As privacy laws grow in reach throughout the U.S., privacy enforcers, primarily housed within state attorney general offices, are sharpening their corrective measures as they gain legal experience handling complex data privacy cases.
During a breakout session at the IAPP Privacy. Security. Risk 2025 conference in San Diego, Calif., privacy regulators from California, Colorado, Delaware and Indiana shared their experiences navigating the fairly novel privacy laws in their respective states and discussed the soft-law and big-stick enforcement tools they can deploy.
Each of the panelists said their prior work in other legal fields, whether that was in the private sector or at different state and federal agencies, helps inform their work and set their priorities.
For instance, Indiana Attorney General's Office Section Chief for Data Privacy and Identity Theft Douglas Swetnam, CIPP/US, CIPT, FIP, said that before he starts the investigatory process for potential violations of the Indiana Consumer Data Protection Act, which enters into force 1 Jan. 2026, he will put himself in the shoes of the organizational decision makers who will be responding to the agency, drawing on his prior experience in the private sector.
"I understand how the decision-making process really works, and the iterations within a company where the bigger the company, the more iterations (of decision-making) tend to exist," Swetnam said. "I am cognizant when we talk to companies about the effort it takes to bubble something up to the right decision maker who has a thumbs-up and thumbs-down authority, because that is not always easy."
When the regulators first reach out
The panelists each took turns sharing how their respective agencies conduct initial outreach to organizations that may ultimately become the subject of a privacy or data breach investigation.
Delaware Deputy Attorney General John Eakins said organizations need to keep in mind that an initial letter from a regulator does not constitute litigation. He said the purpose of an initial inquiry is to gather facts and pursue a resolution.
"It's important to remember this is not litigation. We get to ask for information, and we can compel information if we’re required," Eakins said. "When we see counsel that takes a litigation posture, that becomes challenging to resolve our inquiry."
Colorado Assistant Attorney General Andrea Lowe said that when a state regulator initially reaches out to an organization, it is, by and large, viewed as an opportunity to start a dialogue. The hope, she said, is that a less legally formal outreach can rectify the issue at hand without the office needing to issue a cease-and-desist letter.
Lowe said it is more productive for an organization's legal counsel to engage with the initial outreach than to ignore it, be issued a cease-and-desist letter, and then come back after the deadline to ask for an extension to comply with the order, a sequence that may foster animosity on either or both sides.
"If we send a letter, we're trying to engage in a type of back and forth, because we're seeing if this is something that we can resolve short of having to send a (cease-and-desist) and go through a more formal process," Lowe said. "But if we're doing an inquiry, and we're sending a C&D, we have a reasonable basis that our consumer protection laws have been violated."
California Privacy Protection Agency Deputy Director of Enforcement Michael Macko, who moderated the panel, said regulators have an "institutional memory" of how different businesses respond to their inquiries. He said this can be problematic for smaller businesses hoping to be acquired by larger firms, because their motivation to complete a sale may override their ability and willingness to adhere to the letter of the law.
"This is why it is important to build credibility with regulators," Macko said. "This is why smaller businesses who are trying to become acquisition targets by larger ones can get into trouble because they don't have a long-term mindset. They're looking at improving the appearance of the balance sheet and that incentive structure gets in a lot of trouble in different contexts."
Looking ahead: Regulators' priorities
Each of the states represented on the panel has joined the Consortium of Privacy Regulators. During the conversation, each regulator shared their office's main priorities going forward.
Lowe said that with the Colorado Privacy Act in force, her office will prioritize ensuring that companies are respecting state residents' opt-in preferences for the use of their personally identifiable information for commercial purposes. Additionally, new protections for children's personal data, added through an amendment to the CPA that took effect 1 Oct., will be an enforcement priority, she said.
"The potential harm for consumers in the use and disclosure of this kind of data is pretty contrary to what consumers expect when they're providing this information to companies," Lowe said. "Given the additional legal obligations around children's personal data, this will especially be an enforcement priority."
While Indiana's Consumer Data Protection Act has yet to enter into effect, Swetnam said his office has emphasized enforcement actions in medical privacy cases affecting state residents. He said his office is actively monitoring the dark web for instances where Indiana residents' personally identifiable information has been circulated.
"We've done a lot of work in (the medical) space," Swetnam said. "We see it as an area that is really important, and we balance our priorities by the amount of harm that can be done to consumers."
Swetnam said that, going forward, a major factor in his office's decision to pursue litigation in data privacy or data breach matters will be how comprehensible organizations' privacy notices are to average consumers. He said his office will offer consumers a portal where they can lodge a complaint if they are confronted with lengthy privacy notices.
"Can people understand what (the privacy notice) says?" Swetnam said. "What we're looking for is transparency."
Even among the members of the burgeoning Consortium of Privacy Regulators, there is an emerging recognition that the best means of tackling enforcement issues is something of a divide-and-conquer strategy. The panelists said that, depending on the resources and technical wherewithal within each state attorney general's office, there is an opportunity for a jurisdiction's enforcers to build expertise in certain areas of consumer privacy law that can ultimately benefit residents of other states participating in the consortium.
Eakins said, for example, that his office has emphasized looking into the use of personal data in connected devices, from cars to televisions. He said regulations around the use of personal data from connected TVs have yet to catch up even with the minimal regulations imposed on "gatekeepers" for mobile devices, such as Apple and Google.
"One of the great things about the states is that we all work together," Eakins said. "As more data is used from Delaware residents' vehicles and connected TVs, they are going to grow ever more concerned about the hyper targeted advertising directed at them."
Macko said that as residents assert their rights under the California Consumer Privacy Act, the key going forward will be ensuring that companies subject to the law's requirements are able to operationalize those rights from a technical standpoint. He said whatever area of consumer privacy law a specific jurisdiction may choose to pursue, there will be a universal need to understand the breadth of the issue through a technological lens, beyond just the black-and-white legal scope of the matter.
"How are we going to validate that (an organization's systems) are working properly?" Macko said. "(In our actions) there has to be some analysis done and there has to be some technical implementation. If there is not, then we're missing a big piece of the puzzle."
Alex LaCasse is a staff writer for the IAPP.
