Regulator priorities: notice, consent & opt outs | Data Privacy This Week

In this episode of the Privacy Huddle, Alysa Hutnik and Colleen Barry unpack the biggest takeaways from the California Lawyers Association 2025 Privacy Summit.

Summary

The California Lawyers Association annual privacy summit surfaced clear signals from state regulators: notice failures remain the single biggest consumer complaint — people still cannot figure out how to exercise their privacy rights — and regulators view notice as the essential gateway to all downstream consent obligations. Despite being a foundational requirement, policy updates frequently lag behind the proliferation of new state laws, each carrying unique specifics such as Colorado’s requirement to disclose whether a company honors the Global Privacy Control. Regulators emphasized these gaps are easy to spot, making notice a natural starting point for any enforcement sweep.

Opt-out mechanics drew equally sharp attention from the regulator panel. Five years into CCPA enforcement, state attorneys general said opt-out failures appear in every single investigation — and expressed frustration at still needing to issue reminders. Practitioners were urged to personally test their opt-out flows end to end, understand the actual back-end operational consequences when a consumer exercises that right, and retest periodically, since updates to third-party vendor configurations can silently break a previously compliant process without anyone intending it.

Two further themes rounded out the event. A growing call emerged to hold privacy tech vendors accountable for overstating capabilities — particularly around persisting consent signals across every device, browser, and system — as buyers become more sophisticated and move decisively beyond cookie-banner thinking. Separately, a CPPA representative on a clean-room panel made clear that regulators will look inside the clean room itself, not just at what data enters and exits: the nature of the processing, the identity of the provider, and the contractual evidence underpinning the relationship are all fair game for regulatory review.

Transcript

**Colleen:** Hi, Alysa. How are you doing today?

**Alysa:** Hi. Good to see you again.

**Colleen:** Looks like you're back at home. I'm sure that's nice after all your travel.

**Alysa:** Oh, I so appreciate it. I so appreciate it. Road warrior that I am.

**Colleen:** I'm still on the road. The Ketch team is in New York City today. We have a nice dinner with customers and new faces tonight, so it should be fun to get together in person. I thought for today, we could talk a little bit about last week's California Lawyers Association annual privacy summit. It was Ketch's first time attending. You were absolutely right. I see why you called it the best kept secret. It was a great little conference. You know, for two days, I have to say, it packs so much on point content that drives the discussion forward as opposed to just recapping things we know already. And then the who's there, like, just the hallway conversations, you couldn't talk to just a better community of privacy practitioners.

**Alysa:** No doubt. And I think I heard organizers say they capped it at two hundred, which is just such a nice size to get to speak with everyone. It was awesome. Yeah. Absolutely.

**Colleen:** Yeah. So let's just dive into some of the best takeaways. And I think the regulators is one of the places to start. Right? Because they kicked off the first day with just an all star panel, from multiple states talking about what's important to these US state attorneys. I think the number one thing I've heard them talk about is the importance of notice. Right? It's the most public and easy to see priority. They still say it's the number one complaint they get from consumers. People can't figure out how to exercise their rights. So I thought that was interesting because it's just such a basic fundamental thing, but regulators are still saying not every t is crossed on this topic.

**Alysa:** Not every t is crossed. Sometimes there's just so many obligations that folks are trying to tackle that the annual update can get missed, but also just so many new state laws and really thinking about some of these states have unique requirements and making sure that your policy really directly addresses those requirements and your privacy portal. There's just a lot of opportunity, I think, where some of that can get missed. And as you noted, it's visible. It's the easiest thing for the regulators to check.

**Colleen:** Yeah. I recall the Colorado regulator being very specific about one of those examples, which is, right, different from California. For Colorado, you have to know whether or not you accept GPC, and not everybody's taking the time to update that in their policies.

**Alysa:** Or, yeah, you could just test GPC across companies, and I think you would find there are probably some gaps there.

**Colleen:** Yeah. Absolutely. They talked about notice really being the gateway issue to consent, which is still something that's a challenge. Right? They talked about, in California, the requirements for minors, certain uses of sensitive and personal data. Also, a lot of discussion on the design and dark patterns. And maybe some confusion, I think, around that from the audience, right, where only California and New Jersey are defining dark patterns in the law, and it's not actually super crystal clear for a practitioner on how to think about that.

**Alysa:** All the state AG's offices, they talk to each other. They talk to each other monthly. So even if in one state it doesn't say dark patterns, dark patterns is the modern word for deceptive practices, which they all have under their UDAAP laws. And that is how they're looking at it, but really from a modern eye. And so I think sometimes we're using a block disclosure or things that we've done in the past without taking a 2025 look at that flow and user experience and saying, does this meet what today's requirements are as opposed to requirements maybe from several years ago?

**Colleen:** The other thing that really caught my eye was just the amount of time the regulators spent talking about opt outs. Right? I think one of them said, we've been enforcing CCPA for five years. We shouldn't be having to remind anyone that their opt out mechanism is insufficient. But based on their tone, it seems like they still are having to remind people, and they said it's a focus in every single one of their investigations.

**Alysa:** Yeah. That's the common thread, and we've talked about that a lot. It continues to be the most actively enforced issue in California, but I would say it comes up in all of my other states. And I think the practitioner's note there is test your own process and understand what the operational consequences are when somebody does opt out. Right? What is happening on the back end specifically, not just what you're told what happens, but what is actually happening. And then every few months, test it again because the stuff is dynamic, and often it's unintentional lapses that end up getting me in trouble. Unintentional for sure.

**Colleen:** And I recall on another panel of law firms, they talked a lot about the importance of understanding your vendor. Right? It was nice to hear one of them say, hey. It's time for us to hold privacy tech vendors accountable. Not every one of them can really help you persist these opt out choices and consent choices across every device, across every browser, across every system. And so it seems like, frankly, vendor claims and overstating capabilities is hurting the privacy professionals' understanding of how tech can actually help.

**Alysa:** Yeah. I mean, I think this is just the evolution of the market and buyers getting more sophisticated. What problem am I trying to solve, and does this solution solve that problem? I think we're just beyond cookies at this point, and people are starting to understand that and press to make sure that what they're paying for really works for what they need.

**Colleen:** Yeah. And that makes me think at the Ketch table, right, the little exhibit table area of the conference, that was a very common thread of conversations. Folks coming up to us talking about beyond cookies. Like, sounds like you guys understand website data collection. Can you actually tell me about, like, pixel versus tag? And then we were having a lot of conversations. In fact, our head of product, Max Anderson, was even sketching a couple diagrams on the back of our sell sheets. And we've talked about this in the past too, which is just you kinda gotta get a little technical to understand these concepts.

**Alysa:** I think that's such a good point, but think of where we were maybe a year, year and a half ago. It was only about cookie banners. That is what people wanted to talk about. They didn't wanna talk about anything beyond cookie banners. And now I think there's an understanding that you do have to talk about more than cookies. And getting into the details and figuring out, oh, okay. It also covers that. So let me think about my back end practices. How would I account for that if I'm trying to manage an opt out for a consumer? You can maybe just think about cookies in the cookie banner if all you need is just the checkbox here. Now the kinds of conversations regulators are having on that stage shows the sophisticated way they're looking at this, and so that's why we have to go back and say, hey. The banner might not be enough.

**Colleen:** Yeah. I think that's so right. I think the C+ version is no longer acceptable. And there's — I don't know if there's grade inflation, but there's certainly attention to making sure that your best foot is put forward. Right. Right. We'll see if they grade on a curve. Right? We don't know.

**Alysa:** I will say on my panel, I had a representative from the CPPA, and she was fantastic. And I had two publishers. We really got into just use cases of clean rooms, but I'll say the one takeaway. Yes. What happens in the clean room is going to be looked at. That was emphasized. It's not the magic of clean room and only focus on what goes in what goes out. The what is happening in terms of what the clean room is actually doing matters. Who the clean room provider is, what is the contract. Essentially, what are the receipts? What is the evidence you would use to be able to defend your position as to that processing or that relationship? So I thought that clarity was really helpful.

**Colleen:** Well, Alysa, great to catch up with you. Any final thoughts on the couple days in LA with this great group of professionals?

**Alysa:** Even if the secret is out, I just look forward to this conference each year, and I do think it will continue to get bigger. And if you zoom out, what does that say in terms of overall demand for knowledge about privacy? I think that that's positive. I'm really optimistic about the future and what that holds as a result.

**Colleen:** Me too. Great way to end it. Well, thanks, Alysa. Have a great week. Talk to you soon.
