States’ Privacy Law Enforcement Moves Echo Pre-SOX Environment

April 27, 2026, 8:30 AM UTC

The California Privacy Protection Agency’s settlement with PlayOn Sports is the latest privacy enforcement action focused on operationalizing enterprise privacy compliance. But this decision goes beyond the executive team by assigning responsibility for privacy governance to the board of directors—which may indicate a need for other companies to evaluate and revise their privacy practices.

On Feb. 27, CalPrivacy settled with PlayOn Sports to resolve alleged violations of the California Consumer Privacy Act, claiming that the media and technology company deployed digital trackers on its ticketing platform without providing appropriate privacy notices or compliant mechanisms for users to opt out of tracking.

In addition to a $1.1 million fine, the settlement requires PlayOn Sports to implement remediation measures, including having its board of directors review and approve risk assessments and identifying the individual directors who reviewed and approved them.

The Federal Trade Commission and other regulators have imposed board-level obligations in previous privacy and cybersecurity enforcement actions and even named officers in orders. But no state regulators have yet included board-level requirements under comprehensive privacy law enforcement actions.

A SOX Parallel

The trajectory of privacy enforcement today bears a striking resemblance to the events that preceded the Sarbanes-Oxley Act of 2002. In the early 2000s, a series of corporate accounting scandals at Enron, WorldCom, Tyco, and Adelphia exposed self-dealing, willful misconduct, and systemic failures in corporate governance, internal controls, and financial reporting.

Congress responded with SOX, which required CEOs and CFOs to personally certify the accuracy of financial statements, mandated robust internal controls over financial reporting, and established the Public Company Accounting Oversight Board to end more than a century of self-regulation in the accounting profession. SOX’s core insight was that compliance could no longer be delegated to back-office functions; it required executive-level ownership and board-level oversight.

The PlayOn Sports settlement signals that privacy enforcement is following a similar arc. The requirement that PlayOn Sports’ board of directors review and approve risk assessments—with individual directors identified by name—echoes the SOX framework in which executives must personally certify compliance rather than merely delegate it.

Drumbeat of Enforcement

Eight state regulators, including CalPrivacy and the California attorney general, formed the Consortium of Privacy Regulators last year to coordinate the implementation and enforcement of state privacy laws across the country.

Members of the coalition and other state regulators have since targeted businesses that allegedly failed to implement opt-out processes. This pattern of escalating, overlapping enforcement mirrors the pre-SOX environment.

In September 2025, CalPrivacy and the state attorneys general of California, Colorado, and Connecticut launched a joint investigation targeting businesses that may be violating state privacy laws by failing to honor opt-out requests submitted through the Global Privacy Control.

About two months later, California Attorney General Rob Bonta announced a $1.4 million settlement with a mobile game app company to resolve allegations that the company’s mobile apps didn’t have compliant opt-out methods.

Some states have identified concerns around operationalizing compliance more generally. The Oregon Department of Justice released an enforcement report last August noting “a trend of technical problems resulting in compliance issues,” such as malfunctioning rights request webforms.

Minnesota Attorney General Keith Ellison reported in February that his office sent warning letters to companies that “identified problems with privacy policies, procedures for honoring consumer data requests, consent mechanisms for collecting sensitive data, and responses to universal opt-out signals.”

Operational Privacy Compliance

There are several ways that businesses can adapt to the changing privacy enforcement landscape.

Invest in recruitment and training. Businesses need directors and senior leadership who are technologically savvy and can help mitigate privacy risks by operationalizing compliance. The SOX experience is instructive: Section 407 required companies to disclose whether they had a “financial expert” on their audit committee, recognizing that effective oversight requires substantive expertise. Companies should consider whether their boards possess comparable artificial intelligence, privacy, and technology expertise.

Data map and maintain data inventories. Privacy compliance is rooted in fundamental governance practices, including data mapping. Regulators expect businesses that leverage data across platforms to also enforce privacy requests across those same platforms. Understanding where data is traveling is key to correctly scoping your privacy program.

Consider privacy rights compliance at the design stage. It’s easier to build privacy compliance into new systems and products than to add it later. Before launching new products and services or implementing systems, consider the steps necessary to comply with consumer privacy rights.

Implement vendor management practices. Third-party vendors don’t relieve businesses of their responsibility to comply with privacy laws. Although processes may shift to vendors, liability may not. Businesses should select compliant vendors, enter into appropriate agreements, and audit vendor compliance. SOX enforcement similarly showed that companies can’t outsource accountability.

Be audit forward. Auditing isn’t a solely backwards-looking process. Maintain logs, policies, contracts, and other governance artifacts that you will need to demonstrate compliance to regulators. SOX’s emphasis on contemporaneous documentation and internal control testing similarly reflects the need to demonstrate compliance in real time, rather than reconstructing it after the fact.

Monitor enforcement priorities and actions. Staying current on enforcement developments can help businesses assess and adjust privacy programs to avoid emerging risks. Enforcement guides and consumer complaint reports signal regulators’ priorities and enforcement risk. Algorithmic pricing remains a state regulatory focus, for example.

Looking Ahead

Privacy enforcement is growing and becoming more coordinated, technical, and demanding. The PlayOn Sports order may indicate the beginning of regulators imposing board-level requirements on companies that violate states’ comprehensive privacy laws.

The SOX analogy offers both a warning and a road map. SOX was born from the recognition that corporate governance failures weren’t isolated but systemic, and that restoring public confidence required pushing accountability to the highest levels of corporate leadership. The privacy enforcement landscape is reaching a similar inflection point.

Companies that internalize this lesson and proactively build board-level privacy governance structures will be better positioned than those that wait for regulators to mandate them.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.

Author Information

Cynthia J. Cole is a partner on Alston & Bird’s privacy, cyber, and data strategy team, where she advises clients across multiple sectors on AI, data privacy, and security.

Dorian W. Simmons is counsel on Alston & Bird’s privacy, cyber, and data strategy team, advising on data privacy, cybersecurity, and AI matters.

Anna von Spakovsky is an associate on Alston & Bird’s privacy, cyber, and data strategy team, focusing on data privacy and cybersecurity matters and technology transactions.


To contact the editors responsible for this story: Jada Chin at jchin@bloombergindustry.com; Daniel Xu at dxu@bloombergindustry.com
