State AG Privacy Enforcement

U.S. state attorneys general are playing a growing role in privacy enforcement, using their broad consumer protection powers to investigate and penalize companies over data misuse, dark patterns and algorithmic harm. From California to Texas, AGs are issuing subpoenas, negotiating multimillion-dollar settlements, and teaming up on multistate actions. Enforcement often goes beyond privacy statutes, relying on deceptive or unfair practices laws to target violations. This page tracks major enforcement actions, legal theories and cross-state efforts shaping how privacy laws are interpreted and applied at the state level.

Date Range:

Author:

Category:

Include:

articlessource documents

Refine Trend Search

Clear Terms

Search Primer

Term list: Separate terms with spaces, not commas or semicolons.

Multi-word term: Place inside quotes to ensure an exact match (e.g. "China import").

Acronyms: Use all capital letters to ensure the search is not looking for that letter sequence instead.

Required term: If a term must be included in any resulting articles, prefix it with a plus sign (e.g., +CBP).

Excluded term: If a term should be excluded from any articles being found, prefix it with a minus sign (e.g., -ruling).

Singular form: Always use the singular form when doing multi-word terms (e.g. "russian export control" instead of "russian export controls").

Shortest word form: When you have different word forms in a quoted (multi-word) term, you want to only include the shortest version if it is the last part of the expression (e.g., "entity list" instead of "entity listing" or "entity listed").

Top Privacy Daily Articles You May Have Missed From Last Week

August 12, 2025 |Top News

Privacy Daily is providing readers with the top stories from last week, in case you missed them. All articles can be found by searching the title or clicking on the hyperlinked reference number.

Topics:Health Privacy and HIPAA

Allstate Subsidiary Says Court Should Drop it From Location Data Case

August 11, 2025 |Courts

Texas’ claims that an Allstate subsidiary collected and shared Texans' driving data with the insurer are based on assumptions, not facts or evidence, the subsidiary, Arity 875, said in an appeals court brief August 4. As such, Arity, a data analytics company, urged the Texas 15th Court of Appeals to drop it from a lawsuit.

Topics:Data Brokers and Delete Acts

Wikimedia Loses UK Online Safety Challenge; EFF Warns of Similar US Legislation

August 11, 2025 by Dugie Standeford|Top News

London's High Court of Justice Monday tossed a challenge by nonprofit Wikimedia Foundation to provisions of the U.K. Online Safety Act (OSA) it claimed could jeopardize the privacy and safety of Wikipedia contributors, but stressed that contributors must be protected.

Judge Questions Federal Preemption Claims in NJ Daniel's Law Case

August 11, 2025 by Adam Bender|Top News

CAMDEN, N.J. -- A federal judge raised doubts Monday that the Communications Decency Act gives data brokers immunity from New Jersey’s Daniel’s Law. In an oral argument at the U.S. District Court for New Jersey, Judge Harvey Bartle heard preemption arguments from various data brokers sued by Atlas Data Privacy under the 2020 state law, which is aimed at protecting the personal information of judicial and law enforcement officers, child protective investigators and certain family members.

Topics:Data Brokers and Delete Acts

20th-Century Wiretapping Statutes Deserve Updates, Privacy Pros Say

August 8, 2025 by Kara Thompson|Top News

As privacy litigation under older laws has exploded, some have called for amending decades-old statutes often at the center of lawsuits so that they aren't applied to modern technologies. The California Invasion of Privacy Act (CIPA) in particular has been subject to more scrutiny as litigation has increased (see 2503030050).

Topics:Class Actions, Private Right of Action, Health Privacy and HIPAA

Allianz Data Breach Exposing PII of Almost 1.4M Brings Bevy of Lawsuits

August 7, 2025 by Kara Thompson|Top News

A July data breach of Allianz Life Insurance Co. of North America precipitated a flurry of lawsuits alleging inadequate safety procedures. The company said the data breach exposed the personal information of most of its 1.4 million U.S. customers and stakeholders.

Topics:Class Actions

Class-Action Suit Alleges Bitcoin Depot's Negligence in 2024 Data Breach

August 6, 2025 |Courts

Bitcoin Depot failed to adequately protect the personally identifiable information (PII) of more than 26,000 individuals, which was then exposed in a data breach, a class-action complaint alleged Friday in the U.S. District Court for Northern Georgia. Lead plaintiff Quincey Hall's lawsuit alleges negligence, invasion of privacy, breach of implied contract and violations of the Georgia Uniform Deceptive Trade Practices Act, among other claims.

Topics:Class Actions, FTC

Illinois Renews Call for Dismissal of DOJ's Workplace Privacy Suit

August 5, 2025 |Courts

Illinois renewed its request for a federal court to dismiss a DOJ workplace privacy suit Monday. The state argued that DOJ didn't prove how federal law preempts elements of the state's Right to Privacy in the Workplace Act (Privacy Act).

Topics:Social Media

Federal Court Drops Kids Privacy Case Against EdTech Platform Instructure

August 5, 2025 |Courts

A federal court sided with education technology platform Instructure and ruled that a case against it failed to plausibly allege specific facts about the taking or use of data. The U.S. District Court for Central California dismissed case 25-02711.

Topics:Comprehensive Privacy Bills

Increased Data Broker Regulation Has Companies Weighing Multistate Compliance

August 5, 2025 by Karl Herchenroeder|Top News

The expansion of data broker liability in states like Texas and California has companies considering multistate compliance approaches, privacy attorneys told us in interviews.

Topics:Data Brokers and Delete Acts