Data privacy is becoming more important to the average American consumer. Recognizing this, nineteen states have passed comprehensive privacy legislation that tasks their attorneys general with protecting their constituents' privacy. Some of those states, including California, Connecticut, New Hampshire, New Jersey, Oregon, Texas and Virginia, have even created privacy-focused subunits within the office of the attorney general.
Attorneys general in California, Colorado, Connecticut, Delaware, Indiana, New Jersey and Oregon as well as the California Privacy Protection Agency have created the bipartisan Consortium of Privacy Regulators to collaborate on enforcing their respective state privacy laws.
State attorneys general and other public enforcers play a huge part in shaping how businesses understand and carry out compliance with state privacy laws. As of now, only the California Consumer Privacy Act allows private parties to file legal actions for potential violations, but every state's privacy law tasks its respective attorney general with enforcement. Indeed, state attorneys general are the spearheads of carrying out privacy laws throughout the U.S.
Though there are not many publicly disclosed investigations yet, each action taken sheds vital light on this ever-evolving field. Attorneys general have often brought actions to defend consumer data privacy under more general unfair competition or false advertising laws. The recent proliferation of comprehensive state privacy laws has given them new and more specialized tools to do so.
Given these developments, how have attorneys general enforced enacted state privacy laws? Focusing on publicly disclosed legal actions and identifying shared trends across states over time, what lessons can be learned by only analyzing the claims made under comprehensive state privacy laws?
California actions
The first comprehensive U.S. state privacy law was the CCPA, which passed in 2018 and came into effect in 2020. While there were no public legal actions taken within the first year of its enforcement, California Attorney General Rob Bonta announced in 2021 that his office had sent out private notices of potential noncompliance to many businesses. In the press release, Bonta noted that "upon receiving a notice of alleged violation, 75% of businesses acted to come into compliance within the 30-day statutory cure period."
Anonymized notice summaries posted on the California attorney general's website provide some insight into the holistic approach taken toward enforcement. They range widely both in the recipients' industries and the referenced provisions of the CCPA. From grocery stores to car manufacturers, from inadequate privacy policies to a lack of opt-out mechanisms, Bonta has been keeping watch over as many potential infractions as possible. Soon after the enforcement sweep, one of the private notices turned public.
The first public complaint under the CCPA came in 2022 when Bonta launched an investigation into the makeup and lifestyle company Sephora. The investigation resulted in a complaint and subsequent settlement of claims that Sephora illegally sold California consumer personal data by "mak[ing] consumers’ personal information available to third-party companies for the purpose of obtaining advertising and analytics," even though its privacy policy at the time stated that "we do not sell personal information."
Bonta stated that this alleged disclosure fell into the CCPA’s definition of sale, regardless of whether Sephora received direct monetary compensation. Similarly, allowing third-party companies to install trackers in return for discounted or higher-quality analytics "including the option to target advertisements to customers that had merely browsed for products online" was also a sale. The attorney general broadly interpreted the CCPA’s definition of a sale to include exchanging personal information for "anything of value," a theme which runs through multiple other public CCPA complaints.
The CCPA obliges businesses that sell personal information to take several compliance measures, such as disclosing what categories of personal information they collect and giving consumers the opportunity to opt out of the collection and sale of their data. Businesses must comply with both manual requests to not sell or share a consumer’s personal information and global opt-out signals. These signals, such as those provided by the Global Privacy Control, transmit a do-not-sell request in a standard format to every website the consumer visits.
Sephora was legally required to implement these measures and failed to do so, Bonta stated. Thus, after giving Sephora notice of potential CCPA noncompliance and waiting the requisite 30 days for a cure that failed to manifest, California's Office of the Attorney General filed the complaint. At the time, this mandatory notice-and-cure period allowed businesses to avoid liability by putting potential violations right. The provision requiring notice has since expired; the attorney general’s office may provide notice at its discretion but is not required to do so.
The parties settled for a USD1.2 million fine and the establishment of requirements that Sephora change its privacy practices. These requirements included giving notice to consumers that Sephora was selling personal information, allowing both manual opt-out requests and those made through signals like GPC, and implementing a two-year assessment and monitoring program.
That first broad enforcement sweep that led to the Sephora complaint was followed by more targeted sweeps focused on businesses that operate loyalty programs in 2022, businesses with mobile apps in 2023, large California employers in 2023, streaming services in 2024 and the location data industry in 2025. In this period, Bonta’s office filed more complaints that sought to protect consumer privacy under California’s consumer protection and protection of medical information laws, but the next CCPA action came after the sweep that targeted streaming services.
In early 2024, the attorney general announced an investigation into and complaint against the food delivery company DoorDash alleging similar claims to the Sephora complaint: that DoorDash was selling consumer information in violation of the CCPA without notice or an opportunity to opt out.
Instead of a traditional sale, DoorDash allegedly participated in a marketing cooperative "in exchange for the opportunity to send mailed advertisements to customers of the other participating businesses." Continuing the thread of an expansive definition of "sale," Bonta stated that this fell under CCPA even though it did not result in direct monetary benefit. Similar to Sephora, the existence of an alleged sale required DoorDash to provide notice and opt-out opportunities, which the company did not do.
DoorDash took measures to cure the violation by ceasing to sell California consumers' personal information and requesting that the marketing cooperative delete all of their data. However, the attorney general said that this was too little too late. Other entities in the cooperative had sold the data to outside businesses, including a data broker that resold the data multiple times. Bonta stated DoorDash could not cure the violation "because it did not make affected consumers whole by restoring them to the same position they would have been in if their data had never been sold."
The settlement agreement included a USD375,000 civil penalty as well as requirements to provide notice and opt-out methods for selling personal information, update the privacy policy and create a three-year compliance program.
Later in 2024, the California Department of Justice and Los Angeles City Attorney's Office jointly filed a complaint against Tilting Point Media, a company that creates mobile free-to-play games targeted towards children. The allegations in the complaint differ significantly from Sephora and DoorDash's infractions primarily because the complaint centers around alleged violations of the increased protections the CCPA provides to minors.
With adult consumers, the CCPA permits opt-out consent, where businesses can collect and process personal information by default unless the consumer opts out. However, minors or their parents or guardians must give opt-in consent, where they affirmatively choose to share information with the business. Tilting Point allegedly collected known children's data without authorization in violation of this provision.
When users identified themselves as under 16, the app directed them to a child-specific version of the game, but Tilting Point had allegedly misconfigured its software such that it collected consumer data regardless. Tilting Point and the enforcers settled for a USD500,000 civil penalty as well as requirements related to affirmative opt-in consent, notice of how Tilting Point sells or shares personal information, an updated privacy policy and the creation of programs to monitor its practices and how it configures its software.
These three complaints each allege different claims under the CCPA, but all share an assertive attitude towards privacy enforcement. They define important terms like "sale" and "cure" broadly to provide the greatest possible protection to consumers under the CCPA's terms. Press releases from Bonta’s office have repeatedly emphasized the attorney general’s commitment to ardent enforcement, a claim backed up by these public complaints as well as the number of notices disclosed on the attorney general’s website.
In 2020, the CPRA created the California Privacy Protection Agency, which is the first enforcer that is independent from the state attorney general’s office. Beyond its actions under the CCPA, including a settlement with Honda and an order against clothing retailer Todd Snyder, the CPPA also enforces other California privacy laws. Together, the California attorney general and CPPA form a dual enforcement structure that continues to evolve. As both entities develop their complementary enforcement strategies, businesses should expect more coordinated and sustained scrutiny going forward.
Enforcement reports across the states
Attorneys general from many states have not filed any complaints enforcing their privacy laws, but complaints are not the only source of insight. Six months after the Connecticut Data Privacy Act came into effect, the office of Attorney General William Tong released a report detailing its enforcement procedures and privacy-related findings.
Similar to the CCPA, the Connecticut privacy law had a provision that required the attorney general to provide notice and wait 60 days for the violation to be cured; that provision expired on 1 Jan. 2025. The report states that Tong sent out 10 such cure notices in the first six months of enforcement across multiple industries and regarding multiple potential violations.
The violations in Connecticut are like those reported by the California attorney general: absent or inadequate disclosure of a consumer's rights as well as absent or inadequate mechanisms for consumers to opt out or otherwise exercise their rights. The attorney general noted that many of the recipients of cure notices took prompt steps to rectify violations, in some cases going above and beyond to fix issues the cure notice didn't point out.
However, the report also identifies some growing pains with what constitutes a cure under the Connecticut law. As with the CCPA, curing a violation may be difficult or even impossible in some cases. The report indicates a wait-and-see approach to the iterative process of figuring out what can suffice. "[O]nly time will tell," it says, "which companies fully satisfy our concerns and which matters will ultimately require more formal enforcement action."
The report also points out that many consumers don't yet understand the finer points of submitting a violation complaint. Despite outreach efforts, of the more than 30 complaints received, around a third concerned entities or data exempted from the Connecticut law’s purview. Consumers were also confused about what information they could request a business delete and what information is "publicly available" and thus outside of the law’s scope.
The report concludes with recommendations for how Connecticut's legislature could amend its privacy law to "strengthen or clarify privacy protections." The section draws from provisions of other states' laws to suggest, for example, that Connecticut expand its definition of biometric data to align with a newer law in Oregon. The proposed changes also include reducing entity-level exemptions, such as exemptions for entities subject to the Gramm-Leach-Bliley Act, covered entities or business associates under the Health Insurance Portability and Accountability Act and nonprofit entities. This would make the Connecticut law apply to a broader swath of businesses, similar to the scopes of California, Colorado, Delaware and Oregon.
The report suggests that Connecticut enact a one-stop-shop deletion mechanism, like that in California's Delete Act, and the right to know to which third parties a business has disclosed a particular consumer's personal information, as defined in Delaware's and Oregon's respective privacy laws.
These recommendations grow out of the fact that the Connecticut law is both one of the earliest state privacy laws and slightly different in style from the CCPA — its provisions follow the same general shape as the CCPA, but it has a smaller scope due to its narrower applicability thresholds and broader exceptions. Later laws have learned from the Connecticut law and changed their provisions slightly. The report shows that incorporating those changes into the Connecticut law could help make enforcement clearer and more effective.
The Texas Department of Information Resources created a similar report in late 2024 that reviewed feedback on the much newer Texas Data Privacy and Security Act. Consumers and data controllers alike indicated confusion about the specifics of the law and asked for clarification of its technical details.
Texas consumers stated that they wanted more education about how to exercise their privacy rights. They found the process of doing so confusing because the method varies from controller to controller. This report was released before 1 Jan. 2025, when a provision of the Texas law went into effect that requires controllers to honor global opt-out signals in certain circumstances.
This requirement can alleviate some of the frustration with the lack of streamlined or standardized opt-out requests, but the problem with exercising rights to access, correct or delete remains. Consumers also indicated confusion about how long their preferences would remain in effect. One asked "(i)f I opt out of sale of my data at one point in time, and then the business gets new data about me, do I need to opt out again?"
Data controllers who responded to the survey reported similar confusion, especially with definitions of terms like "data deletion" and "publicly available information." They disliked the uncertainty of yet another compliance burden on top of all the other state privacy laws and advocated for a single federal standard to simplify operations.
For example, most state privacy laws provide a cure period, where the attorney general's office must send a controller notice of a potential violation; the controller then has some time to cure the alleged wrong to avoid official action. However, the Texas law is unique in that this cure period is mandatory and exists in perpetuity. Other states provide for discretionary notice or include a sunset clause for this provision. The report recommended that Texas revise its cure provision to bring it into alignment with those of other states.
In March 2025, the Oregon Department of Justice released a report on the first six months of enforcing the Oregon Consumer Privacy Act. Oregon's dedicated Privacy Unit has started out with outreach and education efforts, including sending "light" cure letters to data brokers with privacy policies that did not comply with the state’s privacy law and running an informational marketing campaign for consumers. Like some other states, the Oregon DOJ opened a consumer complaint portal on its website, through which consumers reported confusing privacy policies and difficulties exercising their privacy rights, especially the right to delete their data.
These reports show a microcosm of the wider privacy landscape: consumers and businesses alike aren't quite sure yet how to adapt to the rights and responsibilities created by privacy laws. They show a glimpse into the important behind-the-scenes collaboration between the public and private sectors working towards setting standards that are sustainable for both.
Lawsuits
In stark contrast, Texas Attorney General Ken Paxton exploded onto the scene a month after the DIR report by filing the first ever formal lawsuit under a state privacy law, even though the Texas Data Privacy and Security Act is a relatively new law that only came into effect 1 July 2024. The complaint includes a demand for a jury trial — the first public complaint to do so. California's actions were only announced along with their associated settlements, so this is the first contested action filed under a comprehensive state privacy law.
Paxton alleged that the data analytics company Arity, a subsidiary of the insurance company Allstate, violated the Texas law by collecting and processing consumer data without notice, consent or a way for consumers to exercise their privacy rights. Arity allegedly licensed tracking software to developers of mobile applications that offered location-based services, like tracking prices at local gas stations or getting alerts when a family member arrives or leaves certain places.
The complaint claimed that this software harvested, among other things, a consumer's "phone's latitude, longitude, speed, GPS time, bearing, and altitude" and sent it back to Arity. The complaint also alleged that Arity bought data from car manufacturers to refine the data it collected, selling it to insurance companies without notice or consent from consumers.
This marks a sea change in the history of comprehensive state privacy laws; it may be the first lawsuit to enforce them in the U.S., but it certainly will not be the last. Public enforcers are aware of increased privacy consciousness among their constituents. For example, the report from the Texas DIR stated that 77% of respondents were "very concerned" with how businesses use their data.
Oregon's report found that in the first six months of the Oregon Consumer Privacy Act coming into effect, its online consumer complaint portal received more than triple the number of complaints as did Connecticut's similar complaint portal in its own first six months. Consumers are becoming more aware of their rights and the effect that potential breaches could have on their lives. Some enforcers are responding with actions to show that their laws have teeth.
Conclusion
This period of rapid data-privacy-related development in the public and private sectors has created growing pains for both domains. Some public enforcers are securing settlements with massive monetary and injunctive penalties for alleged violations of fundamental tenets of state privacy laws, like disclosing what data a business collects or providing methods for consumers to exercise their privacy rights. At the same time, attorneys general in other states are requesting increased funding to deal with an influx of complaints and potential violations.
For their part, consumers are also still coming to grips with what rights they have and how to exercise them. In 2023, the IAPP surveyed consumers and found that 68% of respondents said they are either somewhat or very concerned about their online privacy. However, only 30% of respondents had a strong understanding of what personal information industries collect and why and how they use it.
Across the U.S., private and public entities are locked in a complex negotiation with each other to determine what a "sale" or a "cure" is under applicable laws. These terms radically impact the scope of what these laws cover, but there is still a dearth of solid precedent on which to build a shared understanding. Young as they are, state privacy laws have still shaped how all stakeholders approach data privacy practices.
Whether through soft power outreach like notice letters or through aggressive legal actions, the ultimate goal for public enforcers is compliance with law. At the IAPP's Global Privacy Summit, a panel of officials from the CPPA and the offices of the attorneys general of Colorado and Oregon emphasized the need for cooperation and transparency within and across sectors. These states are part of the Consortium of Privacy Regulators, which aims to avoid more piecemeal enforcement and harmonize it throughout the states.
As the older state privacy laws settle in and the newer ones come into effect, regulators are leveraging their growing expertise to take strategic, targeted enforcement actions, often focusing on sectors with high consumer impact or business practices that have been brought to light by consumers and others. As the regulatory landscape matures, companies should expect state attorneys general to move fluidly between both headline-grabbing settlements and a steady track record of privacy enforcement that shapes compliance expectations nationwide.