New York’s Privacy Enforcer

New York is getting strict on data privacy and security. After a year of fines, fights, and digital defenses, Attorney General Letitia James has released a full directory of website privacy guidance for businesses that operate in New York or target New Yorkers. The guidance warns against dark patterns, explains how to set up website privacy controls, and is meant to keep businesses away from deceptive design practices and out of the sights of opportunistic litigation firms.

Attorney General Letitia James cemented her office as a formidable guardian of privacy and data security last year, wielding enforcement powers with a vigor that sent ripples through corporate boardrooms and tech hubs. As companies scrambled to comply with an ever-tightening web of state and federal privacy laws such as ECPA, James’s office racked up a year of high-stakes settlements, aggressive investigations, and a clear message: in the Empire State, mishandling personal data comes at a steep price. With 2025 underway, her track record offers both a roadmap and a warning for businesses navigating the treacherous terrain of digital trust, and a model for other states that want website operators to act responsibly, honestly, and with proper disclosures.

NY Attorney General Data Privacy Regulations

The numbers alone tell a story of escalation. In 2024, the Attorney General’s office secured over $66 million in settlements tied to privacy and data security lapses, a haul dwarfing previous years. From telecom giants to retail chains, no sector escaped scrutiny as James’s team zeroed in on breaches, deceptive practices, and failures to safeguard New Yorkers’ personal information. It’s a campaign that’s made her a standout among state attorneys general nationwide, who are increasingly stepping into the breach left by a stalled federal privacy framework.

A “Cookie” Banner Year for Breach Busting

The year’s marquee victories came in the realm of data breaches, where James’s office flexed its muscle with multimillion-dollar resolutions. Take the case of Wegmans, the Rochester-based grocery titan, which agreed in April 2024 to pay $400,000 after a cloud security lapse exposed the personal data of 3 million customers and 49,000 employees. Names, addresses, and login credentials spilled into the open through misconfigured storage containers, an error the Attorney General’s office deemed a preventable lapse under New York’s SHIELD Act. Wegmans didn’t just write a check; it committed to a 10-year overhaul of its cybersecurity, including annual third-party audits and stronger encryption. Notably, there was no right to cure: the office went straight to the fine, with remediation layered on top. For operators, the lesson is that access controls on cloud storage fall squarely within the “reasonable safeguards” the SHIELD Act expects, and an open container is treated as a failure to implement them rather than a forgivable accident.

Then there was AT&T, caught in a sprawling breach that compromised call records for nearly all its wireless customers nationwide—tens of millions of them New Yorkers. Alongside 36 other state attorneys general, James extracted a $57 million settlement in October 2024, with New York’s cut at $2.5 million. The deal mandated penetration testing and executive-level security reviews, a sign that James isn’t just chasing fines but systemic change. “Data isn’t just a corporate asset—it’s people’s lives,” she said in a statement at the time, a refrain that’s become her office’s rallying cry.

Beyond Breaches: Targeting Tech Companies

James’s 2024 wasn’t all about breaches—it was also a reckoning for tech giants over how they harvest and wield consumer data. A standout clash came with TikTok, where her office joined a bipartisan coalition of 22 states and the District of Columbia to sue the ByteDance-owned platform in October. The allegations? That TikTok knowingly let kids under 13 onto its app, violating the federal Children’s Online Privacy Protection Act (COPPA), and misrepresented its data practices to parents. New York’s complaint leaned heavily on the state’s consumer protection laws, accusing TikTok of deceptive conduct that endangered young users—a move that could set a precedent for how states tackle Silicon Valley’s darlings.

The TikTok suit wasn’t a one-off. Earlier, in June, James hit X Corp., Elon Musk’s social media behemoth, with a $305,000 settlement over its handling of New Yorkers’ personal data following a 2023 breach tied to the old Twitter infrastructure. Alongside California and New Jersey, New York argued X failed to notify users promptly under the SHIELD Act, leaving them exposed to identity theft risks. The settlement forced X to tighten its breach response protocols, a win James touted as “holding tech accountable.”

Health Data: A New Frontier

Washington state’s My Health My Data Act is widely regarded as the strictest set of health-data privacy rules adopted by any state or country, but New York has shown that enforcement can reach health data without a dedicated statute. Perhaps the year’s most striking pivot was into health privacy, a domain exploding with risk as medical data goes digital. In February 2024, James’s office settled with Healthplex, a dental benefits administrator, for $400,000 after a 2021 phishing attack compromised 234,000 New Yorkers’ Social Security numbers and health records. The deal mandated multifactor authentication and employee training, a template for future enforcement. Months later, in September, Cerebral, a telehealth startup, paid $2 million to New York (part of a $7 million multistate pact) for sharing patients’ mental health data with advertisers without consent, a breach of both state law and trust. Cerebral is also a familiar name in data privacy litigation: it was separately sued by Almeida Law over an alleged violation of the federal ECPA.

These cases underscore a growing focus: sensitive health data isn’t just another commodity—it’s a third rail. With New York lacking a comprehensive privacy law like California’s CCPA, James has leaned on the SHIELD Act and consumer protection statutes to fill the gap, signaling that health-tech firms face the same heat as their Silicon Valley cousins.

The SHIELD Act: James’s Enforcement Hammer

At the heart of this crusade lies the Stop Hacks and Improve Electronic Data Security Act (SHIELD), a 2019 law that’s become James’s battering ram. It mandates “reasonable” safeguards for personal data and swift breach notifications—standards her office has interpreted with teeth. In 2024, SHIELD underpinned settlements like the $450,000 deal with Refuah Health Center, a Hudson Valley provider hit by ransomware in 2021, exposing 250,000 patients’ records. Refuah’s penalty included a 20-year cybersecurity mandate, a term that’s become a hallmark of James’s long-game approach.

The SHIELD Act’s flexibility lets James target a spectrum of failures—weak passwords, unencrypted files, delayed alerts—making it a catch-all for data sins. Critics, including some business groups, argue it’s too vague, leaving companies guessing at compliance. For James, it’s a tool to force accountability in a state where 20 million residents generate a data goldmine.

Will New York Set a National Trend?

James’s 2024 haul isn’t just a New York story—it’s a bellwether for state-level enforcement nationwide. With Congress stalled on a federal privacy law, attorneys general from Texas to Colorado are ramping up, but few match New York’s pace or purse. The $66 million in settlements outstrips most peers, and her multistate coalitions—like the AT&T and TikTok efforts—show a knack for rallying allies. Posts on X as of March 4, 2025, reflect this sentiment, with privacy pros noting James “leading the charge” among state enforcers.

Yet challenges loom. New York’s lack of a CCPA-style law limits her reach compared to California’s Rob Bonta, who wields broader consumer rights tools. And as tech firms lawyer up, protracted battles, like the TikTok suit, could test her office’s bandwidth. Still, James’s repeated enforcement actions last year prove that state AGs aren’t waiting for Washington: in the absence of a federal privacy law, they will act on their own.

Compliance or Consequences

For businesses, the takeaway is stark: New York’s AG isn’t bluffing. The year’s enforcement blitz—spanning retail, telecom, health, and tech—shows no sacred cows. Companies must lock down data, train staff, and brace for audits, or risk joining the settlement roster. As James told reporters in December of last year, “We’re not slowing down—2025 will be about building on this momentum.”

In a digital age where trust is fragile, New York’s privacy enforcer has drawn a line. For the C-suite, it’s a call to action: shore up defenses, or pay the price when Letitia James comes knocking.

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a trial now.