Privacy, Consumer Protection, and State AG Enforcement Action: What to Expect in 2025
Top Themes of 2025 – What to Expect from State Attorneys General
Comprehensive state privacy laws are the “new normal.” Comprehensive state privacy legislation is unlikely to slow down any time soon. In the first few weeks of 2025 alone, nineteen comprehensive privacy bills were introduced across ten states. As more states endeavor to jump on the privacy bandwagon, consumer protection offices will no doubt begin to ramp up education and enforcement efforts.
Consumer protection cases will be driven by political and public policy positions. Partially due to the U.S.’s sharply partisan political climate, AGs will likely prioritize enforcement actions that bolster political objectives of the party in power. Sensitive areas such as reproductive healthcare, DEI, and ESG will continue to result in AGs finding themselves on opposite sides of issues.
Cross-party collaboration on high-priority topics. Despite the current political climate, there remain some enforcement topics that have broad bipartisan support, including online protections for kids and teens, health data, and general consumer privacy initiatives (e.g., fulfilment of data subject rights). As such, businesses should expect to see continued collaboration between red and blue states in these areas in an effort to pool resources and expand enforcement capabilities.
Emphasis on partner diligence. A number of recent consumer privacy cases, including the Texas Attorney General’s action against Allstate and its subsidiaries, have placed an increased emphasis on partner diligence obligations and the contracts that govern the exchange of data between entities. AG offices across the political spectrum will likely continue to dig in here, and will expect businesses to implement programs to ensure that the personal data they send and receive is exchanged transparently, fairly, and lawfully.
The fundamentals are increasingly important. As more state comprehensive and sector-specific privacy laws are passed and enacted, certain provisions have rapidly gained in popularity, such as core data subject rights (e.g., deletion and access and the right to opt out of sales, sharing, and targeted advertising) and the requirement that businesses honor consumer preference signals (e.g., Global Privacy Control). AGs will likely focus on these requirements and expect businesses to give effect to these basic rights.
The Devil Is In the Details. Certain state privacy laws coming online in 2025 have unique provisions. For example, Minnesota (in addition to Oregon) requires businesses to provide consumers the right to request a specific list of third parties that personal data is disclosed to. As such, businesses should expect AGs to focus on ensuring the provisions unique to their statutes are incorporated into privacy compliance programs.
Setting Yourself Up For Success – How to Avoid Being the Subject of an Enforcement Action
Invest in your privacy program and show your work. Building and maintaining a strong privacy program is not the only thing companies should prioritize heading into 2025 – effectively documenting that privacy program and conveying the business’s best efforts is an important element of demonstrating compliance. Companies should document privacy trainings, internal policies, technical controls, and auditing procedures, and be prepared to share this information with AGs upon request.
Maintain an open line of communication. State AGs value and encourage companies to maintain an open line of communication with their offices, particularly when developing a new product or implementing new or novel uses of personal data. Businesses should feel comfortable communicating with AG offices, and educating them on how products work and why they comply with applicable law.
Prioritize best efforts. As many AGs prepare to bring enforcement actions under comprehensive privacy laws for the first time, they will likely prioritize the most egregious actors. This means businesses should do what they can to emphasize their best efforts and benchmark compliance programs to ensure they are staying with the pack.
AGs are consumers themselves. At the end of the day, AGs are consumers, too. At times, offices open investigations into companies because a staff member had a concerning experience while using a website or product themselves. Businesses should ensure their customer service and support functions are prepared to respond to consumer questions, and should strive to address consumer concerns responsively.