New State Privacy Consortium Signals Stronger Enforcement Efforts Amidst Shifting Federal Approach

Insights

Our insights are intended to discuss in a general nature the legal developments relating to our core areas of practice. Insights should not be construed as legal advice or legal opinion. Furthermore, these matters are continually subject to change, and therefore the information below may not reflect the most current legal developments. Readers should not act or rely upon the information without seeking specific advice relating to their facts and circumstances from legal counsel.

Privacy Law Harry Richt April 24, 2025

Contents show

A significant development in the U.S. privacy landscape has emerged with the formation of a bipartisan consortium of state regulators dedicated to collaborating on the implementation and enforcement of state privacy laws. This move, spearheaded by agencies including the California Privacy Protection Agency (CPPA)—the nation’s only state-level agency solely dedicated to privacy enforcement—suggests a potential shift towards more focused and robust state-driven consumer protection efforts.

Formation of the Consortium

Eight state regulators, comprising the CPPA and the Attorneys General of California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon, have entered into a memorandum of understanding to establish the Consortium of Privacy Regulators. The primary goal is to enhance consumer protection through shared efforts in enforcing state privacy laws. This collaboration aims to leverage pooled expertise and resources, facilitate discussions on privacy law developments and shared priorities, and coordinate investigations into potential violations.

The consortium recognizes the immense value of consumer data but also acknowledges its potential for misuse in ways that can be dangerous and costly to individuals. By working together, the member regulators aim to address these risks more effectively.

Pooling Resources for Stronger Enforcement

The collaboration is made possible by the fundamental similarities across the various state privacy laws, such as consumer rights to notice via a privacy policy, access, delete, and stop the sale of personal information, along with comparable obligations placed on businesses. These commonalities enable a more unified application of privacy protections across jurisdictions.

Michael Macko, the CPPA’s head of enforcement, highlighted the importance of this collaboration, stating, “We’re proud to collaborate with states across the country to advance consistent, streamlined enforcement of privacy protections to address real-world privacy harms”. The consortium will hold regular meetings and coordinate enforcement actions based on members’ common interests.

This coordinated approach, involving the unique expertise of the CPPA and its enforcement of the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), such as in their recent action against Honda, signals a potentially more potent state-based enforcement regime. With numerous states enacting new privacy laws in 2025, this year is expected to be significant for state-level privacy enforcement actions. Experts predict a surge in enforcement, particularly concerning sensitive data processing and responses to consumer complaints.

State Action in the Context of Federal Approach

The strengthening of state-level collaboration comes as the federal approach to privacy regulation appears to be undergoing a shift. Under new leadership, the Federal Trade Commission (FTC) has indicated a move towards a “more balanced approach”. FTC Commissioner Melissa Holyoak stated the agency aims to balance privacy enforcement with promoting technological innovation. The focus will be on enforcing existing laws passed by Congress, such as the Children’s Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act (FCRA), and the Gramm-Leach-Bliley Act (GLBA), and AI, rather than “stretching” legal authorities under Section 5 of the FTC Act.

The FTC’s priorities also include targeting the sale of Americans’ sensitive data to foreign adversaries, working with the Department of Justice on new rules restricting such transfers due to national security concerns. While the FTC intends to continue protecting consumer privacy, its stated emphasis on balancing risks against benefits and fostering innovation suggests a potentially less expansionist enforcement strategy compared to previous years.

Implications for Businesses

The formation of the State Privacy Consortium represents a significant step towards harmonized and potentially more vigorous enforcement of privacy laws at the state level. As state regulators pool resources and coordinate actions, businesses operating across multiple jurisdictions face an increasingly complex compliance environment. This development, combined with the expected lighter touch from federal regulators on some fronts, underscores the growing importance of state law compliance and the need for robust privacy programs that can adapt to evolving state-specific requirements and enforcement priorities. Companies should closely monitor the activities of this consortium and ensure their practices align with the increasingly stringent state privacy landscape.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Insights