We have become accustomed to headline-grabbing fines of tech giants and established businesses as regulators ramp up their efforts to hold privacy law violators to account. From states' Attorneys General to GDPR regulators, including the Data Protection Authority and the UK Information Commissioner's Office (ICO), regulators across the globe are forcing all businesses to take a long, hard look at their own privacy practices to ensure they are not next.
In this article, we'll unpack key lessons from recent enforcement actions, focusing on the top priorities regulators consider when identifying potential violations. After examining each example, we'll explore key lessons for your business, leading to a practical checklist that can help you stay on the right side of the law, whichever data privacy regime you operate within.
United States: Lessons from State Enforcement Actions
In the United States, there is no overarching federal data privacy law. Therefore, if your business targets residents of any state, you must ensure you comply with that state's regulations. The regulatory picture across the states is constantly changing, and in most states, the Attorney General's office is responsible for data privacy law enforcement.
The following examples from California and Connecticut illustrate how carefully businesses need to tread to ensure data privacy compliance across the board.
California CCPA Violations: Sephora
No discussion of privacy enforcement actions would be complete without an exploration of the 2022 Sephora case. It was the first public settlement under the California Consumer Privacy Act (CCPA), and it highlighted a key lesson: how the CCPA defines the "sale" of data.
California's Attorney General settled with Sephora for $1.2M after alleging that the company "sold" personal information (via advertising/analytics trackers) without giving clear notice. It was also alleged that Sephora did not honor GPC signals (browser signals that say "don't sell/share my data").
The settlement also required Sephora to make a number of operational changes to fix the violations.
The Sephora settlement clarified regulators' interpretations of the CCPA's stance on the following points:
- Definition of Sale/Share under the CCPA/CPRA: Its meaning is broader than just cash-for-data. Disclosing data to third parties (such as adtech/analytics) for valuable consideration or for cross-context behavioral advertising can constitute a sale or a share, triggering opt-out duties.
- Recognition of Global Privacy Control (GPC): As seen below, the California Attorney General Rob Bonta confirmed his office's stance on GPC signals, a browser setting that tells websites you opt out of the sale or sharing of personal data. This CCPA enforcement action showed GPC signals are a valid way for consumers to opt out of data sales or sharing. In practice, that means businesses must configure their sites and apps to automatically honor the GPC signal whenever it's received, without requiring users to take extra steps.
What regulators look for first: The California AG lasered in on consent to the sharing and sale of data, specifically whether there was a functional "Do Not Sell or Share" mechanism and whether GPC was honored. They will also analyze your Privacy Policy to ensure it plainly discloses what is meant by the sale/share of data and how customers can exercise their rights to opt out.
There are a couple of lessons here. Any business targeting California residents must:
- Treat GPC as a live opt-out - wire it to your consent platform and your adtech.
- Map all third-party data flows and ensure appropriate, adequate service provider contracts are in place. If they are not genuine processors, assume they fall under "sale/share" and enable opt-outs.
- Put the "Do Not Sell or Share" link where users can actually find and use it, and test it.
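The GPC handling described above, shown as an added example that is not code from the original article: a server-side decision function that treats the GPC request header as a live opt-out of sale/share, ahead of any earlier on-site choice. The cookie name `privacy_choice`, the tag names and the helper functions are assumptions for illustration; the `Sec-GPC: 1` header and `navigator.globalPrivacyControl` come from the GPC specification.

```javascript
// Added example (not from the original article): server-side handling of the
// Global Privacy Control (GPC) signal so that a site treats it as a live
// opt-out of the sale/sharing of personal data, as the Sephora settlement
// requires. Assumptions (not from the article): the site records an explicit
// choice in a cookie named "privacy_choice"; tag names and helper names are
// illustrative. The signal itself comes from the GPC specification: the
// browser sends the request header "Sec-GPC: 1" (page scripts can also read
// navigator.globalPrivacyControl === true).

// True when the request carries a valid GPC opt-out signal. Only the exact
// value "1" counts; anything else is treated as "no signal present".
function hasGpcSignal(headers) {
  const value = headers["sec-gpc"] ?? headers["Sec-GPC"];
  return value === "1";
}

// Minimal Cookie-header parser (constructed helper; use your framework's).
function parseCookies(cookieHeader) {
  const cookies = {};
  for (const part of (cookieHeader || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name) cookies[name] = decodeURIComponent(rest.join("="));
  }
  return cookies;
}

// Decides whether sale/share tags (adtech, cross-context analytics) may load:
//   - a GPC signal is an opt-out and is honored automatically, even if an
//     earlier on-site choice was "opt-in";
//   - an explicit on-site "opt-out" is honored;
//   - with no recorded choice, tags stay blocked (the checklist's
//     "block non-essential cookies until consent is given" rule).
function resolveSaleOrShare(headers) {
  const choice = parseCookies(headers.cookie).privacy_choice; // "opt-in" | "opt-out" | undefined
  if (hasGpcSignal(headers)) return { allowSaleOrShare: false, reason: "gpc-signal" };
  if (choice === "opt-out") return { allowSaleOrShare: false, reason: "user-opt-out" };
  if (choice === "opt-in") return { allowSaleOrShare: true, reason: "user-opt-in" };
  return { allowSaleOrShare: false, reason: "no-choice-recorded" };
}

// Tags injected into the page. Names are constructed for the example.
const ALWAYS_LOADED = ["first-party-session"];
const SALE_OR_SHARE_TAGS = ["adtech-pixel", "cross-context-analytics"];

function tagsToLoad(headers) {
  const { allowSaleOrShare } = resolveSaleOrShare(headers);
  return allowSaleOrShare ? [...ALWAYS_LOADED, ...SALE_OR_SHARE_TAGS] : [...ALWAYS_LOADED];
}

// Constructed sample request: GPC signal sent despite an earlier on-site opt-in.
const sample = { "sec-gpc": "1", cookie: "privacy_choice=opt-in" };
console.log(resolveSaleOrShare(sample).reason, tagsToLoad(sample));
```

The same decision should feed the consent platform that records the opt-out, so that the "Do Not Sell or Share" status shown to the user reflects the signal the server acted on.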
California AG Employer Sweeps: Tractor Supply First to Be Fined
In July 2023, California Attorney General Rob Bonta issued a shot across the bow to all employers covered by the CCPA. As seen in the press release below, the AG disclosed that large California employers would receive letters requesting details on how they are implementing the CCPA.
In September 2025, Tractor Supply, the nation's biggest rural lifestyle retailer, was fined $1,350,000 by the California Privacy Protection Agency (CPPA), the state's privacy regulator alongside the Office of the AG. It is the largest fine for non-compliance with the CCPA that the CPPA has issued so far. While the AG's office has not linked the Tractor Supply decision to the sweeps it carried out, one of the privacy rights violated concerned job applicants' rights.
Additionally, Tractor Supply was found to have fallen into the same trap as Sephora: it did not provide an easy way for customers to opt out and did not honor GPC signals.
In addition to paying the fine, Tractor Supply was required to implement "broad remedial measures" and have its CCPA compliance certified annually for the next four years.
The takeaway for all businesses, as shown in the CPPA's press release below, is to ensure that Privacy Policies and opt-out mechanisms are fit for purpose. Under the CCPA, data privacy regulations now apply to consumers, employees, independent contractors, and job applicants. So each business must review its practices to ensure there are no weak spots.
Connecticut CTDPA Enforcement: TicketNetwork, Inc.
In August 2025, Connecticut Attorney General William Tong fined TicketNetwork $85,000 and required it to change its practices to comply with the Connecticut Data Privacy Act (CTDPA). This included maintaining records of how it handles consumer privacy requests and providing regular reports to the Attorney General's Office.
As shown below, the Office of the Attorney General first sent a "cure notice" to TicketNetwork in November 2023, just four months after the CTDPA went into effect. The company failed to resolve the deficiencies in time.
What regulators look for first: As another excerpt from the Connecticut AG press release about the TicketNetwork case shows below, Privacy Policies are a particular area of focus. The regulator highlighted the lack of readability of TicketNetwork's Privacy Policy, describing it as "largely unreadable, missing key data rights…" and containing "rights mechanisms that were misconfigured or inoperable."
A secondary area of focus is consumer rights mechanisms. This largely refers to how easy your business makes it for consumers to exercise their rights to opt out of the sale or sharing of their data, to set cookie preferences, and to exercise other rights.
Key Lessons: It pays to heed the following if you do business with Connecticut residents:
- Readable, complete Privacy Policies matter: Regulators will flag policies that are confusing, incomplete, or missing details about consumer rights. Your Privacy Policy should be written in plain English, easy to navigate, and clearly explain how people can access, delete, or opt out of data use.
- Rights mechanisms must actually work: It's not enough to include opt-out links or request forms; they have to function correctly. Broken or hard-to-find tools for exercising privacy rights are treated as non-compliant.
- Documentation and reporting are part of compliance: Under the CTDPA, businesses may be required to keep records of privacy requests, track how they're handled, and share those metrics with regulators.
European Union: Key Priorities for Regulators
While the US does not have a single data privacy regulation, the European Union has one: the General Data Protection Regulation (GDPR). It applies to all member states, plus the countries that form the European Economic Area (EEA), which includes Iceland, Liechtenstein, and Norway. If you do business with residents of these countries, the GDPR applies to you, no matter where you are located.
The following recent examples highlight how you can prepare for auditing and stay on the right side of regulators.
Austria GDPR Enforcement: IKEA
In October 2025, the Austrian Federal Administrative Court confirmed the findings of the Data Protection Authority (DPA) and fined IKEA €1.5 million for video surveillance of shoppers that did not comply with the GDPR. While significant, the fine could potentially have been much higher, with a maximum potential fine of €1.8 billion under GDPR regulations. IKEA is planning to appeal the ruling.
In 2022, IKEA installed cameras that monitored customers at the entrance and checkout of its Vienna store. Following an anonymous complaint, it was found that the cameras filmed public areas in violation of the GDPR and also recorded PIN entries when customers made payments.
What regulators look for first: As the report below from the Vienna-based media company The International indicates, IKEA's big mistake appears to have been activating the video surveillance system before completing a mandatory data protection assessment.
Whether your business is conducting video surveillance or handling personal, potentially sensitive data in any other format, the lesson is clear: Don't do anything until you have completed the data protection assessment process.
Ireland DPA Decision: TikTok Fined
A key principle of the GDPR is that data transfers outside the EEA must be afforded a level of protection that is essentially equivalent to that provided by the GDPR. In May 2025, the Irish Data Protection Commission (DPC), responsible for enforcing the GDPR in Ireland, decided that TikTok had breached the GDPR by transferring EEA user data to China.
Background: The DPC found TikTok transferred user data from the European Economic Area (EEA) to China (including via remote access by staff in China) without verifying, guaranteeing, or demonstrating that the personal data of EEA users was afforded a level of protection essentially equivalent to that in the EU.
The Irish DPA fined TikTok €530 million and gave it 6 months to bring its practices in line with the GDPR.
What regulators look for first: The TikTok case shows all organizations must be ready to answer the following questions:
- Does your organization treat remote access from outside the EEA as a "transfer" of personal data under GDPR? This decision confirms that you must.
- Do your disclosures name all third-country destinations and explain the nature of the processing (including access from outside the EU)?
- Have you conducted and documented a Transfer Impact Assessment (TIA) or equivalent that addresses third-country surveillance laws and ensures "essential equivalence" of protection?
- Are your safeguards (SCCs and supplementary measures) effective and demonstrated, not just on paper?
Key lessons: Similar to the Austria IKEA case, TikTok's mistake began with failing to verify its data transfer procedures before handling user data. As shown in the excerpt below, this meant it could not guarantee or demonstrate that the personal data of EEA nationals was protected.
Therefore, before beginning to process personal data, it is essential to ensure that any planned data transfers to other jurisdictions have been risk-assessed, verified, and documented.
Key Areas Regulators Check First
Across all the cases above, whatever the jurisdiction, certain red flags appear again and again. Regulators rarely start with your legal fine print; they start with what users actually see and experience, and whether your internal documentation supports those public promises.
Here are the top areas regulators tend to review first:
- Transparency and Notice: Is your Privacy Policy clear, complete, and accurate? Regulators consistently cite policies that are vague, hard to read, or fail to explain how data is collected, shared, or transferred.
- User Rights Mechanisms: Are your "opt-out," "delete," or "access" tools easy to find and functional? A broken form or disabled link can be enough to trigger an enforcement action.
- Consent and Opt-Out Flows: Is rejecting tracking as easy as accepting it? Banners that hide or complicate refusal (known as dark patterns) are now high on regulators' radar.
- Sensitive and High-Risk Data: Health, financial, location, and children's data are treated as high risk. Regulators look closely at whether these categories are used for advertising, analytics, or profiling.
- Vendor and Third-Party Contracts: Are your analytics, marketing, or service vendors properly classified and bound by compliant contracts? Gaps here often expose hidden sales or shares of data.
- Data Transfers and Cross-Border Controls: If data leaves its home jurisdiction, are the right safeguards in place, such as Transfer Impact Assessments (TIAs), Standard Contractual Clauses (SCCs), or equivalent protection measures?
- Recordkeeping and Accountability: Finally, regulators want proof. They expect documented data maps, assessment reports, and compliance audits that show your policies aren't just words on a page.
Compliance Checklist for Businesses
Regulator actions reveal that most fines could have been avoided by following basic data protection principles. Use this checklist to test your own readiness:
A. Governance and Documentation
- Maintain a current data map showing what data you collect, where it's stored, and who you share it with.
- Conduct Data Protection Impact Assessments (DPIAs) for any high-risk activity (surveillance, profiling, or children's data).
- Keep a record of processing activities (RoPA) and review it annually.
- Document vendor assessments and verify contractual clauses limit use and require deletion after service ends.
B. Transparency and User Choice
- Ensure your Privacy Policy matches what your systems actually do. No overpromises or vague claims.
- Make opt-out and data rights tools easy to find and test them quarterly to ensure there are no broken links, which the Connecticut AG flagged as a violation in the TicketNetwork case.
- Honor Global Privacy Control (GPC) and other universal signals automatically.
- Provide cookie consent banners with equal "accept" and "reject" options, and block non-essential cookies until consent is given.
C. Sensitive Data and Transfers
- Identify all sensitive data (health, financial, biometric, children, location) and apply stricter access and retention rules.
- Perform Transfer Impact Assessments for any cross-border data flow outside the EEA or UK for GDPR.
- Use Standard Contractual Clauses (SCCs) or equivalent safeguards when exporting data.
- Implement clear internal policies on data retention and deletion.
D. Response and Accountability
- Maintain a privacy request log and track metrics for access, deletion, correction, and opt-out requests.
- Run regular training for staff handling personal data or customer support inquiries.
- Review and update your compliance program at least once a year, or sooner after major regulatory developments.
Crucial Lessons From Privacy Enforcement Actions
The common thread running through every recent enforcement case, from California to Ireland, is simple: regulators enforce what they can see and verify.
If your Privacy Policy, consent flows, and opt-out mechanisms don't match how your systems actually handle data, you're exposed. Paper promises no longer work; regulators now test whether your processes function in practice and whether consumer rights can genuinely be exercised.
The first lesson is that compliance must be operational, not cosmetic. Regulators want to see evidence that privacy protections are built into daily business operations, not added as an afterthought.
The second is that user experience directly affects regulatory risk. The easier it is for consumers to find, understand, and control their personal data, the less likely you are to draw scrutiny. Complex or hidden settings, unreadable privacy notices, or malfunctioning opt-outs are now enforcement triggers.
Finally, proactive governance saves money and reputation in the long run. Every fine, from Sephora's $1.2 million to TikTok's €530 million, could have been reduced or avoided with earlier audits, functional opt-outs, and accurate documentation.
The lesson is clear: think like a regulator. Verify your data flows, simplify your disclosures, and make privacy compliance part of everyday operations rather than a one-time policy update.