https://www.techtarget.com/searchcio/news/366623335/Regulators-urge-businesses-to-cooperate-on-data-privacy-laws
Data privacy law regulators want U.S. businesses to be transparent and communicative.
That's the advice state regulators gave during the IAPP Global Privacy Summit 2025, which brought together regulators, data privacy experts and chief data privacy and compliance officers in Washington, D.C., last week. The U.S. has not adopted a federal data privacy law. However, companies still have to navigate comprehensive data privacy laws in 20 U.S. states, as well as global data privacy laws like the EU's GDPR.
Should a company receive notice of violating one of the U.S. state data privacy laws, regulators often welcome conversations with companies on the inquiry, said Michele Lucan, deputy associate attorney general at the Connecticut Office of the Attorney General. Regulators aren't "trying to play gotcha," and are open to hearing additional background information from companies, she said during a panel discussion at the conference.
Vague responses from companies "will always guarantee follow-up," she added.
"When companies put their best foot forward responding to our information requests and tell a good story and give us the information we need, those are the types of circumstances that lend toward those closures, and they do happen," she said.
Asking regulators what they're interested in and attempting to understand the scope of an investigation sets a negative tone, said panelist Michael Macko, deputy director of enforcement at the California Privacy Protection Agency (CPPA). Instead, proposing solutions to comply with a regulator's subpoena, listing compliance challenges the business faces, and asking questions about preferences or recommendations the regulator's office has for complying with the law helps in resolving problems, he said.
"That, to me, is much more constructive and less likely to aggravate a regulator," he said.
Lucan said her office primarily focuses on reviewing data breaches and improving companies' data security practices while also enforcing the state's comprehensive data privacy law. Her office led and contributed to settlement negotiations in cases against Uber, Equifax, Experian and T-Mobile. She said a good way to figure out what's on a regulator's mind regarding data security is to review settlements.
"That will show you from a data security standpoint what our priorities are," she said. "Things like governance, vendor management, patch management, access controls -- all of these terms are on display in our settlements."
For consumer data privacy law compliance, Lucan said businesses need to keep a few things top of mind, such as incorporating transparency provisions for data collection and use, providing consumer opt-out options for data sharing and minimizing the data collected.
The office's recently released enforcement report provides a "good roadmap for what we're paying attention to right now," she said.
In California, Macko said the agency has been involved in six enforcement actions over the last few months. CPPA fined Honda $632,500 in March 2025 for requiring excessive personal information from Californians for identity verification, as well as sharing consumers' personal information with ad tech companies without privacy-protecting contracts.
Pointing to the Honda case, Macko cautioned businesses against working with third-party vendors without first ensuring that those companies comply with privacy-protecting practices and laws.
"We have so many third-party platforms that exist to work with businesses," he said. "If you have a third-party vendor you are working with, you need to understand how that vendor works. You need to understand for yourself whether the solution is, in fact, compliant with the law."
Macko said he expects to see more states working together on data privacy, as there are "commonalities among these laws that are inescapable."
"A trend you'll see and a priority for us will be increasing that collaboration among states to tackle these problems," he said.
Makenzie Holland is a senior news writer covering big tech and federal regulation. Prior to joining Informa TechTarget, she was a general assignment reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.
29 Apr 2025