Privacy Daily is a service of Warren Communications News.
‘Starting Point’

EPIC Report: AGs Rely on State and Federal Law, Multistate Letters in Privacy Cases

State attorneys general have relied on a combination of state consumer protection law, state comprehensive privacy law, federal children’s privacy law and multistate letters in cases against privacy violators, according to a new report from the Electronic Privacy Information Center.

EPIC analyzed 222 state-led cases from 2020-2024, including 34 concerning data privacy. Privacy laws in 10 states were enacted or came into effect by the end of 2023, including in California, Colorado, Connecticut and Texas. Only California filed formal claims under its comprehensive privacy law in data privacy cases: against Sephora in 2022, Tilting Point in 2024 and DoorDash in 2024, according to the report.

Many states in 2024 relied on consumer protection laws to bring claims in data privacy cases: Arkansas (Temu), California (Tilting Point and Adventist), New York (College Board and 4K Apps), Pennsylvania (Shopagala) and Texas (GM/Onstar). Arkansas and New York didn’t have comprehensive privacy authorities in 2024.

Over the five-year window, AGs sent multistate letters to several companies in privacy-related cases, including American Express, Mastercard and Visa in 2022; FedEx in 2022; UPS in 2022; Apple in 2022; and Temu in 2024. The letters were included in the report’s list of open investigations, which EPIC logged separately from formal cases. Texas sent a single-state letter to Memorial Hermann Health System in 2022, and Florida sent letters to Apple and Google in 2023.

EPIC Counsel Suzanne Bernstein, who co-authored the report, called it a “starting point” for understanding how AGs are enforcing against online-related harm, which included everything from privacy to algorithmic harms. In an interview with Privacy Daily, she said the report shows why the availability of consumer protection authority against unfair and deceptive practices is important, but there are gaps that can be filled in part by using comprehensive privacy authority moving forward.

She noted several state privacy laws have come into or are coming into effect in 2025, and many state privacy laws that went into effect between 2020-2024 included a ramp-up period for enforcement. She said to expect AGs to continue to find creative ways to combine authorities, with subject-specific privacy laws like Washington’s My Health My Data Act coming into effect.

In addition, Bernstein noted state use of federal authorities under COPPA and HIPAA. According to the report, states brought formal claims using COPPA in four data privacy cases and two platform accountability cases over the five-year period. New Mexico cited COPPA in 2020 against Google, in 2021 against Angry Birds and in 2021 against TinyLabs/SDK and Google/AdMob. A multistate group cited COPPA against Meta in 2023, and Florida used it for its own case against Meta in 2023. California relied on COPPA in the 2024 case against Tilting Point.

State AGs brought HIPAA claims against entities in 22 different cases over the five-year period, mostly concerning data breaches. AGs used HIPAA only in two data privacy cases: California against Adventist in 2024 and New York against Presbyterian Hospital in 2023.