It’s not just plaintiffs’ lawyers.
EDITOR’S NOTE: This is Part Two of a three-part series.
As discussed in Part One of our Privacy Under Fire series, tools such as disclosures and cookie banners can no longer be treated as boilerplate. Recent lawsuits against high-profile companies show how these policies are being used by plaintiffs’ attorneys. In Part Two, we examine how regulators are intensifying scrutiny and compounding the legal risks to businesses.
Why regulators care
A privacy policy isn’t just legal “fine print.” It’s a public commitment about how a company handles consumer information. When an organization says, “We don’t share your personal data,” that statement functions as a promise—to consumers, to courts, and to regulators.
Regulatory agencies increasingly treat misleading or incomplete privacy and cyber-related disclosures as evidence of “deceptive practices,” “material misstatements,” or regulatory violations. Here are some examples:
- The Federal Trade Commission treats misrepresentations (for example, claiming a service is “secure” when it isn’t) as unfair or deceptive under Section 5 of the FTC Act.
- State Attorneys General use Unfair or Deceptive Acts and Practices laws to target misleading privacy statements, dark patterns, and unfair data practices.
- The Securities and Exchange Commission treats misleading or incomplete cybersecurity risk disclosures as potential “material misstatements or omissions” under federal securities law.
The trend is unmistakable: enforcement is shifting from what’s written on the page to whether companies actually live up to their commitments.
Regulatory actions can be costly
A sampling of recent regulatory enforcement actions shows how costly it can be to be targeted over privacy- or cyber-related disclosures.
- DOJ v. Illumina: Earlier this year, under its Civil Cyber-Fraud Initiative, the U.S. Department of Justice alleged that Illumina misrepresented its compliance with cybersecurity requirements and standards applicable to genomic sequencing devices purchased by the federal government. Although the company made affirmative statements of compliance, the DOJ focused on whether those statements were actually true.
Outcome: Illumina agreed to pay $9.8 million plus interest to resolve claims under the False Claims Act and other federal laws.
- SEC v. SolarWinds: After a supply chain attack in 2020, the SEC charged SolarWinds and its Chief Information Security Officer with misleading investors about the company’s cybersecurity practices and potential legal exposure. The SEC alleged that from the time of the company’s initial public offering in 2018 through disclosure of the data breach in December 2020, the company hid critical information about its security risks and cyber incidents. After years of legal battles, the dispute was settled in July 2025.
Outcome: The case was settled, but its lesson stands: cybersecurity assurances that arguably contain material misstatements or omissions can result in significant legal exposure for businesses and, as here, for the individual executives who make them.
- FTC v. Disney: In 2025, the FTC alleged that Disney Worldwide Services and Disney Entertainment Operations violated the Children’s Online Privacy Protection Rule by allowing the collection of children’s personal data on YouTube without parental consent. According to the FTC, the Disney companies labeled videos that were in fact “Made for Kids” as “Not Made for Kids.” The distinction was critical because “Made for Kids” videos were required to comply with the COPPA Rule, which limits data collection and targeted advertising; “Not Made for Kids” videos were not.
Outcome: In September 2025, Disney agreed to pay a $10 million penalty and implement a video-labeling program to prevent misclassification. The settlement, filed in federal court in California, is pending court approval.
Implications for businesses
Just as courts now treat privacy policies and other privacy- and cyber-related disclosures as evidence, regulators view them as enforceable commitments. The risks of non-compliance include the following:
- Regulatory investigations and legal actions
- Fines and penalties
- Reputational harm
- Disruption and legal fees
Regulatory actions can make it easier for plaintiffs to file lawsuits. The reverse is also true: private lawsuits can draw regulator attention and provide the impetus for investigations. This creates a costly “double jeopardy” effect, where one misstep can expose a company to both the risks of litigation and regulatory penalties.
In Part Three of our series, we’ll explore how businesses can avoid and address these risks.
The Constangy Cyber Team assists businesses of all sizes and industries with compliance needs. If you would like additional information, please contact us at cyber@constangy.com.
About the author (Partner): He regularly defends clients in a variety of complex and high-stakes privacy and cyber-related litigation, including class action data breach suits, wire fraud litigation, and employee data theft actions. John’s experience ...
The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation.
