Top Risks & Latest Enforcements in the US

In today’s digital world, every business has a privacy footprint. As more state privacy laws come into force, regulators are turning their attention toward websites and the technologies running behind the scenes.
In the first session of the Website Privacy Series by Privado AI, Ali Jessani, Counsel at WilmerHale, joined Vaibhav Antil, CEO and Founder of Privado, to break down where businesses are getting privacy wrong and what they need to focus on to reduce legal exposure.
Ali leads the cybersecurity and privacy practice at WilmerHale in Washington, D.C., advising clients on compliance, litigation risk, and regulatory response. In this blog, we summarize the most practical insights shared in the webinar and help you understand what enforcement trends you need to care about in 2025.
Key Takeaways
- California and Texas are setting the tone for aggressive state-level privacy enforcement in the U.S.
- Laws like the My Health My Data Act and new DOJ rules are expanding what “sensitive data” means and who is responsible for it.
- Privacy teams need more visibility into website trackers and must collaborate across marketing and engineering to stay compliant.
Why Privacy Compliance Can’t Be an Afterthought
Vaibhav Antil kicked off the webinar with a simple reminder: most companies are flying blind when it comes to privacy risks on their websites. Pixels, cookies, and SDKs are often deployed by teams that never loop in privacy or legal.
Ali Jessani confirmed this from his own practice:
“We’re seeing lawsuits and regulator action where the business didn’t even realize what was being collected. But that’s not a defense anymore.”
Today’s enforcement landscape includes new rules, updated interpretations of old ones, and growing attention from regulators across multiple states. The days of “we’re not a data company” are over.
California: Leading the Charge on Enforcement
California has long been the privacy trendsetter in the U.S., and 2025 is no exception.
Ali broke down how the California Privacy Protection Agency (CPPA), a dedicated data privacy regulator created by the CPRA, is already enforcing the law. Notably:
- Honda was cited for using dark patterns and improperly sharing data with ad tech companies.
- Todd Snyder, a fashion retailer, was penalized for failing to honor user opt-out requests.
The takeaway? Even common UX design choices can become legal liabilities.
Looking Ahead in California:
- Expect more CPPA investigations in addition to action from the California Attorney General.
- New rules on automated decision-making and cybersecurity audits are in the works.
- A universal opt-out mechanism is set to roll out in 2026 via the Delete Act.
Texas: An Unexpected Privacy Enforcer
Texas has quietly become one of the most aggressive privacy enforcers:
- $1.4B settlement with Google for alleged misuse of biometric data.
- Investigations into connected car companies and children’s data handling.
- Use of unfair and deceptive practices law to go after AI and health data misuse.
Ali pointed out that Texas is combining multiple legal tools (biometric laws, children’s privacy, and UDAP statutes) to build cases. It’s a reminder that even companies that think they're operating within the law can be exposed on multiple fronts.
Maryland & Washington: Raising the Bar for Sensitive Data
Maryland’s Law:
- Goes into effect in late 2025.
- Sets a “strict necessity” standard: data use must be essential to deliver a service.
- Prohibits selling sensitive data and bans discriminatory uses.
This is a big deal for AI use cases, targeted ads, and anything outside of basic service delivery.
Washington’s My Health My Data Act:
- Covers non-HIPAA health data like fitness tracking, inferences from shopping data, or even browsing behavior.
- Comes with a private right of action, meaning consumers can sue directly.
- Already triggered a class action suit against Amazon over its SDK’s use in third-party apps.
Expect copycat laws in other states, like Nevada and Virginia, which are passing their own rules on health and reproductive data privacy.
Legal Risk from Pixels, SDKs, and Trackers
If your site uses a tracking pixel, web analytics, or video advertising SDK, you’re on the radar.
Plaintiffs’ lawyers are leaning on old laws like:
- California Invasion of Privacy Act (CIPA)
- Video Privacy Protection Act (VPPA)
- State wiretap laws that require two-party consent
Ali highlighted that even “background” tools like tag managers or misconfigured cookie banners can trigger compliance problems if they fire before consent is collected.
And it’s not just theory: massive settlements and class actions are happening in real time.
DOJ Bulk Data Transfer Rule: A New Kind of Risk
This new Department of Justice rule, effective April 2025, prohibits bulk sensitive data transfers to countries deemed national security concerns (e.g., China, Russia, Iran).
Here’s what makes it different:
- “Data brokerage” is defined broadly. Even a U.S. website sending visitor data to a server in China could be in violation.
- Includes vendor relationships, employment contracts, and investment deals.
- Comes with criminal penalties—not just civil.
The DOJ has said it will only pursue willful violations for now, but most companies aren’t willing to bet on that leniency lasting.
Common Questions from Privacy Teams
What about GPC (Global Privacy Control)?
Yes, California regulators have mentioned this in enforcement. If your site doesn’t honor it, you could face scrutiny.
Can I skip a “Do Not Sell” link if my privacy policy says we don’t sell?
If you’re truly not selling or sharing under CCPA definitions, no link is required. But Ali emphasized the need for due diligence—definitions are broader than most expect.
How do I harmonize a global privacy policy?
Ali recommended grouping the U.S. states (except California) together and treating GDPR separately. Washington and health-specific laws might require their own disclosures.
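As an added example (not code from the webinar, Privado or WilmerHale), the following JavaScript shows the two website-side controls raised above: gating non-essential tags on recorded consent and on the Global Privacy Control signal (`navigator.globalPrivacyControl` in the browser, the `Sec-GPC` request header server-side), plus an audit that flags tags that fired before consent was recorded. The tag-to-category map and the event log are constructed sample data.

```javascript
// Added example, not from the webinar: consent gating and a "fired before consent" audit.
// GPC is exposed as navigator.globalPrivacyControl (browser) or the Sec-GPC header (server).

// Constructed map of tag identifiers to the purpose they serve.
const TAG_CATEGORIES = {
  'tag-manager': 'necessary',   // loading the container itself
  'ga4': 'analytics',
  'meta-pixel': 'advertising',  // sale/sharing under CCPA definitions
  'video-sdk': 'advertising',
};

// True when the visitor has turned on Global Privacy Control.
function gpcSignalled(env) {
  if (env.navigator && env.navigator.globalPrivacyControl === true) return true;
  const header = env.headers ? env.headers['sec-gpc'] : undefined;
  return typeof header === 'string' && header.trim() === '1';
}

// Decide whether a tag may run. `consent` is the stored choice ({analytics, advertising})
// or null when the visitor has not answered the banner yet.
function mayFire(tagId, consent, env) {
  const category = TAG_CATEGORIES[tagId];
  if (!category) return false;                 // unknown tag: deny by default
  if (category === 'necessary') return true;
  if (category === 'advertising' && gpcSignalled(env)) return false; // GPC is an opt-out of sale/sharing
  return consent !== null && consent[category] === true; // no recorded consent means nothing fires
}

// Audit a page-load event log: every non-essential tag that fired before the consent
// event (or with no consent event at all) is the misconfiguration discussed above.
function tagsFiredBeforeConsent(events) {
  let consentAt = null;
  for (const ev of events) if (ev.type === 'consent') { consentAt = ev.t; break; }
  return events
    .filter(ev => ev.type === 'fire' && TAG_CATEGORIES[ev.tag] !== 'necessary')
    .filter(ev => consentAt === null || ev.t < consentAt)
    .map(ev => ev.tag);
}

// Constructed sample log (milliseconds since page load).
const SAMPLE_EVENTS = [
  { t: 100, type: 'fire', tag: 'tag-manager' },
  { t: 120, type: 'fire', tag: 'meta-pixel' },  // fired before the banner was answered
  { t: 300, type: 'consent', categories: { analytics: true, advertising: true } },
  { t: 320, type: 'fire', tag: 'ga4' },
];
```

Run the audit against your real tag-manager event log rather than the constructed one; any tag it returns is a candidate for the pre-consent firing the webinar warns about.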
Final Thoughts
Ali wrapped the session with a clear call to action: privacy risk isn’t isolated to one team or department anymore. If you’re handling employee data, running a website, or using AI, you’re in scope.
The rules are getting more detailed, the enforcement more aggressive, and the definition of “sensitive data” broader than ever.
Whether you’re in legal, privacy, marketing, or engineering—visibility into your website’s data flows and consent behaviors is no longer optional.
FAQs
1. Is pixel tracking a compliance risk?
Yes, especially if used without proper consent. Pixels that collect location, health, or user behavior data can trigger wiretap, CIPA, or VPPA violations.
2. What is “strict necessity” under Maryland’s law?
It means data can only be used if essential to deliver a product or service. Secondary uses like ad targeting or AI training may be banned.
3. What’s the DOJ’s stance on vendor contracts?
Vendor contracts must include clauses to prevent onward data transfers to countries of concern, or the entire transaction could be in violation.
4. Can GPC be ignored?
No. California regulators expect it to be honored, and ignoring it has already appeared in enforcement actions.
5. Is GDPR compliance enough for U.S. companies?
No. While it helps, U.S. laws like the CCPA require different disclosures, links, and consent structures not covered by GDPR.
Summary
U.S. privacy enforcement is expanding rapidly, with California, Texas, and Washington leading the charge. Companies can no longer afford to treat website privacy as a one-time setup or legal formality. With increasing pressure from litigation, state regulators, and even national security rules, visibility and proactive monitoring are critical.
This session—led by Ali Jessani from WilmerHale and Vaibhav Antil from Privado AI—offered a real-world breakdown of the privacy landscape in 2025 and how legal, privacy, and marketing teams can better align on risk management.
If you’re managing a website or app, this isn’t a future problem. It’s already here.