U.S. state legislatures and companies across sectors are not the only ones seeking more alignment within the network of U.S. comprehensive state privacy laws. Some of the state authorities charged with privacy enforcement are working toward more harmonization themselves.
Representatives from state attorneys general and the California Privacy Protection Agency touted ongoing efforts to formalize their cooperation to boost enforcement during appearances at the IAPP Global Privacy Summit 2025. Collaboration was among several items regulators covered across back-to-back panels covering the current landscape for state law compliance and enforcement.
Notably, seven attorneys general and the CPPA recently launched a new bipartisan enforcement group, the Consortium of State Privacy Regulators, that aims to facilitate "discussions of privacy law developments and shared priorities, with a focus on consumer protection across jurisdictions." California's two privacy regulators are joined in the group by Colorado, Connecticut, Delaware, Indiana, New Jersey and Oregon.
"As we think about next steps for enforcement in privacy, we're going to be building more and more collaborative infrastructure that is so helpful in these kinds of cases and other kinds of cases," CPPA Deputy Director of Enforcement Michael Macko said during panel discussion.
After the panel, Macko told the IAPP the consortium is open to all state regulators and simply raises a formal channel for interactions that are already taking place. He hopes the group will hold meetings "periodically" in addition to targeted check-ins as issues arise.
Discussing the consortium during her panel, Connecticut Deputy Associate Attorney General Michele Lucan, CIPP/US, CIPM, FIP, said there is "a benefit" for companies to deal with a group of regulators versus answering to individual complaints. She also pointed to regulator benefits to tightening collaboration, including the ability to "quote resources" and "leverage other state's experiences."
"We have strong relationships in this space. This blends to a lot of coordination," Lucan said. "These issues don't stop at state borders, and I think it's actually less common to see a single state on some of these issues that have very broad impacts."
Just getting started
While there are 19 states with comprehensive privacy statutes, more than half are not fully effective to this point. Some states await their initial effective dates while others have a phased approach to implementation.
These procedural delays contribute, in part, to the a perceived lag in enforcement actions. The other factor is cure periods, provided under many laws, eliminate many potential violations that would potentially warrant an action.
Important work is still going on without final decisions to render. Colorado First Assistant Attorney General for the Office Technology and Privacy Protection Unit Stevie DeGroff and Oregon Senior Assistant Attorney General Kristen Hilton, CIPP/US, CIPM, each find the "education period" fulfilling for businesses and enforcers alike.
DeGroff said the pre-enforcement period lends businesses time to immerse themselves in the complexities of compliance between statutes from state to state. At the same time, covered entities can make a concerted effort to find aligned provisions to avoid more obvious violations that may stretch across states.
"There is a bit of an expectation that for some elements of our law," DeGroff said. "Those are probably the going to be the areas where you're going to see stronger reinforcement, as opposed to maybe still some notice or working together to work through some of the more complicated elements of implementation."
Oregon is firmly in the education and outreach phase with its cure period in place until 1 Jan. 2026. Hilton pointed to the a six-month enforcement report published in March and more recently a Q1 2025 complaints summary as some of the compliance resources at businesses' disposal.
Hilton highlighted cure letters as another important asset toward improved compliance.
"We take the time to really dig into privacy notices, because that's what (the letters) are mostly about, the facial violations of our law." she said. "We are citing to specific things in your privacy notice ... and then citing to specific provisions in our law.
"The best thing you can do before you get on the phone with us or before a response letter is go look at the actual provisions."
The investigation stage can yield similar beneficial lessons and outcomes for businesses. Those positives stem from good faith interactions and proactive dialogue following inquiry letters, according to the panelists.
However, CPPA Deputy Director Macko made clear the differences between investigation and prosecution are stark, with the focus becoming "much narrower and much more intense" when prosecution is imminent. He added a lot can happen between investigation and prosecution, like going from exploring multiple violations to then honing in on fewer to potentially "maximize a remedy with a subset rather than the whole spectrum."
"If you're trying to decode the letter and the regulator's intent, it's fundamentally to understand the facts, not prejudge them, and to just get to the bottom of it," Macko said.
Joe Duball is the news editor for the IAPP.
