State Privacy Regulators Join Forces with New Privacy Alliance

A bipartisan group of eight state privacy enforcement authorities has formed the Consortium of Privacy Regulators to streamline the implementation and enforcement of state privacy laws. Participating members include the California Privacy Protection Agency and Attorneys General from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon.

While privacy regulators have worked together in the past, the formal creation of the Consortium represents a significant step toward a more collaborative and consistent approach to privacy regulation in the face of a growing patchwork of state laws. The regulators have signed a memorandum of understanding (MOU) that outlines shared goals, including coordinating enforcement actions, facilitating ongoing discussions on privacy law developments, sharing expertise and resources, and advancing consumer protection consistently across jurisdictions.

What This Means for Businesses

State privacy laws overlap substantially in core consumer rights and business obligations, including requirements around data security, transparency, and accountability, and the right of consumers to access, correct, delete, and opt out of the sale of their personal data.

This alignment gives the Consortium a practical foundation to pursue multi-state enforcement actions, potentially raising the stakes for companies operating in more than one of these jurisdictions.

What can businesses expect?
  • Higher Enforcement Risk Across States

Previously, enforcement actions were primarily confined to individual states. Now, businesses may face coordinated investigations or penalties across multiple states for similar violations.

  • Increased Need for Compliance Consistency

With regulators sharing insights and enforcement strategies, inconsistent compliance efforts may be more easily flagged. Businesses should consider a uniform privacy compliance strategy that meets or exceeds the most stringent requirements across participating states.

  • Proactive Privacy Governance Is a Must

Regulators are focusing on real-world privacy harms, including misuse of sensitive personal data such as health data, geolocation, and children’s information. If your business collects or processes sensitive data, top priorities should include proactive risk assessments, transparency in consumer representations, clear retention policies, and staff training.

What Comes Next?

This move also signals potential momentum toward more harmonized state-level enforcement and, possibly, a broader push for federal privacy legislation. Businesses that take action now to standardize their privacy programs across state lines will be better positioned as regulatory landscapes continue to evolve.

To stay ahead, companies should review and align their privacy policies and practices with the most stringent applicable laws, monitor updates from regulators for shifts in enforcement priorities, ensure their data governance and recordkeeping can withstand cross-jurisdictional scrutiny, and invest in privacy-by-design approaches for new products and services.

Questions about state privacy laws? Does your privacy program need a tune-up? We can help!

 

Associate

Aaron works across numerous highly regulated industries, helping them comply with state and federal laws related to privacy and data security, cannabis, marketing, teleservices, and other consumer protection matters.

Aaron Parry