
How Can Businesses Comply Without Federal Privacy Standards?

October 22, 2025

Since 2022, KJK has cautioned that the continued absence of federal privacy and cybersecurity legislation poses significant risks to businesses. While Congress continues to drag its feet, other governing bodies have stepped in to fill the void. We have identified other governmental bodies that have enacted jurisdiction-specific laws for companies to follow, shown that a patchwork of state laws makes compliance both difficult and expensive for businesses, and shown that these jurisdictions are actively enforcing their particular privacy and cyber laws. Just last month, the California Privacy Protection Agency fined Tractor Supply Company $1.35 million for failing to (1) provide consumers a proper opt-out mechanism for data sharing/selling, and (2) notify them of their privacy rights under California law. Not complying with state privacy and cyber laws can be very costly.

Navigating State Laws

Most companies take the “play it safe” approach: follow the most restrictive law on each topic, hoping that covers all jurisdictions. But is that really a smart strategy?

  • It might keep you compliant, but it could also mean leaving money on the table by avoiding actions that are perfectly legal, and profitable, in other states.
  • And even if you’re following the strictest law, how confident are you that state laws don’t conflict? Or that a new one hasn’t quietly passed with even tighter rules?

When Compliance Becomes Unclear

What if the strict state law you’re trying to follow is so poorly written that you can’t even figure out what it requires? Sound far-fetched? It’s not.

In October 2025, the U.S. District Court for the Northern District of California faced this exact issue in Jane Doe v. Eating Recovery Center LLC. In that case, the plaintiff had visited the defendant’s website, triggering Meta Pixel, a tool that sends user data to Meta in exchange for services like ad targeting and analytics. She claimed that the undisclosed use of this tool violated the California Invasion of Privacy Act (CIPA), which provides damages of $5,000 per violation or triple actual damages. Both parties sought summary judgment arguing that the undisputed facts required a ruling in their favor under the language of the law.

The court’s response? Total exasperation.

“The language of the CIPA is a total mess. It was a mess from the get-go, but the mess gets bigger and bigger as the world continues to change… we’ve reached the point where it’s often borderline impossible to determine whether a defendant’s online conduct fits within the language of the statute.”

The judge ruled in favor of the defendant, but admitted doing so “without a great deal of confidence.” The Court, like others before it, found that the law, written in 1967, simply doesn’t fit for modern internet technologies.

Consequences for Businesses

Here is the biggest problem. Because this statute, from the gigantic state whose privacy and security laws many businesses use as their regulatory baseline, is a “mess,” a company has no realistic way to confirm compliance short of not using website visitor information at all. Even the federal court recognized this conundrum: the Doe Court specifically recognized that “companies have no way of telling whether their online business activities will subject them to liability.”

That’s not only frustrating, but it also creates real financial risk.

Next Steps

Federal laws regulating technological privacy and cybersecurity might not be perfect, but they would be a massive step forward. Federal regulation could provide:

  • Uniform standards across states
  • Clear definitions of obligations and rights for both companies and individuals
  • Predictable enforcement

Until then, businesses are left navigating a potential legal minefield with blindfolds on.

And still… we wait.

Contact

For guidance on navigating privacy and cybersecurity compliance for your business, contact KJK Partner Brett Krantz (BK@kjk.com) or anyone in KJK’s Cyber Security & Data Breach practice group.