by Felicity Slater and Susan Hintze
On April 16, 2025, the California Privacy Protection Agency (CPPA) and state Attorneys General from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon announced the formation of the bipartisan "Consortium of Privacy Regulators." The focus of the Consortium will be to foster multi-state coordination, including sharing of expertise and resources, in investigation of potential violations of and enforcement of their state's respective comprehensive privacy laws.
The press release quotes Michael Macko, the CPPA’s head of enforcement, observing that CPPA officials have “seen firsthand how misuse of data can harm Californians, whether it's information about their health, location, kids, identity, and more.” This suggests that sensitive personal information — including health information, kids’ data, and precise location data, which have taken center stage for new privacy laws and enforcement in recent years — is likely to be a priority for the Consortium.
While state privacy law enforcers have been open about engaging in informal information-sharing for years and some have even coordinated multi-state settlement negotiations, the formation of the Consortium marks the first formalization of such collaboration in the privacy context and may signal a potential uptick of multistate privacy enforcement action. This possibility is significant for businesses, whose potential liability may increase in the context of more coordinated lawsuits and settlement negotiations brought under the comprehensive privacy laws of multiple states. In the past, coordinated efforts among state enforcers have tended to yield high combined settlement amounts.
State enforcement collaboration may also be intended to address a commonly cited concern with state level privacy enforcement: that State Attorney Generals offices lack resources to engage in robust investigation into data collection and use practices. Such collaboration could indicate that state enforcement authorities are gearing up to increase their privacy-related enforcement activity in response to a perceived de-prioritization of privacy issues at the federal level, including at the Federal Trade Commission.
Notably, Texas — which has emerged as one of the most active state privacy regulators — is not a Consortium member.
Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on global privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.
Felicity Slater is an Associate at Hintze Law PLLC representing companies on AI, privacy, and cybersecurity issues.
Susan Hintze is Co-Managing Partner at Hintze Law PLLC. Recognized by Chambers, Legal 500, & Best Lawyers, Susan and her firm are leaders in their field. Susan serves on the International Association of Privacy Professionals (IAPP) Board of Directors and is an IAPP Westin Emeritus Fellow. She is also co-chair of the firm’s Regulatory Defense Group.