then beyond co-marketing agreements, including to a data broker, without sufficient notice or opportunity for consumers to opt out of the sale.[14]  Notably, the settlement also relies on the 20-year-old California Online Privacy Protection Act—the first statute to require websites to have a posted privacy policy, and the main reason most websites now do—confirming the law’s continued status as a basis for active enforcement.
  • Location Services.  In 2023, California reached a settlement with Google for “collecting, storing, and using their location data for consumer profiling and advertising purposes without informed consent”—essentially, for continuing to track locations of users who had opted out of location tracking—including a payment of $93 million and other injunctive relief.[15]   
  • Children.  A June 2024 settlement with mobile video game developer Tilting Point Media found that its mobile app game “SpongeBob: Krusty Cook-Off,” marketed to minors, and did not prompt minors to enter their age accurately so as to be directed to the children’s version of the game, thus violating the CCPA and also the federal Children’s Online Privacy Protection Act (COPPA).  The company agreed to pay $500,000 and to certain injunctive relief to resolve the claims.[16]

            In addition to the formally settled enforcement actions, California has also taken a more informal approach of announced “sweeps” of particular industries or issues via letter-sending campaigns.  For example, in January 2024, Attorney General Bonta announced an “Investigative Sweep” of businesses with popular streaming apps and sites, sending letters to those believed to sell their users’ personal information without providing a sufficiently easy mechanism to opt out.[17]  This followed similar letter-sending campaigns from 2023 to large employers following the sunset of the exemption for employee data,[18] and to operators of mobile apps more generally.[19]

  1. Texas

            California has led the way in privacy thus far, but Texas is also staking a claim, with an ambitious announced initiative and equally ambitious first target:  TikTok.

a.         Texas Statutes, Rights, and Remedies in Play

            A June 4, 2024 Press Release from Attorney General Ken Paxton announced a major data privacy and security initiative, establishing a team housed within the State’s Consumer Protection Division and focused on aggressive enforcement of Texas privacy laws.[20]  The initiative will rely principally on the Texas Data Privacy and Security Act, which was effective July 1, 2024, and provides Texas residents with rights of notice, collection, deletion, and opt-out of sale.[21]  It applies to a business that “conducts business in [Texas] or produces a product or service consumed by residents of [Texas],”[22] and is enforceable only by the Texas Attorney General (with civil penalties up to $7,500 per violation).[23]  There is no private right of action.[24]  The initiative also, however, calls out several other state and federal laws, including Texas’ Identify Theft Enforcement and Protection Act, Data Broker Law, Biometric Identifier Act, Deceptive Trade Practices Act, the federal COPPA, and Health Insurance Portability and Accountability Act (HIPAA).

            Helpful to industry, the AG’s announcement identifies the areas of highest interest, within the scope of one or more of these laws.  The most likely future targets will be companies that, Texas will claim, (1) “collect and sell data in an unauthorized manner,” (2) “harm consumers financially,” or (3) “use artificial intelligence irresponsibly.”[25] 

       b.         Texas Enforcement Activity

            Texas’ initiative is a credible threat.  The State has shown itself willing to take action in this area already, notably securing a $1.4 billion settlement from Meta[26] regarding the capture and use of facial recognition software as “biometric data” under the state’s Capture or Use of Biometric Identifier Act (CUBI).[27]  The basic charge was that Facebook created a facial recognition database to train its AI, and didn’t get informed consent from Texans to do so (or, in the complaint’s specific terms, that Facebook “ha[d], for over a decade, built an Artificial Intelligence empire on the backs of Texans”).[28]  As with the privacy statute, CUBI has no private right of action; exclusive enforcement authority lies with the AG.[29]  Texas also piggybacked off of a federal lawsuit filed on similar grounds, In re Facebook Biometric Information Privacy Litigation, No. 3:15-cv-03747-JD (N.D. Cal. 2018), and prior actions in Illinois (under its Biometric Information Privacy Act, paying $650 million[30]) and by the Federal Trade Commission (resulting in billions in fines[31]). 

On October 3, 2024, Attorney General Paxton took the next step in what appears to be an emerging strategy, filing suit against TikTok under the Securing Children Online through Parental Empowerment (SCOPE) Act,[32] claiming that the company failed to (1) properly obtain parental consent for sharing, disclosing, or selling minors’ PII, or (2) provide tools to Texas parents to monitor minors’ online activities.[33]  Similar to the Meta action, Texas followed a 2022 lawsuit filed by Indiana’s Attorney General against TikTok on similar terms—which had been dismissed for lack of personal jurisdiction but revived on appeal on September 30, 2024, just three days before Texas’ filing.[34]  Texas also filed out in front of a coalition of 14 states in coordinated actions against the platform on behalf of minors, all brought on October 8, 2024.[35]

            Clearing a path for further future enforcement, in June 2024, Attorney General Paxton also sent letters to over one hundred companies notifying them of their apparent violation of Texas’ Data Broker Law, which requires “data brokers”—companies that buy, sell, trade, and process individuals’ personal data—to publicly register with the Texas Secretary of State by March 1, 2024.  Attorney General Paxton stated that his office is “taking action to ensure that companies comply with [Texas’] new data broker law, as well as other Texas consumer protection and privacy laws.”[36]

            Texas’ recent actions signal an interest in taking a leadership role in consumer privacy among the states, and a willingness to apply a variety of statutes to that end.[37]  While this creates a moving target on compliance, the AG Office’s stated goals and history both give some guidance.  The goals are directed at making companies more transparent with consumers about how they collect and handle consumers’ data.[38]  And in past actions, Texas generally either followed in the path of similar actions in federal court or in other states (facial recognition and children’s rights), or areas where compliance is binary and easy to check (registration with the State).  

  1. Colorado

            Colorado’s Privacy Act was effective July 1, 2023, and applies to businesses that operate in Colorado or target Colorado residents, and also either collect data from over 100,000 individuals, or monetize personal information in some way and collect personal information from more than 25,000 individuals.[39]  It provides Colorado residents with rights of access, correction, deletion, and opt-out of “sale,” and also requires businesses to obtain consent to collect “sensitive” data, and only collect personal information that is necessary.[40]  It is enforceable by the Attorney General and also District Attorneys, with civil penalties of $2,000 per violation, per consumer, up to a maximum penalty of $20,000 per violation.[41] 

            While there have been no enforcement actions, Colorado’s Attorney General Phil Weiser has been notably active and publicly vocal about the State’s privacy laws and efforts. 

            His office sent a series of letters to businesses shortly after the July 1, 2023 effective date, with reported “emphasis” on businesses collecting sensitive data, and whether businesses are allowing consumers to reasonably opt out of targeted advertising and profiling.[42]  The office made three “template” versions of these letters public, available here,[43] each stating that it is “informative and is not a notice of violation,” and then focusing on different aspects of the statute (one more on notice and consent, another on consent more specific to Sensitive Data and minors including via “Dark Patterns,” and a third for more general application). 

            Attorney General Weiser has also personally given several public statements giving insight into enforcement priorities.  In 2022 prepared remarks to the International Association of Privacy Professionals, in advance of Colorado’s initial rulemaking, he identified as areas of particular focus universal opt-out mechanisms, “dark patterns” for obtaining consent, and data protection assessments.[44]  And in 2024 remarks (sub nom. “Making Progress on Data Privacy: A Colorado Perspective”), he noted particular pride in Colorado being an opt-in state for sensitive data (including “personal data of children under 13, biometric data, mental and physical health data, and protected data related to race, religion, and sexuality”), reiterated concern with ease of opt-out and universal mechanisms, and added a focus on Artificial Intelligence—including notice and consent, bias in training sets, and consumer choice.[45]

  1. Illinois

            Illinois does not have an effective or even pending equivalent of these consumer privacy statutes.  But it does have one statute that remains very important and needs mention here:  its Biometric Information Privacy Act (BIPA).[46] 

            The recent history of BIPA is well-known.  It has detailed requirements of notice and consent for private entities that collect, use, or store biometric data,[47] and—critically—has both a private right of action and statutory damages (remedies include the greater of actual damages, or statutory damages of $1,000 per negligent violation, and $5,000 per intentional or reckless violation).[48]  The first jury verdict under the statute was in October 2022, and returned a finding of 45,600 violations, and—at $5,000 per violation—a damages award of $228 million.[49]  That first award was vacated following post-trial motions, with the district court finding that damages awards must be discretionary (referencing an intervening decision of the Illinois Supreme Court in Cothron v. White Castle, which confirmed that a judge has discretion over damages awards to avoid “annihilative liability”),[50] but was still ultimately settled for $75 million ($1,000 per class member).[51] 

            Even with that tempering, available remedies remain significant, and class actions continue to be filed apace.  As just a few “snapshot” examples, on September 27, there were three BIPA class actions filed in Cook County Circuit Court,[52] two more on October 2,[53] and three more on October 3.[54]

  1. Washington State

            Washington State’s My Health My Data Act, which went into effect in phases beginning in July 2023, marks an effort to expand protections for health data beyond those offered by HIPAA, and to give consumers more agency in controlling access to and use of their health data.[55] 

            My Health My Data applies to entities that (a) conduct business in Washington or provide products or services targeted to consumers in Washington and (b) determine the purpose and means of collecting, processing, sharing, or selling of consumer “health data”[56]—broadly defined to include any personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.[57]  The Act requires companies to prominently display a consumer health data privacy policy, maintain strict data security practices, obtain consumer consent prior to collecting or sharing health data, and collect and share only as much data as is necessary.[58]  Under the Act Washington residents and consumers whose health data is collected in Washington have the right to confirm the nature and use of health data collected and request its deletion.[59]

            While My Health My Data does not lay out specific penalties, it provides that any violation of the Act is a per se violation of the Washington Consumer Protection Act (CPA),[60] which is enforced by the Attorney General as well as through private action.[61]

            While Washington is the first State to pass a privacy-focused law specifying protections for health data falling outside the ambit of HIPAA, with the rise in new apps that track personalized health data, and also growing concerns about the use of health-related data leading to, among other things, discrimination and/or legal action against consumers, companies should expect to see more legislation and enforcement in this area.

III. Future Areas of Enforcement

  1. Minors and Technology

            Initial enforcement interests and efforts of multiple states have focused on the application of technology platforms to their most vulnerable citizens—children.  California’s June 2024 settlement with Tilting Point Media addressed minors.  The Colorado AG’s remarks have identified minors under age 13 as a particular focus.  And the October 2024 actions by Texas and 14 other states against TikTok are all focused on minors.  Protecting children’s interests against new threats online is statutorily favored, supported by research, and, of course, good politics.  Companies that market or otherwise provide services to children should anticipate further enforcement interest—and action—in this area.

  1. Artificial Intelligence / Data Scraping

            Future enforcement efforts will likely not avoid the inevitable pull of Artificial Intelligence.  Many of the leading AI companies are based in California—as are, consequently, many of the leading litigations addressing AI under privacy as well as copyright and other laws.  AI is also one of three topics specifically flagged in Texas as major priorities for its privacy initiative—and credibly so, given the State’s prior action against Meta’s facial recognition efforts. 

            Of particular interest across regulators, courts, commentators, and in general the world at large, is scraping data to train AI, and the application of the new state laws to data scraping remains unsettled.  

Existing litigations have generally been based on privacy rights defined by background state law (common, statutory, and/or constitutional) and have generally not been successful.[62]  The new consumer privacy laws remain untested in this way—including because most do not have private rights of action.  But if they are tested in public enforcement, the claims and defenses may be different. 

  • Each state statute excludes protection for publicly available information in some form, but with variations.  California’s law excludes “publicly available” information, but includes information that has been disclosed but “restricted to a limited audience.”  Virginia’s, Utah’s, and Texas’ laws likewise do not exclude as “public” information that has been disclosed, but “restricted” to a “specific audience.”  That is not, however, the case in Colorado, Connecticut, Oregon, or Montana, where “publicly available” information does not have this additional category, and is defined to include information that a controller “has a reasonable basis to believe” or “has understood to have been lawfully made available” to the public by a consumer.
  • Each law also excludes de-identified data—generally defined as data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such a person.  And California and Utah exclude one additional form of data: aggregated data.  Both laws exclude information “that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer,” or, as further detailed under California’s law, reasonably linkable to any “household, including via a device.”

            The likely battleground of this “public” vs. non-public distinction will, of course, be social media—including the determination whether specific kinds of posts on specific platforms are “public” or maintain “private” status because “restricted” to a “specific audience.”  The outcome of a scraping claim in public enforcement may well turn on the interpretation and implementation of these categories, and those questions will be resolved in the public enforcement context, rather than the more familiar (and often more balanced) context of private litigation. 

  1. Health Care

            Health data continues to be a priority for regulators as well as consumers.  Because of its sensitivity and detail, consumer health data has been a frequent target of hackers—and, consequently, the health industry has been a frequent target of enforcement actions following that breach.  California, for example, has entered into public settlements with each of Anthem (2012 and 2020), Kaiser (2014 and 2023), Cottage Health (2017), Aetna (2019) and Glow (2020).[63]  Washington’s My Health My Data law will only encourage further enforcement focus on this industry

IV. The New Laws—But Not Only the New Laws

              As a closing point, it is notable that recent enforcement actions and initiatives in consumer privacy have not been limited to the “new” consumer privacy statutes.  These laws do create new rights and remedies for consumers, that consumers will exercise, and Attorneys General will enforce.  But for their part, Attorneys General have shown themselves willing to base enforcement decisions on privacy-related laws other than the “new” consumer statutes—for example, California’s settlements have relied on California’s Online Privacy Protection Act and the federal COPPA as well as the CCPA, and Texas’ initiative has also named Texas laws addressing identity theft, data brokers, biometric information, and children’s rights, among others.  In assessing the regulatory environment and legal risk management, companies should of course focus on compliance with the “new” requirements for notice, opt-outs, and the like, but not to the exclusion of other laws, particularly those addressing the subject matters on which Attorneys General have expressed the most interest. 

***

If you have any questions about the issues addressed in this memorandum, or if you would like a copy of any of the materials mentioned in it, please do not hesitate to reach out to:

Thomas Nolan
Email: thomasnolan@quinnemanuel.com
Phone: 213-443-3225

Alexandria Madjeric
Email: alexandriamadjeric@quinnemanuel.com
Phone: 206 905 7079

Miranda Hulka
Email: mirandahulka@quinnemanuel.com
Phone: 312-705-7406

To view more memoranda, please visit www.quinnemanuel.com/the-firm/publications/

To update information or unsubscribe, please email updates@quinnemanuel.com

[1]  Cal. Civ. Code §§ 1798.100–1798.199.100.

[2]  Id. §§ 1798.105, 1798.110, 1798.120.

[3]  See id. §§ 1798.140(d)(1)(A)–(C).

[4]  Id. §§ 1798.106, 1798.121.

[5]  Id. § 1798.140(d)(2).

[6]  Id. §§  1798.155(a), 1798.199.90(a).

[7]  Id. § 1798.150(a)(1)(A).

[8]  Press Release, Attorney General Kamala D. Harris Announces Settlement With Anthem Blue Cross Over Data Breach, (Oct. 1, 2012), https://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-announces-settlement-anthem-blue-cross-over.https://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-announces-settlement-anthem-blue-cross-over

[9]  Stip. for Entry of Final Judgment & Permanent Injunction, California v. Kaiser Foundation Health Plan, Inc., No. RG14711370 (Cal. Super. Ct. Feb. 10, 2024), available at https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/kaiser_stipulation.pdf.

[10]  Press Release, Attorney General Becerra: Target Settles Record $ 18.5 Million Credit Card Data Breach Case (May 23, 2017), https://oag.ca.gov/news/press-releases/attorney-general-becerra-target-settles-record-185-million-credit-card-data.

[11]  Press Release, California Attorney General Becerra, San Francisco District Attorney Gascón Announces $148 Million Settlement With Uber Over 2016 Data Breach and Cover Up (Sept. 26, 2018), https://oag.ca.gov/news/press-releases/california-attorney-general-becerra-san-francisco-district-attorney-gasc%C3%B3n.

[12]  Press Release, Attorney General Becerra Announces Landmark Settlement Against Glow, Inc. – Fertility App Risked Exposing Millions of Women’s Personal and Medical Information (Sept. 17, 2020), https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-landmark-settlement-against-glow-inc-%E2%80%93.

[13]  Press Release, Attorney General Bonta Announces Settlement With Sephora as Part of Ongoing Enforcement of California Consumer Privacy Act (Aug. 24, 2022), https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement.

[14]  Press Release, Attorney General Bonta Announces Settlement With Door Dash, Investigation Finds Company Violated Multiple Consumer Privacy Laws (Feb. 21, 2024), https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-doordash-investigation-finds-company.

[15]  Press Release, Attorney General Bonta Announces $93 Million Settlement Regarding Google’s Location-Privacy Practices (Sept. 14, 2023), https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-93-million-settlement-regarding-google%E2%80%99s.

[16]  Press Release, Attorney General Bonta, L.A. City Attorney Feldstein Soto, Announces $500,000 Settlement With Tilting Point Media for Illegally Collecting and Sharing Children’s Data (June 18, 2024), https://oag.ca.gov/news/press-releases/attorney-general-bonta-la-city-attorney-feldstein-soto-announce-500000.

[17]  Press Release, Attorney General Bonta Announces Investigative Sweep, Focuses on Streaming Services’ Compliance With the California Consumer Privacy Act (Jan. 26, 2024), https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-investigative-sweep-focuses-streaming-services%E2%80%99.

[18]  Press Release, Attorney General Bonta Seeks Information From California Employers on Compliance With California Consumer Privacy Act (July 14, 2023), https://oag.ca.gov/news/press-releases/attorney-general-bonta-seeks-information-california-employers-compliance#:~:text=OAKLAND%20%E2%80%93%20California%20Attorney%20General%20Rob,of%20employees%20and%20job%20applicants.#:~:text=OAKLAND%20%E2%80%93%20California%20Attorney%20General%20Rob,of%20employees%20and%20job%20applicants.

[19]  Press Release, Ahead of Data Privacy Day, Attorney General Bonta Focuses on Mobile Applications’ Compliance With the California Consumer Privacy Act (Jan. 27, 2023), https://oag.ca.gov/news/press-releases/ahead-data-privacy-day-attorney-general-bonta-focuses-mobile-applications%E2%80%99.

[20]  Press Release, Attorney General Ken Paxton Launches Data Privacy and Security Initiative to Protect Texans’ Sensitive Data From Illegal Exploitation by Tech, AI, and Other Companies (June 4, 2024), https://www.texasattorneygeneral.gov/news/releases/attorney-general-ken-paxton-launches-data-privacy-and-security-initiative-protect-texans-sensitive.

[21]  Tex. Bus. & Com. §§ 541.101, 541.102, 541.051.

[22]  Id. § 541.002.

[23]  Id. § 541.151.

[24]  Id. § 541.156.

[25]  Supra note 20 (AG Paxton Press Release).

[26] Press Release, Attorney General Ken Paxton Secures $1.4 Billion Settlement With Meta Over Its Unauthorized Capture of Personal Biometric Data in Largest Settlement Ever Obtained From an Action Brought by a Single State (July 30, 2024), https://www.texasattorneygeneral.gov/news/releases/attorney-general-ken-paxton-secures-14-billion-settlement-meta-over-its-unauthorized-capture.

[27]  Tex. Bus. & Com. § 503.001.

[28]  Complaint at 1, Texas v. Meta Platforms, Inc., No. 22-0121 (Tex. 71st Judicial Dist. Ct. Feb. 14, 2022), available at  https://texasattorneygeneral.gov/sites/default/files/images/child-support/State%20of%20Texas%20v.%20Meta%20Platforms%20Inc..pdf.

[29]  Tex. Bus. & Com. § 503.001(d).

[30]  See Jennifer Bryant, Facebook’s $650M BIPA Settlement ‘A Make-or-Break Moment’, IAPP (Mar. 5, 2021), https://iapp.org/news/a/facebooks-650m-bipa-settlement-a-make-or-break-moment.

[31]  See Lesley Fair, FTC’s $5 Billion Facebook Settlement: Record-Breaking and History-Making, Fed. Trade Comm’n (July 14, 2019), https://www.ftc.gov/business-guidance/blog/2019/07/ftcs-5-billion-facebook-settlement-record-breaking-and-history-making.

[32]  Tex. Bus. & Com. §§ 509.001–509.002, 509.051–509.059, 509.101–509.104, and 509.151–509.152.

[33]  Press Release, Attorney General Ken Paxton Sues TikTok for Sharing Minors’ Personal Data in Violation of Texas Parental Consent Law (Oct. 3, 2024), https://www.texasattorneygeneral.gov/news/releases/attorney-general-ken-paxton-sues-tiktok-sharing-minors-personal-data-violation-texas-parental.

[34]  Indiana v. Tiktok Inc., Nos. 23A-PL-3110 & 23A-PL-3111 (Ind. 2024), available at https://public.courts.in.gov/Decisions/api/Document/Opinion?Id=bzvctIEa1piP7LQm6TLz7kDoOE5nIfsoQfx7RRvU4lRD-S32bDI_5fdu6BM3PbvO0.

[35]  Press Release, Attorney General James Sues TikTok for Harming Children’s Mental Health (Oct. 8, 2024), https://ag.ny.gov/press-release/2024/attorney-general-james-sues-tiktok-harming-childrens-mental-health (coalition of California, Illinois, Kentucky, Louisiana, Massachusetts, Mississippi, New Jersey, New York, North Carolina, Oregon, South Carolina, Vermont, Washington, District of Columbia).

[36]  Press Release, Attorney General Ken Paxton Notifies Over 100 Companies of Their Apparent Failure to Comply With the Texas Data Broker Law That Protects Consumer Privacy (June 18, 2024), https://www.texasattorneygeneral.gov/news/releases/attorney-general-ken-paxton-notifies-over-100-companies-their-apparent-failure-comply-texas-data.

[37]  See Joe Duball, How Texas Strives to be US State Privacy Enforcement Leader, IAPP (Aug. 20, 2024), https://iapp.org/news/a/how-texas-strives-to-be-us-state-privacy-enforcement-leader.

[38]  See supra note 20 (AG Paxton Press Release) (“‘Companies that collect and sell data in an unauthorized manner, harm consumers financially, or use artificial intelligence irresponsibly present risks to our citizens that we take very seriously.  As many companies seek more and more ways to exploit data they collect about consumers, I am doubling down to protect privacy rights,’ said Attorney General Paxton.  ‘With companies able to collect, aggregate, and use sensitive data on an unprecedented scale, we are strengthening our enforcement of privacy laws to protect our citizens.’”).

[39]  Colo. Rev. Stat. §§ 6-1-1301–1313.

[40]  See id.

[41]  Id. § 6-1-1311.

[42]  Press Release, Attorney General Phil Weiser Launches Enforcement of Colorado Privacy Act (July 12, 2023), https://coag.gov/press-releases/attorney-general-phil-weiser-launches-enforcement-of-colorado-privacy-act/.

[43]  https://coag.gov/resources/colorado-privacy-act/.

[44]  Prepared Remarks: Attorney General Phil Weiser at the International Association of Privacy Professionals (Apr. 12, 2022), https://coag.gov/blog-post/prepared-remarks-attorney-general-phil-weiser-at-the-international-association-of-privacy-professionals-april-12-2022/.

[45]  https://coag.gov/blog-post/prepared-remarks-3-5-24/#_ftnref5.

[46]  740 Ill. Comp. Stat. 14/1–14/9.

[47]  Id. 14/15.

[48]  Id. 14/20.

[49]  Rogers v. BNSF Railway Co., 19 C 3083, 2022 WL 854348 (N.D. Ill. Mar. 22, 2022).

[50]   Rogers v. BNSF Railway Co., 680 F. Supp. 3d 1027, 1042, 1049 (N.D. Ill. 2023).

[51]  Stephen Joyce & Skye Witley, BNSF Settles Illinois Biometric Privacy Case for $75 Million, Bloomberg Law (Feb. 27, 2024).

[52]  Sellers v. Beggars Pizza Franchise LLC, 2024-CH-9103 (employer fingerprint scans to clock in and out of work); Richardson v. GP Transportation Co. dba GP Transco, 2024-CH-9109 (biometric cameras in trucks); Warren v. Stratas Foods LLC (physical exam pre-condition of employment).

[53]  Cross v. Kehe Distributors LLC, 2024-CH-9211 (biometric cameras in trucks); Hollins v. Bison USA Corp, 2024-CH-9212 (same).

[54]  Shaffer v. SRS Distribution Inc., 2024-CH-9226 (biometric cameras in trucks); Wallace v. Sargent Logistics Inc., 2024-CH-9236 (same); Riggi v. All 1 Service Inc., 2024-CH-9232 (employer face scans to clock in and out of work).

[55]  Wash. Rev. Code  §§ 19.373.005–19.373.900.

[56]  See id. § 19.373.005.

[57]  Id. § 19.373.010.

[58]  Id. §§ 19.373.020–19.373.030, 19.373.050–19.373.080.

[59]  Id. § 19.373.040.

[60]  Id. §§ 19.86.010–19.86.920.

[61]  Id. § 19.373.090.

[62]  See, e.g., X Corp. v. Ctr. for Countering Digital Hate, Inc., No. 23-CV-03836-CRB, 2024 WL 1246318 (N.D. Cal. Mar. 25, 2024); J.L. v. Alphabet, No. 23-CV-3440-AMO, 2024 WL 3282528 (N.D. Cal. June 6, 2024) (motions to dismiss granted, and privacy claims dropped from putative class action).

[63]  Privacy Enforcement Actions, Cal. Dep’t of Justice, https://oag.ca.gov/privacy/privacy-enforcement-actions.