During the first full day of panels at the IAPP Global Privacy Summit in Washington, D.C., discussions highlighted a significant turning point in state consumer privacy enforcement. On April 23, 2025, experts gathered to address the implications of nearly two dozen state-level privacy laws that have recently begun to take effect. These laws, which have been passed in various states over the past few years, are now expected to be fully enforced, marking a shift from the previous focus on building compliance programs to a more stringent expectation for companies to adhere to these regulations.
As states transition from initial cure periods, the pressure is mounting on businesses to ensure they are compliant with the growing number of privacy laws. This shift reflects a broader trend in consumer protection, where state authorities are becoming more proactive in enforcing privacy standards.
In related legal news, several high-profile lawsuits are making headlines, underscoring the growing scrutiny of corporate practices concerning consumer privacy. For instance, Rivkin Radler filed a lawsuit on December 18, 2024, in New Jersey District Court against Devco Corporation on behalf of Graco Inc. and Graco Minnesota. The suit accuses Devco of selling counterfeit Graco products, a claim that raises concerns about consumer safety and brand integrity. The case, designated as 3:24-cv-11294, is currently assigned to U.S. District Judge Zahid N. Quraishi.
Meanwhile, in New York, a lawsuit was filed by Zell, Aron & Co. on December 24, 2024, against Hanaco Venture Capital and its executives, Lior Prosor and David Frankel. This legal action alleges that the defendants negligently and fraudulently managed a $1 million investment, raising questions about fiduciary duty and corporate governance. The case, numbered 1:24-cv-09918, has been assigned to U.S. District Judge Vernon S. Broderick.
Another notable case involves the Toronto-Dominion Bank, which is facing allegations of concealing significant deficiencies in compliance with the Bank Secrecy Act and anti-money laundering controls. Filed on December 11, 2024, by Bleichmar Fonti & Auld in New York Southern District Court, this lawsuit highlights the ongoing challenges financial institutions face in maintaining regulatory compliance. The case is identified as 1:24-cv-09445 and is overseen by U.S. District Judge Arun Subramanian.
In Michigan, Crown Castle International is defending itself against a breach-of-contract lawsuit filed on November 25, 2024, by Hooper Hathaway PC on behalf of The Town Residences LLC. The lawsuit alleges that Crown Castle failed to transfer approximately $30,000 in utility payments from T-Mobile, raising important questions about contractual obligations and corporate accountability. This case, designated as 2:24-cv-13131, is currently assigned to U.S. District Judge Susan K. Declercq.
Additionally, a product liability lawsuit has been filed against Electrolux Home Products Inc. by Poulos Lopiccolo PC and Nagel Rice LLP on behalf of David Stern. The lawsuit, initiated on November 26, 2024, claims that the company’s refrigerators have defective drawers and shelving that break and fall apart shortly after purchase. This case, numbered 2:24-cv-08204, is being heard by U.S. District Judge Joan M. Azrack.
In a separate but related issue, Shopify is facing a significant data privacy class action lawsuit in the United States that could reshape how globally active companies are held accountable for privacy violations. The lawsuit, which has been revived after a dismissal by a lower court and a three-judge panel of the 9th Circuit Court of Appeals, claims that Shopify installed tracking cookies on the iPhone of California resident Brandon Briskin without his consent. This case underscores the complexities of jurisdiction in the digital age, particularly as it pertains to consumer privacy rights.
Shopify, a global commerce platform based in Ottawa, Canada, collects a wide range of personally identifiable information (PII) from its users, including names, email addresses, phone numbers, and device information. The company asserts that it implements robust security measures to protect this data and complies with privacy laws such as the General Data Protection Regulation (GDPR). However, Briskin's allegations suggest that Shopify may not be adhering to these standards, raising critical questions about the company’s practices.
The 9th Circuit Court's recent decision to revive the lawsuit has significant implications. It rejected Shopify's argument that it should not be sued in California due to its nationwide operations. The court found that Shopify had deliberately installed tracking software on users' devices, thereby establishing jurisdiction in California. A Shopify spokesman expressed concerns that this ruling could expose online retailers to lawsuits in any jurisdiction, complicating how businesses operate in the digital marketplace.
Briskin's legal team argues that the court's decision enhances accountability for internet-based companies, challenging the notion that a business can evade jurisdiction by operating in multiple states. The majority opinion from the 9th Circuit adhered to the “traveling cookie rule,” which states that companies cannot manufacture jurisdiction by simply conducting business everywhere.
This evolving landscape of privacy enforcement and litigation reflects a growing recognition among states that they need the authority to enforce consumer protection laws against companies that engage with local markets through the internet. As the legal frameworks surrounding consumer privacy continue to evolve, businesses must remain vigilant and proactive in ensuring compliance with both state and federal regulations.
The IAPP Global Privacy Summit served as a timely reminder of the challenges and responsibilities that come with handling consumer data in an increasingly regulated environment. With state laws coming online and significant legal precedents being set, companies must navigate this complex terrain carefully to avoid potential legal pitfalls.
