We’ve been on high alert about coordinated efforts between states and the growing risk of privacy litigation, so if you haven’t yet, now is the best time to get compliant with our help.
From Legal Foundations to Enforcement Precision
Each regulator on the panel brought a different perspective shaped by their prior experiences—whether in the private sector, law enforcement, or federal agencies. The shared takeaway: enforcement under new state privacy frameworks requires not just legal acumen but also empathy for how businesses operate and make compliance decisions in real time.
Indiana Attorney General’s Office Section Chief for Data Privacy and Identity Theft Douglas Swetnam described how his background in the private sector informs his enforcement style, particularly when assessing the internal decision-making structures of companies facing investigations.
“I understand how the decision-making process really works, and the iterations within a company where the bigger the company, the more iterations tend to exist,” Swetnam said. “I am cognizant when we talk to companies about the effort it takes to bubble something up to the right decision maker who has a thumbs-up and thumbs-down authority, because that is not always easy.”
Swetnam’s comments set the tone for the discussion—one centered on regulators’ growing sophistication and the importance of dialogue in the early stages of an inquiry.
When Regulators Reach Out: Cooperation Over Confrontation
All four panelists agreed that the initial outreach from a regulator should not be viewed as an adversarial move. Instead, early engagement can often resolve potential violations before formal enforcement begins.
Delaware Deputy Attorney General John Eakins reminded attendees that a regulator’s first letter isn’t an accusation but an opportunity for clarification.
“It’s important to remember this is not litigation,” Eakins said. “We get to ask for information, and we can compel information if we’re required. When we see counsel that takes a litigation posture, that becomes challenging to resolve our inquiry.”
Eakins’ comments echoed a recurring message: companies that adopt a defensive stance too early can make simple issues far more complicated than necessary.
Andrea Lowe, Assistant Attorney General of Colorado, agreed—emphasizing that her office treats first contact as a conversation, not a confrontation.
“If we send a letter, we’re trying to engage in a type of back and forth, because we’re seeing if this is something that we can resolve short of having to send a cease-and-desist and go through a more formal process,” Lowe said. “But if we’re doing an inquiry, and we’re sending a C&D, we have a reasonable basis that our consumer protection laws have been violated.”
Lowe cautioned against organizations ignoring or delaying a response to a regulator’s outreach, warning that such actions often backfire and erode goodwill. Engaging early, she said, can lead to quicker, less punitive resolutions.
Institutional Memory and the Importance of Credibility
California Privacy Protection Agency Deputy Director of Enforcement Michael Macko, who moderated the panel, spoke candidly about how regulators retain an “institutional memory” of how companies respond to investigations—something that can follow an organization across future dealings.
“This is why it is important to build credibility with regulators,” Macko said. “This is why smaller businesses who are trying to become acquisition targets by larger ones can get into trouble because they don’t have a long-term mindset. They’re looking at improving the appearance of the balance sheet and that incentive structure gets in a lot of trouble in different contexts.”
Macko’s point underscored a new reality: reputation with regulators now carries weight similar to a company’s relationship with investors or consumers. Businesses that demonstrate a culture of compliance build trust and may receive more cooperative treatment when issues arise.
Privacy Regulators Have Shared Goals & Specialized Expertise
The panelists—each a member of the Consortium of Privacy Regulators—shared their forward-looking enforcement priorities. Despite differences in state statutes, their goals align: increase technical capability, strengthen consumer transparency, and coordinate expertise across jurisdictions.
Colorado: Protecting Opt-In Rights and Children’s Data
Following the enactment of the Colorado Privacy Act, Lowe said her office will focus on ensuring companies respect residents’ opt-in preferences and follow the state’s new protections for children’s data, effective October 2025.
“The potential harm for consumers in the use and disclosure of this kind of data is pretty contrary to what consumers expect when they’re providing this information to companies,” Lowe said. “Given the additional legal obligations around children’s personal data, this will especially be an enforcement priority.”
Indiana: Medical Privacy and Transparency
Although Indiana’s Consumer Data Protection Act takes effect in 2026, Swetnam noted that his office is already active in medical privacy enforcement, especially around data breaches and the sale of personal data on the dark web.
“We’ve done a lot of work in (the medical) space,” Swetnam said. “We see it as an area that is really important, and we balance our priorities by the amount of harm that can be done to consumers.”
Swetnam added that his office is also preparing to evaluate how understandable privacy notices are to the average consumer. His team plans to offer a public complaint portal for residents to flag overly complex or misleading privacy notices.
“Can people understand what (the privacy notice) says?” Swetnam said. “What we’re looking for is transparency.”
Delaware: Data in Connected Devices
Eakins described how Delaware is prioritizing investigations into connected devices—from vehicles to smart televisions—that collect and transmit personal data. These data flows, he noted, are outpacing the current regulatory frameworks that apply to mobile “gatekeepers” like Apple and Google.
“One of the great things about the states is that we all work together,” Eakins said. “As more data is used from Delaware residents’ vehicles and connected TVs, they are going to grow ever more concerned about the hyper-targeted advertising directed at them.”
California: Technical Validation and Operational Readiness
Macko highlighted California’s continued focus on ensuring that companies can technically operationalize compliance under the CCPA and CPRA. His team is concentrating on validating whether systems function as promised—not just whether the legal paperwork exists.
“How are we going to validate that an organization’s systems are working properly?” Macko said. “In our actions there has to be some analysis done and there has to be some technical implementation. If there is not, then we’re missing a big piece of the puzzle.”
The Consortium Model: Divide, Conquer, and Collaborate
The regulators emphasized that the Consortium of Privacy Regulators—representing a growing coalition of state privacy authorities—is moving toward a “divide-and-conquer” model. By assigning specific focus areas to individual states, the consortium hopes to avoid duplication, accelerate investigations, and create shared expertise that benefits consumers nationwide. Private rights of action, with privacy lawsuits from firms like Tauler Smith & Swigart, are also driving adoption of privacy software tools to avoid these expensive fines and settlements.
For instance, Delaware is zeroing in on connected devices, while Indiana is taking the lead on healthcare data, and Colorado continues to monitor children’s privacy and opt-in frameworks. California remains a hub for technical enforcement and inter-agency coordination.
This collaborative model aims to bring consistency to what has been, until now, a fragmented patchwork of state-level privacy enforcement. The regulators acknowledged that while the federal government has yet to enact a national privacy standard, cross-state collaboration through the consortium provides a pragmatic bridge in the meantime.
The Privacy Officer’s and In-House Legal’s Job
- Early engagement pays off: Treat a regulator’s first outreach as a conversation starter, not a subpoena. Cooperation can lead to faster, more favorable outcomes.
- Build credibility now: Regulators remember how companies behave during inquiries. Transparency and responsiveness can influence future interactions.
- Focus on technical compliance: Laws like the CCPA require proof that systems actually function as advertised. Documentation alone isn’t enough.
- Design for clarity: Privacy notices must be written for real people, not lawyers. Expect scrutiny if your notice feels incomprehensible or deceptive.
- Monitor your ecosystem: From connected vehicles to TV apps, ensure that every platform collecting consumer data aligns with your compliance strategy.