Event Recap – Hot or Cold? A Privacy Enforcement Update
June 17, 2025
Like spring weather in Minnesota, privacy enforcement is difficult to predict—sometimes slow-moving, sometimes striking fast. In his presentation, Hot or Cold? A Privacy Enforcement Update, Gardner Law attorney Paul Rothermel unpacked a range of recent enforcement actions across HIPAA, the FTC, U.S. states, and the European Union. The result: companies can no longer assume enforcement is limited to global tech giants.
Enforcement by the Numbers
Rothermel began with U.S. enforcement trends, highlighting that HIPAA-related penalties remain a top federal risk. Recent actions showed how basic oversights—such as missed risk assessments or improperly secured servers—can lead to six- or seven-figure settlements. The HHS Office for Civil Rights continues to pursue civil monetary penalties for entities that fail to meet security rule and privacy rule obligations.
He also emphasized the FTC’s increasingly aggressive role in health data protection—especially where HIPAA doesn’t apply. Several well-known mental health platforms faced significant penalties for embedding ad trackers that secretly disclosed user health data to platforms like Meta, TikTok, and LinkedIn. In one case, the FTC added a ban on sharing certain health data for advertising purposes—going beyond the typical corrective action requirements.
Rothermel made clear that misleading statements about privacy practices—such as claiming HIPAA compliance or asserting “we never share your data”—can turn routine marketing copy into a deceptive trade practice. That’s how companies find themselves facing both financial penalties and reputational harm.
“It’s not just what you collect or share—it’s what you say about it. Enforcement bodies are laser-focused on promises made, whether on your homepage or in your privacy notice.”
Global Pressure and State-Level Shifts
On the international front, Rothermel detailed how the EU’s GDPR framework has led to thousands of fines—many mid-sized, some quite large—and that even internal missteps, like unencrypted internal data storage, can be considered a reportable breach. In medtech-specific cases, regulators in Sweden and elsewhere have penalized manufacturers for failures in breach notification timelines, due diligence of service providers, and missing impact assessments.
Back in the U.S., states like California and Washington are taking the lead with independent enforcement. The California Attorney General continues to target companies for non-consensual ad tech sharing—particularly where children's data or healthcare service interactions are involved. Washington state’s My Health My Data Act even allows for private rights of action, raising the specter of consumer-led litigation in addition to state oversight.
Takeaways for Companies in FDA-Regulated Industries
Rothermel concluded with practical advice for firms handling sensitive health data:
- Conduct regular risk assessments and data protection impact assessments
- Scrutinize any tracking tools embedded in your websites or apps
- Avoid sweeping privacy promises that overstate compliance
- Carefully vet third-party vendors and implement robust data processing agreements
- Prepare incident response plans that comply with federal and global reporting timelines
These steps are essential not only to avoid enforcement but also to build defensible programs that withstand regulatory review.
Need Help Evaluating Your Privacy Program?
Paul Rothermel works with companies at all stages of data maturity—from startups developing their first privacy notice to multinational manufacturers facing complex international obligations. Whether you're navigating HIPAA, FTC, GDPR, or state-specific laws, contact Paul to strengthen your privacy program, conduct a risk assessment, or assess your exposure under evolving enforcement priorities.