State Privacy Crackdown

The conversation around data privacy has shifted gears across the U.S., and state attorneys general are stepping into the spotlight like never before. With 19 states now boasting comprehensive privacy laws, the responsibility to shield consumers from data mishandling has landed squarely on these public enforcers. Places like California, Connecticut, and Texas have gone further, setting up dedicated privacy units and AI units within their attorney general offices, signaling a serious commitment to keeping personal information safe. If you’ve noticed more chatter about your online footprint lately, it’s no surprise: people are waking up to how much data businesses hold, and state officials are responding with action that’s starting to reshape the landscape.

This movement gained momentum with the creation of the bipartisan Consortium of Privacy Regulators, bringing together attorneys general from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, Oregon, and the California Privacy Protection Agency. This group is all about teamwork, pooling resources to tackle enforcement across state lines and iron out inconsistencies in how privacy laws are applied. It’s a big shift from the early days when these laws were just ink on paper. Now, with each state’s attorney general tasked with wielding these new tools, they’re becoming the frontline defenders of consumer rights, even though only California lets private citizens sue for violations. The rest rely on these public offices to hold companies accountable.

Take California as an example—it’s been a trailblazer since the California Consumer Privacy Act (CCPA) kicked in back in 2020. Attorney General Rob Bonta didn’t waste time, sending out private notices to businesses in 2021 after the law’s first year, nudging 75% of them to fix issues within 30 days. Those early moves set the stage for public action, like the 2022 case against Sephora. The makeup giant faced allegations of selling customer data to third parties for ads and analytics, despite claiming otherwise in its privacy policy. Bonta’s office argued this fell under the CCPA’s broad definition of a “sale”—anything of value, not just cash—leading to a $1.2 million settlement and a mandate for better opt-out options and monitoring.

That Sephora case opened the floodgates. Bonta followed up with targeted sweeps—loyalty programs in 2022, mobile apps in 2023, big employers and streaming services in 2024, and location data in 2025—each uncovering new violations. The 2024 DoorDash settlement, a $375,000 fine for sharing data through a marketing cooperative, echoed the “sale” theme, even without direct payment. Then there’s Tilting Point Media, hit with a $500,000 penalty in 2024 for collecting kids’ data without opt-in consent, a stricter rule under the CCPA for minors. These cases show a pattern: Bonta’s office is casting a wide net, interpreting terms like “sale” and “cure” broadly to maximize protection. Recently we saw Healthline fined over a million dollars, with more companies in the crosshairs.

Other states are finding their footing too. Connecticut’s Attorney General William Tong released a report six months after its Data Privacy Act took effect, detailing 10 cure notices for issues like missing opt-out tools—many businesses stepped up to fix things beyond the notices’ scope. Texas, meanwhile, made history in August 2024 with Attorney General Ken Paxton’s lawsuit against Arity, alleging the data firm collected location data without consent, a bold move under the new Texas Data Privacy and Security Act. Oregon’s Privacy Unit, launched with the Oregon Consumer Privacy Act, has sent “light” cure letters to data brokers and launched a complaint portal, seeing a surge in reports about confusing privacy policies.

Lessons from the Privacy Trenches

  • Broad Definitions Matter: States like California and Texas are stretching terms like “sale” to cover data exchanges, setting a high bar for compliance.
  • Cure Periods Vary: While Texas locks in a permanent cure option, others like California have dropped mandatory notices, signaling tougher stances ahead.
  • Consumer Education Lags: Reports from Connecticut and Texas highlight confusion about rights, pushing states to step up outreach.

Three Ways Forward

  1. Strengthen Collaboration: The Consortium of Privacy Regulators can help align enforcement, reducing confusion for businesses across states.
  2. Boost Public Awareness: States need to simplify how consumers exercise rights, drawing from Oregon’s marketing campaigns or California’s Delete Act.
  3. Adapt Business Practices: Companies should audit data flows and opt-out systems now, learning from Sephora and DoorDash to avoid hefty fines.

These efforts reveal a landscape still finding its balance. Consumers are more aware—77% of Texans expressed deep concern about data use in a 2024 report—yet many struggle to navigate their rights. Businesses, meanwhile, grapple with overlapping rules, some calling for a federal standard to ease the burden. Public enforcers are caught in the middle, using notices, lawsuits, and reports to build a framework, often learning as they go. The Consortium’s push for harmony hints at a future where enforcement might smooth out, but for now, it’s a patchwork of bold actions and growing pains.

As the clock ticks past 10:36 PM on this July 2, 2025, evening, the momentum behind state privacy enforcement feels unstoppable. The growing pains are real—businesses adjusting to new rules, consumers figuring out their rights—but there’s a sense of hope too. This could be the start of a movement where privacy isn’t just a buzzword but a lived reality, with states leading the charge to protect what matters most. Whether it’s a parent worrying about their kid’s data or a small business owner navigating compliance, the stakes are high, and the story’s just unfolding.

Frequently Asked Questions

Folks are naturally curious about this wave of enforcement. What’s driving it? Growing consumer concern, with 68% of Americans worried about online privacy according to a 2023 IAPP survey. Are other states following suit? Yes, though at different paces: Connecticut and Oregon are ramping up with notices and reports, according to a panel during the Global Privacy Summit in DC last April, while Texas made waves with its first lawsuit. How long will this last? It’s early days, but as laws mature, enforcement is only going to increase.
