ARTICLE
17 April 2026

From Policies To Practice: What Regulators Expect From Privacy Programs

Shook, Hardy & Bacon

Contributor


Privacy regulators from California, Connecticut, Delaware, and Indiana reveal their enforcement strategies and compliance expectations at the IAPP Global Privacy Summit. The panel signals a shift toward deeper operational scrutiny, increased fines, and accelerated multi-state coordination that will fundamentally change how companies approach privacy compliance programs.
Josh Hansen’s articles from Shook, Hardy & Bacon are most popular:
  • within Privacy topic(s)
  • in United States
  • with readers working within the Healthcare, Technology and Securities & Investment industries

During a panel at the IAPP’s Global Privacy Summit, privacy regulators offered candid insights into how they are enforcing privacy laws and laid breadcrumbs for building a compliance program that minimizes legal risks. The panel included participants from CalPrivacy (aka the California Privacy Protection Agency) and the California, Connecticut, Delaware and Indiana Attorneys General offices.

Three Enforcement Signals In-House Teams Should Not Ignore

Regulators delivered a consistent message: enforcement is getting tougher, broader and faster.

  1. Fines will likely increase. Regulators may increase fines because they want to avoid settlements just becoming the “cost of doing business.”
  2. Investigations are expanding beyond public failures. Regulators are scrutinizing how companies internally operationalize privacy compliance, not just the public-facing issues that have dominated prior settlements.
  3. Enforcement activity is accelerating. Regulators are working across states and with larger staffs to supercharge their enforcement work.

What are regulators doing now?

Regulators described an increasingly coordinated, better-resourced enforcement environment that examines both consumer-facing compliance and internal operations.

  • Collaborating Across States. States are talking with each other. They work together, formally and informally, on enforcement and legal interpretation.
  • Staffing Up Rapidly. Privacy headcounts have exploded. Most offices have at least doubled their staff and are adding technologists.
  • Digging Deeper into Operations. Regulators are getting into the weeds. States are looking beyond the publicly viewable aspects of privacy compliance (e.g., privacy policies) to assess whether companies are implementing required internal practices as well.

The panelists noted that a lot of activity is happening behind the scenes and hinted at more announcements to come.

Where are regulators focusing their investigations?

Regulators stressed that their focus areas are generally reflected in settlements and public reports, but investigations routinely expand to new areas once they start.

  • Transparency. Vague, incomplete or misleading disclosures remain a red flag.
  • Sensitive Data. Children's data, genetic data and geolocation data continue to receive greater scrutiny.
  • Opt-Out Rights. California called this the "hallmark" of privacy law, and a frequent source of enforcement actions.

What practical steps can companies take now?

  • Write Simply. Draft privacy policies that non-lawyers can understand.
  • Test Opt-Outs. Regulators emphasized that compliance depends on real-world effect, not design intent. Ensure opt-outs work across devices and browsers.
  • Operationalize Others’ Settlements. Regulators expect companies to learn from recent enforcement actions—even if they were not a party. Use settlements to prioritize privacy-program updates.
  • Stress-test Consent Flows. Companies should ensure consent mechanisms are appropriate for sensitive data, especially involving minors or precise geolocation.
  • Engage Regulators Strategically. Panelists cautioned against vague responses, over-assertion of privilege, or procedural obstruction in response to preliminary fact-finding. Substantive disputes can wait.
  • Monitor Privacy Inboxes. Regulators noted difficulty locating responsive compliance contacts—an avoidable problem that can escalate risk.
  • Conduct Impact Assessments. Panelists noted they often request the assessments, and it is a red flag when the company sends a report dated after the request.

Conclusion

Regulators are signaling that privacy compliance must be operational, tested and owned—not just documented. In-house teams should expect deeper inquiries, higher stakes and fewer opportunities to explain problems away after the fact.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
