Nebraska, Minnesota, Kentucky, Arkansas, and Utah Sue Tech Companies for Privacy Violations
Several states — including smaller offices with limited staff and budgets — are teaming up with outside law firms that specialize in complex technology and privacy litigation. These partnerships are reshaping how states bring cases against tech giants and data-driven platforms.
Nebraska, Minnesota, Kentucky, Arkansas, and Utah have each leveraged private firms to sue major tech platforms. One of the most eye-opening examples is a proposed $1.38 billion settlement between Texas and Google LLC, in which the contracted firm stood to earn roughly $371 million in contingency fees. In another case, the District of Columbia’s 2022 settlement with Google brought in about $9.5 million, of which one private firm, Edelson, received approximately $1.9 million. (We’ve spoken to Edelson and alerted them that even they were not compliant with privacy laws; they said they’ve passed this on to their general counsel to use our software but have yet to fix it. We will update if/when they do.)
In short, smaller AG offices are outsourcing heavy legal lifting to experienced outside firms capable of bringing sophisticated technical expertise, forensic capabilities, and litigation experience that state teams often lack.
Why This Trend
The trend is driven by several pragmatic and strategic considerations:
- Resource constraints: Many state AG offices admit their consumer divisions are small. As Nebraska’s AG put it, his consumer unit has “six or seven lawyers” handling a vast range of issues—making it difficult to go toe-to-toe with multi-billion-dollar technology firms.
- Technical expertise: Privacy and cybersecurity cases demand deep understanding of data systems, algorithms, and tracking infrastructure. Private firms can offer forensic and technical teams that states lack.
- Financial efficiency: Contingency models reduce risk for taxpayers. States only pay if a settlement or judgment is won, creating a low-cost path to potentially massive recoveries.
- Political signaling: In an era of heightened scrutiny on Big Tech, partnering with private firms allows states to show aggressive enforcement momentum—particularly when voters demand visible privacy protections.
- All firms on high alert: Not just big tech but also mid-market companies are under fire, receiving demand letters and notices for privacy violations. Companies using Captain Compliance’s software have been protected, but those without proper data privacy software have been at risk.
The Promise and the Concern
On the promise side, this model empowers smaller and mid-sized states to participate meaningfully in privacy enforcement. It levels the playing field between under-resourced AG offices and multibillion-dollar corporations. It also acts as a deterrent, signaling that even states without comprehensive privacy laws are willing to litigate.
“Don’t ignore the states that don’t necessarily have privacy laws because you’re not safe.”
But the model also raises ethical and structural questions:
- Motivations and outcomes: When private firms stand to earn enormous payouts, critics question whether public-interest outcomes—like real behavioral reform—are being overshadowed by profit motives.
- Substance of settlements: Some deals, such as the Texas–Google case, reportedly required no changes to business practices, suggesting revenue, not reform, may be the driving factor.
- Case shopping: Observers claim private firms may “shop” potential lawsuits to states, influencing which cases get pursued.
- Transparency: Outsourced litigation can blur accountability. The public may have limited insight into how firms are selected, how fees are structured, or how settlements are negotiated.
What Data Controllers Should Do For Compliance
For companies operating in the data privacy ecosystem—whether as data controllers, service providers, or tech platforms—this enforcement model carries several implications:
- Expanded enforcement risk: Even states without broad privacy statutes may pursue major litigation by outsourcing cases to private firms.
- Higher reputational and financial exposure: Contingency-backed cases aim high, both in monetary value and public visibility.
- Private-litigation tactics: Expect discovery, publicity, and procedural strategies that resemble class actions rather than typical regulatory investigations.
- Increased scrutiny of conduct: Companies should anticipate demands for evidence of genuine data governance—not just surface-level compliance.
- Vendor and counsel review: Businesses should reevaluate their external partners’ readiness for multi-state litigation and their compliance record with state AGs.
Why This Matters for the Privacy Ecosystem
The rise of contingency-based enforcement signals a fundamental evolution: privacy regulation in the U.S. is maturing into a litigation-first ecosystem. What began as consumer-protection investigations is now approaching the scale of antitrust or securities enforcement—complete with complex settlements, multi-state coalitions, and significant financial penalties.
For privacy advocates, this represents progress: more states enforcing more vigorously means greater accountability. But for industry, it also means uncertainty. Companies can no longer rely on limited state budgets as protection against enforcement—they must assume that any state, regardless of size, has access to world-class litigators.
This new environment also highlights the growing importance of defensible compliance software and documentation. Consent and preference management tools, audit trails, and risk dashboards are no longer “nice to have” but essential evidence in the face of a state investigation. Platforms like ours at CaptainCompliance.com help organizations maintain verifiable consent logs, data-mapping documentation, and automated DSAR systems to prepare for such scrutiny.
A Word to Regulators and Law Firms
The collaboration between public and private enforcement can be effective, and scary for businesses that refuse to be compliant. Opponents of what’s happening say that states should clearly disclose fee structures, conflict-of-interest policies, and the criteria used to select outside counsel. Likewise, firms representing the public interest must balance the pursuit of financial recoveries with genuine consumer protection outcomes, including making it part of settlements that defendants use software like Captain Compliance’s to automate their privacy and compliance requirements moving forward.
As enforcement grows more commercialized, credibility becomes critical. The public must see these efforts as legitimate consumer-protection actions—not opportunistic litigation.
Alliance between State AGs and Contingency Firms
The growing alliance between state AGs and contingency-based private firms marks a pivotal shift in U.S. privacy enforcement. It brings more power to the states, but also blurs the lines between public duty and private incentive. For companies, this means broader exposure, higher stakes, and a need for airtight compliance.
Assume that any state could be your next regulator, and act accordingly. Invest in privacy infrastructure that’s defensible, transparent, and verifiable. Because in the new era of contingency-driven enforcement, preparation is the best protection and using Captain Compliance to protect you is the best solution.