From Policies to Practice: What Regulators Expect from Privacy Programs

During a panel at the IAPP’s Global Privacy Summit, privacy regulators offered candid insights into how they are enforcing privacy laws and laid breadcrumbs for building a compliance program that minimizes legal risks. The panel included participants from CalPrivacy (aka the California Privacy Protection Agency) and the California, Connecticut, Delaware and Indiana Attorneys General offices.

Three Enforcement Signals In-House Teams Should Not Ignore

Regulators delivered a consistent message: enforcement is getting tougher, broader and faster.

  1. Fines will likely increase. Regulators indicated they may seek larger fines so that settlements do not become merely the “cost of doing business.”
  2. Investigations are expanding beyond public failures. Regulators are scrutinizing how companies internally operationalize privacy compliance, not just the public-facing issues that have dominated prior settlements.
  3. Enforcement activity is accelerating. Regulators are working across states and with larger staffs to supercharge their enforcement work.

What are regulators doing now?

Regulators described an increasingly coordinated, better-resourced enforcement environment that examines both consumer-facing compliance and internal operations.
  • Collaborating Across States. States are talking with each other. They work together, formally and informally, on enforcement and legal interpretation.
  • Staffing Up Rapidly. Privacy headcounts have exploded. Most offices have at least doubled their staff and are adding technologists.
  • Digging Deeper into Operations. Regulators are getting into the weeds. States are looking beyond the publicly viewable aspects of privacy compliance (e.g., privacy policies) to assess whether companies are implementing required internal practices as well.
The panelists noted that a lot of activity is happening behind the scenes and hinted at more announcements to come.

Where are regulators focusing their investigations?

Regulators stressed that their focus areas are generally reflected in settlements and public reports, but investigations routinely expand to new areas once they start.
  • Transparency. Vague, incomplete or misleading disclosures remain a red flag.
  • Sensitive Data. Children's data, genetic data and geolocation data continue to receive greater scrutiny.
  • Opt-Out Rights. California called this the "hallmark" of privacy law, and a frequent source of enforcement actions.

What practical steps can companies take now?

  • Write Simply. Draft privacy policies that non-lawyers can understand.
  • Test Opt-Outs. Regulators emphasized that compliance depends on real-world effect, not design intent. Verify that opt-outs actually take effect across devices and browsers, rather than relying on how the mechanism was designed to work.
  • Operationalize Others’ Settlements. Regulators expect companies to learn from recent enforcement actions—even if they were not a party. Use settlements to prioritize privacy-program updates.
  • Stress-test Consent Flows. Companies should ensure consent mechanisms are appropriate for sensitive data, especially involving minors or precise geolocation.
  • Engage Regulators Strategically. Panelists cautioned against vague responses, over-assertion of privilege, or procedural obstruction in response to preliminary fact-finding. Substantive disputes can wait until the facts are on the table.
  • Monitor Privacy Inboxes. Regulators noted difficulty locating responsive compliance contacts—an avoidable problem that can escalate risk.
  • Conduct Impact Assessments. Panelists noted they often request these assessments, and it is a red flag when the company produces a report dated after the request, since that suggests the assessment was created in response to the inquiry rather than as part of ongoing compliance.

Conclusion

Regulators are signaling that privacy compliance must be operational, tested and owned—not just documented. In-house teams should expect deeper inquiries, higher stakes and fewer opportunities to explain problems away after the fact.