New Year, New Enforcement
With several state data privacy laws taking effect this year, including in both Iowa and Nebraska, enforcement of these laws is on the horizon. As organizations build out their compliance frameworks, enforcement in other states with privacy laws already in effect provides insight into enforcement priorities. While Iowa and Nebraska have cure periods of 90 and 30 days, respectively, violations leading to enforcement may be difficult to cure within these periods, making active compliance all the more important.
California
California has been the most active in enforcement and, by beginning to issue Enforcement Advisories in the latter half of 2024, has indicated where it plans to focus future enforcement:
- Data Minimization. A principle of the CCPA (and Iowa and Nebraska’s laws) is the concept of data minimization, which means that no more information than necessary is collected to carry out the purpose of the processing. This minimization principle also applies to effectuating a consumer’s data rights. The CPPA, the CCPA’s enforcement authority, has observed that businesses are collecting more information than necessary in connection with data requests. For example, in verifying an individual’s identity for deletion purposes, the business should generally avoid collecting any new elements of personal information to verify the individual’s identity.
- Dark patterns. Another foundational principle of the CCPA (and Iowa and Nebraska’s laws) is avoiding dark patterns in connection with any user interfaces that require consent. In practice, this means that the option of choosing a more privacy-protective choice should be symmetrical to the choice of a less protective option. Put another way, a consumer should not be confused into making a less protective choice, nor additionally burdened in connection with a privacy-protective choice. For example, in opting out of the sale of personal data, it would be a dark pattern for the consumer to have to take more steps to opt out than to opt back in to the sale.
Colorado
While we do not yet have any public enforcement actions in connection with the CPA, the Colorado Attorney General, in 2023, mailed letters to businesses educating them on their obligations under the law. These letters named the following obligations, which indicate where enforcement may be centered:
- Obtaining consent before processing sensitive data (this is similarly a requirement of Nebraska’s law);
- Providing consumers their data rights (these are requirements of Iowa and Nebraska’s laws);
- Providing consumers with a reasonably accessible, clear, and meaningful privacy notice (these are requirements of Iowa and Nebraska’s laws);
- Utilizing data minimization principles in collecting personal data (these are requirements of Iowa and Nebraska’s laws).
While enforcement is not constrained to these items, they are noteworthy because they provide a glimpse of what enforcement authorities see as a priority. Nebraska and Iowa enforcement may follow a similar path, so organizations should consider focusing on these principles of compliance.