States Increasingly Beefing Up Privacy Teams, Collaboration
SAN DIEGO -- States, especially those with consumer privacy laws coming online soon, are bolstering their privacy and consumer protection enforcement by beginning to onboard additional attorneys and technologists, experts said during a panel at IAPP's privacy and security conference Friday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Many people are “surprised” to learn “there's so much money dedicated to hiring attorneys in this space,” said Tyler Bridegan, a lawyer at Womble Bond and former director of privacy and tech enforcement in the Texas attorney general’s office.
Texas is “unique” in that the AG office “has its own investigator unit” as well, he said. Some states are hiring “investigators for just the privacy team,” whereas “Texas has a general pool of investigators” who have worked in the AG’s office for a long time and “have a lot of expertise in digging” into things like company practices, so it’s “not entirely new to them.”
Shelby Dolen, a Troutman lawyer, noted that “Texas is very lucky in terms of its size,” adding that how offices approach staffing varies from state to state. “Enforcement can be a little more difficult” in states that have few attorneys working in privacy, but overall, states are “definitely onboarding attorneys [and] technologists to handle … the influx of enforcement, especially if their consumer privacy law is about to come online.”
In addition, Dolen said that although Texas and California have the largest teams and resources for enforcement, they're also very different, as California has a privacy agency pursuing such issues, in addition to its AG office.
Ron De Jesus, the field chief privacy officer at compliance vendor Transcend, noted that a California DOJ official talked on another IAPP panel about her department strengthening its technology expertise (see 2510300052). “There's definitely this trend of regulators not only forming teams that are full of technologists, but then themselves getting into the weeds.”
Bridegan said that since “privacy laws are somewhat unique,” compared with others “that AGs have historically enforced,” many AG offices “are having to adjust their enforcement style accordingly.”
Based on his time working with the Texas AG, he noted that there are formal and informal channels for state attorneys general to discuss privacy issues. For example, there's the more formal privacy cyber working group with all 50 states, which meets monthly, but there's also a subgroup dedicated to discussing laws that are “likely to pass or pending,” Bridegan said.
“A lot of legislators call on AG offices to weigh in on their privacy laws and provide feedback, especially around like enforcement mechanisms,” he added.
Considering that AG offices are “sharing a lot of information with each other,” companies “have to be really consistent and clear no matter what regulator or agency [they] are dealing with,” Dolen said. She and Bridegan noted, however, that collaboration could ease compliance issues. States might consider "interpreting the similar provisions of their law[s] similarly,” Bridegan said. “If one state does something publicly, it's fair to assume that every other state saw that happen, and it's considering … whether they should do the same thing.”
Given that 2026 is an election year for many AGs, Bridegan predicted that states will focus on “investigations that will be popular, either directly to their base or [on] a bipartisan basis,” such as vehicle privacy. There will also be “timeline pressure internally” to do “fast investigations,” which will make it “an interesting year."
Dolen said children’s privacy is bipartisan and could see a lot of action in the coming year. Data broker enforcement is also a trend that may see more enforcement, she added.
At the same time, “a lot of states are also still kind of getting up to speed on what capabilities they have” on privacy enforcement, Bridegan said. He gave the example of Nebraska, which has a privacy law but files privacy-related lawsuits under other consumer protection statutes instead (see 2507080048 and 2509230050).
Concerning the most active states in 2026, Dolen said Indiana is one to watch. She cited remarks by Douglas Swetnam, section chief of the Indiana AG's data privacy and identity theft unit, in a panel Thursday (see 2510310013). California is always active as well, she added.
Bridegan agreed about Indiana. In addition, he said Minnesota has a “thoroughly brilliant AG’s office" and “a great group of attorneys.”