Excerpted from a JDSupra Blog
The enforcement landscape of recently enacted state consumer privacy laws in the U.S. is beginning to take shape, with state attorneys general (AGs) or designated specialized enforcement agencies leading the charge. The absence of comprehensive federal legislation, along with a lack of private rights of action in most state privacy regimes, has resulted in varied enforcement strategies and priorities across different jurisdictions. The following summarizes some state enforcement actions and priorities.
California: Pioneering Privacy Protections and Enforcement
California remains at the forefront of privacy law enforcement with landmark legislation like the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Enforcement under this privacy regime started strong, with California AG Rob Bonta announcing a settlement with DoorDash over its collection of user data early last year, before reaching a stipulated judgment with Tilting Point Media regarding its handling of children’s online data by mid-year.
Texas: Building Momentum in Enforcement
Texas AG Ken Paxton has established a team focused on “aggressive enforcement” of Texas privacy laws. In August 2024, AG Paxton filed a lawsuit against General Motors, alleging the unauthorized sale to insurance companies and other third parties of location data collected from millions of Texas drivers. The lawsuit claims that GM deceived consumers into sharing their data, which was then sold to data brokers without their knowledge, potentially affecting insurance rates and violating privacy rights.
Additionally, in January 2025, AG Paxton launched an investigation into 15 tech companies, including popular social media platforms Reddit, Instagram, Character.AI, Discord, and others, over their handling of data from users under the age of eighteen. The probe aims to ensure compliance with Texas’ Securing Children Online through Parental Empowerment Act (SCOPE) and the Texas Data Privacy and Security Act, which combined mandate parental controls and consent for data handling of minors.
Additional Laws Effective This Year
The national initiative (on a state-by-state basis) to protect consumers’ data privacy is coming to further fruition this year, with eight previously enacted data privacy laws becoming effective in 2025. These include:
- Delaware Personal Data Privacy Act – Effective January 1, 2025
- Iowa Consumer Data Protection Act – Effective January 1, 2025
- Nebraska Data Privacy Act – Effective January 1, 2025
- New Hampshire Data Privacy Act – Effective January 1, 2025
- New Jersey Data Privacy Act – Effective January 15, 2025;
- Tennessee Information Protection Act – Effective July 1, 2025
- Minnesota Consumer Data Privacy Act – Effective July 31, 2025
- Maryland Online Data Privacy Act – Effective October 1, 2025
In addition to these laws becoming effective, four more states have privacy legislation currently introduced or in committee in their state legislatures: Michigan, Ohio, Oklahoma, and Pennsylvania.
State action on both enforcement and legislative fronts continues to demonstrate the importance of data privacy regimes to U.S. consumers and begs the question of when (and if) Congress will catch up.
For the full story, please click here.