Emerging trends, insights from public enforcement of US state privacy laws

Data privacy is becoming more important to the average American consumer. Recognizing this, nineteen states have passed comprehensive privacy legislation that tasks their attorneys general with protecting their constituents' privacy. Some of those states, including California, Connecticut, New Hampshire, New Jersey, Oregon, Texas and Virginia, have even created privacy-focused subunits within the office of the attorney general.

Attorneys general in California, Colorado, Connecticut, Delaware, Indiana, New Jersey and Oregon as well as the California Privacy Protection Agency have created the bipartisan Consortium of Privacy Regulators to collaborate on enforcing their respective state privacy laws.

State attorneys general and other public enforcers play a huge part in shaping how businesses understand and carry out compliance with state privacy laws. As of now, only the California Consumer Privacy Act allows private parties to file legal actions for potential violations, but every state's privacy law tasks their respective attorney general with enforcement. Indeed, state attorneys general are the spearheads of carrying out privacy laws throughout the U.S.

Though there are not many publicly disclosed investigations yet, each action taken sheds vital light on this ever-evolving field. Attorneys general have often brought actions to defend consumer data privacy under more general unfair competition or false advertising laws. The recent proliferation of comprehensive state privacy laws has given them new and more specialized tools to do so.

Given these developments, how have attorneys general enforced enacted state privacy laws? Focusing on publicly disclosed legal actions and identifying shared trends across states over time, what lessons can be learned by only analyzing the claims made under comprehensive state privacy laws?

California actions