**Colleen:** Hi, Jody. How are you?
**Jody:** I'm good. I'm a little tired if I'm totally honest. It's been a long conference. I mean, we're doing this on the Thursday of Summit, and everybody knows Wednesday's the late night.
**Colleen:** Right. It is. Going to be a little bit of a long day.
**Jody:** It's way past my bedtime.
**Colleen:** Me too. Yeah. How's it been for you, the show?
**Jody:** It's been good. It's so much fun reconnecting. It's truly like privacy prom for high school reunion to see people, but then also meet new people.
**Colleen:** Yes. Absolutely. I hope everyone is enjoying the new octopus.
**Jody:** I think so. Yeah. We thank you. If you didn't get one, you should hit up Colleen and maybe we can figure out how to get you one. Jody's the best.
**Colleen:** Us now. I love it. Yes. Our new mascot debuted at this year's summit, so that's fun. So glad. I'm thrilled to have you here, Jody. I think everybody knows who you are, but please, we haven't had you on a privacy huddle yet. You have to tell the viewers what do you do.
**Jody:** So hi, everyone. I'm Jody Daniels. I'm CEO and privacy consultant at Red Clover Advisors, and we are a data privacy consulting company. So we're doing all the privacy operations, so all those long list of to dos and implementations and process and policy and training, that's what we're doing. And then for some companies, we're also that fractional privacy officer. And I guess the fun fact is we're here doing a privacy huddle, but I also have a privacy podcast Yes. Called She Said Privacy, He Said Security, and it drops almost every Thursday. A few exceptions.
**Colleen:** Great. Thank you for sharing. Well, what I wanted to chat with you about today on this little episode, one of the sessions you attended yesterday was chock full of regulator advice and just enforcement advice. I've heard multiple people say that it's one of the best sessions at Summit, and what we try to do in these huddles is bring the info back to folks who couldn't make it. So give us the setup. Who is on the stage?
**Jody:** Well, so there were actually two regulator panels. Okay. I can only imagine what's gonna happen maybe in future years because we have so many states and so many regulators. Right. But panel one was Connecticut and California and then also the FTC. And then the second one was Oregon and Colorado and California again. Really need to know about California. Twice. Twice the fun.
**Colleen:** It's cool. Absolutely. Well, you did a great post on LinkedIn just recapping so many of the tidbits, and I'd like to break into a few of them. One was just the reminder that every regulatory body is putting out sweeps or FAQs and it's not just for fun. They want people to pay attention. K. So can you unpack more what their advice was about?
**Jody:** So first off, if you are not in the loop or paying attention to the enforcement advisories or the FAQs, now's a really great time to get on the mailing list or set a calendar reminder, but that is their hint hint hint. This is what we care about. In fact, some of them aren't even required to create an advisory, and they're doing it because they want people to learn. Like, Connecticut isn't required to put some enforcement advisory together, but they want to be able to educate. In Oregon, they have a lot of different FAQs for consumers and businesses. And I think the consumer piece is actually really important because as much as they want companies to comply, they want consumers to understand what their rights are. Mhmm. And guess what happens when consumers know what their rights are? They actually execute them. Right. Which means then companies have to actually do whatever it is their state says they need to be doing. So number one, go find your state an FAQ and enforcement advisory for the most recent ones. Connecticut just issued a recent one. Oregon also just issued some recent ones. And Oregon is that unique one, right, where you have to have the list of third parties. Yes. So you actually get a choice, but I think about ninety nine point nine percent of companies are gonna pick the option of sharing the total list of third parties it could have gone to. And the idea is to let that consumer have a sense of what companies might have their data. In theory, that was the original point of the law to have it by the individual customer base. That is very, very challenging. I think you're gonna see it more like a GDPR approach. Here's all my subprocessors, but in Oregon and US language, we are calling them, you know, vendors and third parties. 
From a practical standpoint, it's great to hear that the regulators are okay with just providing that full list because speaking from the technical perspective, that's gonna be challenging for companies to give that individualized list to each consumer.
**Colleen:** A hundred percent challenging. If people really find this fun and fascinating, the Oregon regulator also shared you can go find the actual red line document Oh. Where it had this conversation to understand the intent and where it moved to. So you can go Google it online. I think it was SB 619. We're gonna get it in the comments in the show notes.
**Jody:** Yes. I love it. Good. So pay attention to the FAQs, the sweeps, all that. They talked about showing your work. What does that mean when they say show your work? Yeah. Well, it's kinda like math class where if you just guess the answer and you got it wrong and the teacher didn't agree with you, you get no credit. So the idea of showing your work is having policies and having process and explaining maybe there was a decision being made and you documented here was our thought process on, actually, an example that the Oregon regulator used is why Oregon might have been out of scope for you. So if in the privacy notice, they're looking and they see all the states and you left out Oregon, their antennas might go up and say, well, why did you leave us out? They might have an inquiry, and you might be able to show here's the analysis. And they said we would wanna see how did you perform and determine we were out of scope. They wanna see the methodical thought process. Maybe it's the way you're processing data. What was the assessment that was performed to evaluate a vendor or to evaluate that use case? So the ability to show that work is really important. One of the other examples that Connecticut regulator shared, they had an inquiry to someone about their vendor process. Mhmm. And the response was vague. They didn't feel like that company actually had a really good vendor process. Upon further review, the company came, presented, here's our entire process. The regulator then said, oh my gosh. That's a great process. But they didn't show it initially. They could have saved all that time and all that stress for everybody involved. It might feel like, oh, the regulator's out to get you. The regulator's job is to protect consumers. And the regulator didn't pass the law, so they have to interpret the law. 
So if you, the company, have done something, their role is to understand what has been done, to help evaluate, is that okay, is that not okay, and have the conversation.
**Colleen:** Makes a lot of sense. And I think about the responses you wanna give to regulators and the importance of not doing it in this piecemeal way. Right? If you're just giving short like a short text response to what you're doing, if it's incomplete, they're gonna figure that out. They're gonna come back.
**Jody:** Hundred percent. Do not be vague. Yeah. And they said that multiple times. The states are working together. They said that multiple times in all the panels, all the regulators. They have best friends, and they're all working together and they are talking. And then all their little antennas go up when you get an answer that's like that. That's not what they're looking for. The other thing that's really important since we're talking about responses Yeah. Colleen, guess where they're gonna send their inquiry letter. It's that company at privacy dot com. A hundred percent. So people, wherever you have an email, you're going to want to actually check it. That is part of their test to see how is that working. Did you just set it up and do window dressing or privacy washing on the outside and no one ever sees it? Right. So then when you might actually find it and then realize, oh my gosh, I have till tomorrow to respond, you're not gonna get an extension. It's such a good reminder. They're trying to put themselves in the shoes of the consumer, so they're gonna find the same process. They are testing out what that process looks like. Mhmm. And a very simple solution for this is test your process regularly. And, of course, have a process. Let's back up. Have a process. You need a human to test this process. Mhmm. Review it and make sure it works.
**Colleen:** Well, Jody, it's been great getting these highlights from you. Is there anything you'd like to leave our audience with?
**Jody:** So the other piece I think that's just important as a reminder is in those FAQs and regulations, some of the areas we've been talking about for a really long time, there's no wiggle room. Global privacy control, no wiggle room. You need to make sure that works. That was literally said direct from a regulator. Some of the ones that are newer, they're still trying to sort it out. It's a little bit more gray zone. But things that have been here for a while, opt out links, there's really no discrepancy here. Sale and share of data, it's been pretty argued for a while what constitutes both of those. So make sure all of those pieces work. Test your CMP or consent management platform and your software. Make sure it's actually working. And the very final thing is say what you do and do what you say. Literally, one of my favorite lines, but also quoted verbatim from a regulator.
**Colleen:** Well, that's a great note to end on. Jody, it's been a pleasure chatting with you. Thank you. Thank you for stopping by, and have a great rest of the summit.
**Jody:** You too.