Though it may not be a perfect correlation, meaningful enforcement is a major driver of data privacy compliance.
Because of its federal structure, the U.S. has more than 50 government bodies empowered to enforce state and federal privacy-related laws, from the U.S. Federal Trade Commission and sectoral federal agencies on down to the attorney general of the smallest state. After all, Rhode Island — the smallest state by area — will have an enforceable comprehensive privacy law as of January 2026.
Though most of these enforcers do not dedicate substantial resources to the issue of consumer privacy, this fact is rapidly changing. Whether driven by increased awareness to privacy issues, the splashy headlines from other states' enforcement actions, or by the obligation to show results from comprehensive privacy laws, the state enforcers are staffing up.
Texas serves as a key example. Almost two years ago, as the Texas Legislature observed the impending 2024 implementation deadline of the Texas Data Privacy and Security Act, it decided to add a significant budgetary line-item to the office of the attorney general.
The Texas attorney general's final 2024 budget included more than USD5 million specifically earmarked for "start up / implementation costs and ongoing costs" of enforcing the TDPSA. Of this, just over USD1 million covers staff salaries and wages, while another USD3 million is allowed for "professional fees and services," which likely covers litigation and other specialized costs.
Though not guaranteed, the 2024 Texas budget also recommends the continuation of funding at this level at least through 2027.
These dedicated funds help to explain Texas' rapid rise to prominence in the privacy world, after the attorney general's office quickly staffed a Privacy and Tech Enforcement Unit with new hires with deep privacy expertise working alongside experienced consumer protection attorneys. It took only a few months for the unit to begin publicly announcing a string of investigations related to data brokers, sensitive data, children's safety and deceptive generative AI claims.
Shortly thereafter, Texas announced a settlement with Meta of USD1.4 billion under its biometric privacy law. Of course, this case was only inherited by the new unit, but it is worth noting that a single fine like this could fund a USD5 million budget for 280 years. Though it is considered gauche for enforcers to self-fund, such that fines in most states are returned to general coffers, it is hard to avoid the conclusion that this is good return on investment.
These numbers are reminiscent of the early days of the California Privacy Protection Agency, which began with a budget of around USD5 million in 2020, but has since expanded to USD12.8 million for the 2024-25 fiscal year. As the agency’s recently released 2024 Annual Report explains, "the budget's growth reflects CPPA's expanding mandate and responsibilities." This mandate includes more than enforcement, though the agency's enforcement division has grown to include about a dozen attorneys and technologists.
By comparison, the Colorado attorney general's entire consumer protection and antitrust section had a budget of under USD6.7 million for 2024 including the salaries of roughly 45 full-time employees.
Though every state's appropriations and budgeting processes are different, the total numbers are a helpful guide toward understanding the resources that each watchdog is able to bring to the field.
In a scene that underscored the importance of dedicated funds, Maryland Attorney General Anthony Brown this week beseeched the legislature to pass a novel data broker tax, because the revenue would help the state catch up on privacy enforcement.
As reported by Privacy Daily, Brown said, "Maryland is slipping behind" even with its uniquely strong privacy laws. He went on to explain, "Without dedicated professionals, attorneys, investigators and technologists with expertise in data privacy, artificial intelligence and high-tech enforcement, my office simply cannot effectively regulate this evolving industry or safeguard Maryland’s personal information."
These remarks are especially notable after the Maryland attorney general's office received a 30% increase in 2024, with a total budget for the consumer protection section of USD12.5 million.
Even small states have begun to realize that specialized attorneys and technologists are needed to effectively staff data privacy matters. For those states with comprehensive laws coming online in 2025, a pattern has emerged for a minimum viable privacy team within their attorneys general offices.
A handful of these states have each devoted two full-time attorneys and a technologist to investigating consumer privacy. Meeting this minimum appears necessary to simultaneously pursue the public education and enforcement efforts most states embrace.
States like Utah and Virginia instead follow the older model of designating a single full-time attorney for privacy matters generally are not able to maintain a public presence, though they still show up in multistate investigations.
Of course, raw numbers do not account for everything. Expertise also matters.
No one knows the value of long-term operational expertise as well as the FTC, which has been the primary U.S. privacy enforcer for decades.
FTC commissioners have long been proud of the agency's ability to punch above its weight, often comparing the 50-person staff of the Division of Privacy and Identity Protection to the more than one-thousand-person strong U.K. Information Commissioner's Office. Though data protection authorities like the ICO have different obligations from pure enforcement agencies, notably including mandatory responses to individual complaints, the point remains: nothing is more key to effective privacy enforcement than a deep bench of specialized expertise.
As the Trump administration continues to pursue deep cuts to the federal workforce, it is unlikely the FTC will be spared. The return-to-office mandate alone, in effect next week at the FTC, is likely to encourage departures at an agency that has long enjoyed a flexible work culture, even before the pandemic. Though privacy enforcement remains a priority, staffing uncertainty could mean an ebb in the FTC's upcoming presence.
Overall, as the state and federal policy landscape rapidly evolves, the contours of privacy enforcement are likely to see seismic shifts. It is difficult to predict what this will look like in the next few years, but it is fair to say the proliferation of privacy laws will only add to the activity from America's diffuse cadre of watchdogs.
Please send feedback, updates and budget sheets to cobun@iapp.org.
Cobun Zweifel-Keegan, CIPP/US, CIPM, is the managing director, Washington, D.C., for the IAPP.
