State attorneys general (AGs) and plaintiffs’ law firms have emerged as the unsung heroes of consumer data defense. The Electronic Privacy Information Center’s (EPIC) newly released report, State Attorneys General & Privacy: Enforcement Trends, 2020-2024, paints a vivid and data-rich picture of this seismic shift. Clocking in at over 150 pages of rigorous analysis, including detailed appendices with raw datasets, the report catalogs more than 2,300 enforcement actions, from high-stakes lawsuits and multimillion-dollar settlements to investigative subpoenas and stern warning letters, taken by AGs across all 50 states, the District of Columbia, and U.S. territories like Puerto Rico and Guam.
These efforts targeted six core privacy harm categories, filling critical gaps left by a “hostile federal environment” characterized by the repeal of broadband privacy rules in 2017 and the ongoing limbo of comprehensive federal legislation. AGs leveraged everything from longstanding state consumer protection (SCP) laws—invoked in 95% of cases—to nascent comprehensive privacy statutes like California’s CCPA and Virginia’s CDPA. As EPIC’s executive summary starkly notes, “State AGs have stepped into the breach, using their parens patriae authority to protect residents from privacy harms that federal inaction has left unaddressed.”
State AG Privacy Enforcement (2020-24)

See the full report via Airtable here: https://airtable.com/app4cvxMFPTwk9IYt/shrpI3QqsgG7ooqFS
For compliance professionals in regulated industries like finance, healthcare, tech, and e-commerce, this report isn’t just a statistical compendium—it’s a strategic roadmap laced with actionable insights. It highlights how AGs are wielding multistate coalitions to dismantle systemic threats like massive data breaches and algorithmic biases, while single-state actions surgically target hyper-local violations such as deceptive consent practices. As organizations navigate an era of escalating cyber risks, AI-driven harms, and a patchwork of 20+ new state privacy laws with more states ramping up enforcement, understanding these trends is essential for fortifying compliance programs, anticipating resource-intensive audits, and mitigating penalties that have ballooned from six-figure fines to settlements exceeding $500 million. Let’s dive deep into the report’s revelations, drawing on its exhaustive case studies, visualizations, and forward-looking recommendations.
The Big Picture: Scale, Scope, and Methodological Rigor
EPIC’s analysis reveals a torrent of AG activity, with 2,328 total actions documented between January 1, 2020, and December 31, 2024—a figure that swells dramatically when accounting for multistate participation (e.g., a 50-state coalition against a single violator counts as 50 discrete actions). This includes 222 individual cases and settlements, 99 public investigations announced via press releases, and over 1,023 warning letters demanding cessation of unlawful practices. The report’s methodology is a model of transparency: EPIC compiled data from NAAG (National Association of Attorneys General) databases, archival press releases, court dockets, and direct consultations with over two dozen AG offices. The dataset is “frozen” as of late 2024, excluding pre-2020 actions or non-privacy-related fraud, and includes three complementary views: Total Actions (emphasizing scale), Individual Cases (focusing on unique enforcement events), and Grouped Cases (clustering similar multistate efforts for pattern analysis).
Key drivers of this surge? The post-2020 explosion in reported data breaches, from 2,260 incidents in 2016 to over 10,000 annually by 2024 per FBI Internet Crime Complaint Center (IC3) data, and the insidious rise of platform harms, particularly those exploiting minors through addictive algorithms and dark patterns. AGs predominantly invoked state SCP laws (e.g., UDAP statutes) in nearly all cases (95%), supplemented by federal backstops like the Telephone Consumer Protection Act (TCPA) for robocalls and the Children’s Online Privacy Protection Act (COPPA) for kids’ data. As the report emphasizes, “Multistate enforcement has proven to be a powerful tool in addressing large-scale privacy violations, pooling resources to achieve outcomes unattainable by individual states.”
Here’s an expanded breakdown of actions by category, incorporating EPIC’s visualizations (e.g., bar charts and heat maps) and highlighting trends like the 2022–2024 spike in platform governance suits:
| Category | Total Actions | % of Total | Individual Cases | Notable Trend | Avg. Settlement Size |
|---|---|---|---|---|---|
| Unwanted Calls & Texts | 909–1,200+ | 39% | 48 | Multistate letters via Anti-Robocall Task Force (ARTF); 1,258 traceback requests to carriers. | $1–5M |
| Data Breach | 602 | 26% | 66 | 91% multistate; encryption failures and delayed notices dominate. | $10–500M+ |
| Antitrust | 247 | 11% | 15 | 60% federal claims; data monopolies in search and ads. | $20–100M |
| Data Privacy | 171 | 7% | 34 | 90% single-state; consent and collection under CCPA-like laws. | $500K–10M |
| Platform Accountability & Governance | 341–342 | 15% | 53 | Post-2022 surge; youth safety via COPPA and dark patterns. | $5–50M |
| Algorithms & Automated Systems | 58 | 2% | 6 | Emerging; AI biases and deepfakes; overlaps with other categories. | $1–20M |
| Totals | 2,328 | 100% | 222 | 85% multistate overall; SCP claims in 95%. | Varies |
These metrics underscore AGs’ agility and innovation: While federal inaction persists—exemplified by the FTC’s under-resourced privacy docket—states are creating “market incentives for better practices” through injunctive relief (e.g., mandated audits), monetary penalties funneled to victim compensation funds, and behavioral remedies like algorithm transparency requirements.
Enforcement by Privacy Harm Category
EPIC’s taxonomy blends traditional intrusions with frontier issues, providing a granular lens on harms, claims, and remedies. Each category draws from dozens of case studies in Appendix A, revealing enforcement patterns and compliance pitfalls.

1. Unwanted Calls & Texts: The Persistent Intrusion Epidemic
Dominating with 909+ actions (and up to 1,200+ including ARTF referrals), this category addresses the psychological and economic toll of unsolicited robocalls and SMS—harms like harassment, scams, and eroded trust. AGs targeted VoIP providers, lead generators, and telemarketers, with 62% invoking TCPA alongside SCP laws. The ARTF, a bipartisan juggernaut spanning 50 states and DC, drove 711+ letters, including 2023 warnings to All Access Telecom and Telcast Network for unleashing 24.5 billion illegal calls, many laced with COVID-19 scams.
Notable settlements paint a vivid enforcement mosaic: The multistate Avid Telecom case (ongoing since 2020) has yielded $100M+ in forfeitures, while NGL Communications paid $3.2M to 51 jurisdictions in 2023 for debt-collection spam. Single-state gems include Texas’s 2024 suit against Dish Network ($400M judgment) for 57 million violations. EPIC highlights a shift to “spoofing” and AI-generated voices, with 2024 deepfake robocalls prompting urgent ARTF guidance.
“These intrusions aren’t mere annoyances; they enable broader fraud ecosystems,” notes the report, citing IC3 losses topping $10B annually.
2. Data Breach: Safeguards Under Siege in a Hyper-Connected World
As breaches escalated (IC3 complaints rose from 5,145 in 2014 to 64,000 in 2024), AGs logged 602 actions, 91% multistate, focusing on inadequate safeguards like unencrypted PII and delayed notifications under laws like NY SHIELD. SCP claims underpinned 100%, with 33% layering HIPAA for health data. Mega-settlements define the era: Equifax’s $575M resolution (2019–2021, 50 states) compensated 147M victims; Marriott’s $52M payout (2024, 50 states) addressed a 2018 Starwood hack exposing 500M passports.
Recent flashpoints include T-Mobile/Experian ($2.4M, 39 states, 2023) for a 2021 breach hitting 54M users, and Quest Diagnostics (CA, $1.25M, 2024) for vendor lapses. EPIC’s Appendix B clusters these into “systemic failure” patterns, like ransomware in Blackbaud ($49.5M, 49 states, 2023). Overlaps with antitrust emerge in cases like Change Healthcare (multi-AG probe, 2024), where breaches exposed monopolistic vulnerabilities.
“Delayed disclosures compound harm, turning incidents into crises,” the report warns, urging 72-hour notifications as a baseline.
3. Antitrust: Data as the New Monopoly Currency
With 247 actions—60% tied to federal Sherman/Clayton claims—AGs dissected how data hoarding stifles innovation, from search dominance to ad tech collusion. Multistate coalitions amplified impact: The 2023 Google Search monopoly suit (38 states + DC) alleges $700B in overcharges via rigged auctions; Amazon’s ad tech probe (19 states, 2023) targets self-preferencing. Non-Big Tech cases, like RealPage (8 states, 2023–2024), nailed algorithmic rent-fixing inflating costs for 80% of U.S. units.
EPIC identifies “data-fueled anti-competitive conduct” as the harm core, with 33% invoking state analogs to federal law. Remedies? Structural divestitures and data portability mandates. Appendix C maps these to SCP overlaps, revealing hybrid claims in 40% of cases.
“Antitrust enforcement is evolving to treat personal data as an essential facility,” per the analysis.
4. Data Privacy: Consent in the Crosshairs of Deceptive Practices
171 actions—90% single-state—zeroed in on wrongful collection and opaque disclosures, with 92% SCP and 28% COPPA. TikTok’s minor data harvesting drew AR’s 2023 suit ($1.5M settlement), while Google’s location tracking (51 states, 2018–2023, $391.5M) exposed “incognito” myths. E-commerce hits: Temu (AR, 2024) for dark-pattern checkouts; Facebook’s Cambridge Analytica echo (NY/FL, 2021, $5M). CCPA enforcement in CA yielded 78 cases, emphasizing opt-out rights.
EPIC’s taxonomy flags “consent fatigue” as a recurring harm, with remedies like policy overhauls in 70% of settlements.
“Single-state precision allows tailored responses to local harms,” the report observes.
5. Platform Accountability & Governance: Dark Patterns and Youth Vulnerabilities
A 2022–2024 boom (341 actions) targeted addictive designs and governance lapses, harming youth via mental health crises. Bipartisan suits vs. Meta (33 states, 2023, $5B+ sought under COPPA) and TikTok (40 states, 2024) demand age verification and addiction audits. Others: Snap’s “disappearing messages” enabling harassment (NV, 2024, $1M); DoorDash’s tip-skimming dark patterns (CA, 2024). 94% SCP; 32% tort for negligence.
EPIC predicts state online safety laws (e.g., NY’s 2024 S.7694) will turbocharge this, with Appendix D visualizing a 300% case uptick.
“Platforms must govern like public utilities,” urges the report.
6. Algorithms & Automated Systems: The Black Box Battle Heats Up
Though nascent (58 actions), this category signals explosive growth, targeting biases in tenant screening (Buildium, MA, 2022, $400K) and facial recognition (Clearview AI, VT, 2020, injunction). Deepfake overlaps: Lingo Telecom (multi-AG, 2024) for AI robocalls. All SCP-based; FCRA in 20% credit cases. EPIC forecasts: “The biggest growth area, intersecting with biometrics and AI regs.”
Multistate Muscle vs. Single-State Precision: A Tale of Two Enforcement Modes
Multistate efforts (85% of actions) excel in resource-heavy domains like breaches, pooling expertise for $1B+ recoveries—e.g., the 50-state Marriott suit. Single-state (81% of cases) thrives in nuanced privacy suits, like TX’s 100+ data broker letters (2021–2024). Federal synergies? Limited but rising in calls (2 cases via FCC). EPIC’s heat maps (Appendix E) spotlight leaders: CA (75 actions), NY (62), TX (44), with territories like PR adding 12.
State deep dives: California’s CCPA machine cranked 2024 DoorDash ($3.75M); Texas probed TikTok for national security (2023); New York’s GEICO breach suit (2024) layered GBL § 899-aa.

Methodologies and Appendices: The Data Backbone
EPIC’s rigor shines in Appendices 1–6: A (case spreadsheets, 222 entries with DOIs); B (state mini-reports); C (claim taxonomy, e.g., SCP in 95%); D (visuals like green-shaded timelines); E (grouped cases); F (law overviews). Exclusions ensure focus: No pre-2020 or tangential fraud.
Recommendations, Future Outlook, and Compliance Imperatives
EPIC urges AGs to bolster privacy units (e.g., MA’s 2020 division) and harness 20+ new laws for AI/biometrics. Expand ARTF-like task forces; prioritize algorithms. Outlook: Enforcement doubles on platforms/automation, with AI datasets enabling predictive tracking.
“AGs fill federal gaps, incentivizing ethical data stewardship,” EPIC concludes.
For leaders: Map risks via EPIC’s taxonomy; integrate EDR with SCP/HIPAA scoring. Our Compliance Sentinel automates this, preempting coalitions.
In sum, state AGs aren’t reacting—they’re rearchitecting privacy. Download the report here; fortify now. Stakeholders’ data demands it, and Captain Compliance is here to protect and help businesses.