On April 16, regulators from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon announced the creation of the Consortium of Privacy Regulators, a new collaborative effort focused on the implementation of state privacy laws and the protection of consumers across jurisdictions.
The Consortium includes the state Attorneys General of all seven member states, as well as California’s Privacy Protection Agency, and aims to share expertise, facilitate discussion of privacy law developments and shared priorities, and coordinate efforts to investigate potential violations of applicable state laws. The Consortium is likely to have an outsized effect on the development of privacy enforcement moving forward: members include states that are host to large consumer markets, tech companies, and financial sector firms.
More broadly, the formation of the Consortium demonstrates a few key trends driving privacy enforcement in 2025:
As we have previously reported, in the absence of robust federal enforcement of data privacy laws, state enforcement agencies have filled the gap, launching enforcement actions focused on youth social media addiction, data broker registration, cybersecurity failures, data sales, and other data-related issues.
We expect the Consortium to result in increased focus and frequency to this enforcement activity as states share best practices, pool resources, and share data. Collaboration between state attorneys general is common, but is typically limited to a particular matter or case. The Consortium aims to establish a long-term focus, deep technical expertise, and strategy to enforcement across an entire area of law.
That said, companies should not count federal enforcement out completely: the FTC has signaled that enforcement against tech companies, notably in the realm of antitrust and youth social media addiction, are priorities for the coming year. We expect data privacy concerns to continue to play into the FTC’s agenda going forward.
Notably absent from the Consortium are states that have been active in enforcing their own comprehensive data privacy regimes. 12 of the 19 states with comprehensive data privacy laws have not joined the Consortium. Texas in particular is a notable absence: Attorney General Ken Paxton launched a major data privacy and security initiative in June 2024, establishing a dedicated team for aggressive enforcement of Texas privacy laws, including civil penalties and data protection assessments.
Though the Consortium may eventually expand to include these and other states, their absence from the initial membership roster underscores an important reality: companies must continue to watch, and prepare for enforcement action from, multiple state agencies with different priorities. The Consortium brings together both traditionally “blue” and “red” states, demonstrating that regulating privacy and security transcends partisan divides. While the focus of individual state attorneys general may shift somewhat depending on the characteristics of their legal regimes – as well as the nature of violations they choose to target – robust enforcement is likely to be an enduring feature of the landscape in 2025 and beyond.
To date, the Consortium has not signaled whether it will focus on filing joint lawsuits. That said, the announcement states that the Consortium’s activities will focus on commonalities within the privacy laws of each member. While each member state’s statute has unique features, they all grant consumers core rights and impose similar obligations on businesses to uphold transparency and accountability. These shared elements form the foundation for coordinated investigations and enforcement actions, allowing regulators to leverage common playbooks while respecting jurisdictional nuances.
The Consortium promises to increase the sophistication, coordination, and frequency of state-led enforcement action on data privacy issues. Against a backdrop of increased legislative action in consumer data protection, an uptick in enforcement promises to affect many companies in the years ahead.
At the same time, state cooperation such as the Consortium may lead more companies to advocate for a uniform federal legislation.
