With the continued absence of comprehensive federal privacy legislation after nearly 20 years of debate, state attorneys general (AGs) are increasingly asserting their role as primary regulators in the data privacy space. These state-level actors are shaping the trajectory of privacy law and enforcement through a combination of legislative advocacy, regulatory implementation, and public engagement.
In this Insight, we discuss emerging state AG enforcement priorities, key developments in state privacy laws, and practical guidance for companies navigating this rapidly changing regulatory landscape.
The growing prominence of state AGs reflects a long-standing reality of American governance: when Congress fails to act, states often work to fill the gap. We are now seeing this play out in the privacy realm, with a number of states enacting their own privacy laws. In the absence of federal preemption, these statutes and their enforcers are setting the privacy standards for businesses nationwide. And while each law has its own notable variations, they also have important similarities.
In general, these state privacy laws can be grouped into three “styles”: California-style, Virginia-style, and Utah-style. For companies operating in multiple states, understanding the similarities and differences between these styles is critical for developing and executing a successful compliance strategy.
While the list of states with data privacy laws continues to grow and evolve, the following states have laws that will take effect in 2025 and beyond: Tennessee, Minnesota, Maryland, Indiana, Kentucky, and Rhode Island.
Despite the different legislative styles outlined above, there are commonalities among state consumer privacy laws as to the consumer rights they protect and strategies for compliance. Most states recognize a core set of data subject rights, including the right to access, correct, and delete personal information; the right to portability of personal information; and the right to opt out of targeted advertising, the sale of personal data, and certain types of profiling.
All state consumer privacy laws impose notice and transparency obligations. Businesses are required to maintain clear and accessible privacy statements that disclose the categories of data collected, the purposes for which the data is used, whether data is shared or sold, and how consumers can exercise their rights.
Many states also provide heightened protections for sensitive data. In jurisdictions such as Connecticut, Colorado, and Virginia, this includes an opt-in requirement before processing sensitive categories such as health, biometric, and neural data.
Other common provisions include data minimization and purpose limitations, which require companies to limit the collection of personal information to what is reasonably necessary for disclosed purposes and retain it only as long as needed. Several laws, particularly those that follow the Virginia-style, mandate risk assessments for higher-risk processing activities, requiring businesses to weigh the benefits of processing against the potential harm to consumers.
While there is general alignment on the types of data and rights protected, some states diverge in how they define the scope of application and exemptions. For example, Utah and Virginia provide entity-level exemptions for financial institutions subject to the GLBA, whereas California and now Connecticut (effective July 1, 2026) take a narrower approach and do not exempt entities in their entirety.
As more state consumer privacy laws take effect, enforcement activity by attorneys general is ramping up in both scope and sophistication. Many AG offices are actively investigating compliance with state breach notification laws as well as the consumer privacy statutes, including by initiating public sweeps and issuing interpretive guidance aimed at clarifying businesses’ obligations.
A consistent focus has emerged around two central enforcement themes: timeliness and transparency. Regulators expect prompt notification of data breaches, particularly where sensitive data is involved. Significantly delayed reporting, especially beyond statutory deadlines, is likely to draw scrutiny and increase enforcement risk.
Equally important is the manner in which companies respond to incidents or inquiries. State AG offices will be more receptive to businesses that acknowledge their responsibilities, cooperate with investigations, and demonstrate concrete steps taken to mitigate harm. A collaborative approach can significantly influence the course of an investigation, while evasive or legalistic maneuvering may escalate matters unnecessarily.
In addition to post-incident responsiveness, many regulators are placing greater emphasis on proactive compliance. This includes ensuring that privacy notices are clearly written and accessible, consumer rights are not just listed but actionable, and internal processes reflect a genuine commitment to data protection. State AGs have signaled that good-faith compliance—backed by thoughtful implementation and meaningful user control—goes a long way in shaping enforcement outcomes.
Some states have also begun to align their enforcement priorities through multistate working groups. These collaborations allow AGs to share insights and coordinate responses, offering businesses a degree of consistency across jurisdictions even in the absence of federal preemption. While laws may vary in detail, the overarching regulatory posture increasingly favors early engagement, clarity in disclosures, and accountability in data handling practices.
Emerging technologies, particularly artificial intelligence (AI), are also drawing the attention of state AGs. There is growing concern about the ways in which AI may amplify privacy risks or entrench systemic biases. Algorithms used in lending, employment, or targeted advertising can operate opaquely and may rely on personal data in ways that are discriminatory or invasive.
As efforts to regulate AI at the federal level continue to face political headwinds, state-level legislative efforts have arisen to address the privacy and ethical risks associated with AI. Several states, often encouraged by their AGs, are proposing requirements such as disclosure obligations around AI-powered decision-making; limits or outright bans on discriminatory profiling in contexts such as credit, employment, or housing; and the implementation of risk assessment frameworks to ensure accountability for automated systems.
The patchwork nature of state privacy laws presents a compliance challenge, particularly when paired with overlapping breach notification obligations. Even well-intentioned businesses can struggle to reconcile detailed statutory requirements with broader principles like clarity, transparency, and usability. Regulators are encouraging companies to move away from dense, jargon-filled privacy policies in favor of layered notices that are short, readable, and actionable. Notices should clearly describe consumer rights and provide straightforward mechanisms for exercising such rights. Broken links, missing disclosures, or contradictory information are among the most common deficiencies flagged in enforcement actions.
The expectation is not perfection, but good faith. Companies that demonstrate a serious commitment to compliance will be better positioned to navigate this evolving landscape. For additional guidance, we have developed a state consumer privacy compliance checklist with specific information for businesses operating in California.
With privacy enforcement increasingly concentrated in state AG offices, businesses should anticipate a future where proactive engagement is critical. The goal is not just to avoid enforcement, but to build systems that demonstrate a respect for individual rights and regulatory expectations.
Companies operating nationally must not only monitor legislative developments across multiple states, but also invest in scalable compliance strategies that prioritize clear communication, timely incident response, and cross-functional collaboration. Regulators have indicated that businesses that take these steps, and do so transparently, are likely to be viewed more favorably, even in the face of inevitable challenges.
[1] Connecticut recently amended its law (effective July 2026), shifting the GLBA exemption from an entity-level exemption to a data-level exemption, bringing it more in line with the California-style.