Earlier this week, the California Privacy Protection Agency (CPPA) and California Attorney General Rob Bonta announced the formation of a new bipartisan coalition called the Consortium of Privacy Regulators. This consortium brings together eight state regulators, including state attorneys general and the CPPA, with the shared objective of bolstering the implementation and enforcement of their respective state privacy laws.
The founding members of this collaborative body include the CPPA and the attorneys general of California, Colorado, Connecticut, Delaware, Indiana, New Jersey and Oregon. This alliance signifies a formal commitment among these states to cooperate on privacy matters.
It is worth noting that Texas, which has emerged as a particularly active state in privacy enforcement, is not currently a member of the consortium. The reasons for this are not explicitly stated, but businesses operating in Texas should continue to pay close attention to the state’s independent enforcement activities.
Understanding the Consortium’s Goals and Implications
According to the official press releases, the Consortium of Privacy Regulators established a memorandum of understanding that outlines several key objectives. These include facilitating discussions on the evolving landscape of privacy law, identifying shared enforcement priorities and ultimately enhancing consumer protection across participating jurisdictions.
The consortium expects that it will foster collaboration in several areas:
- Sharing Expertise and Resources: The participating regulators aim to enhance their understanding of complex data practices by sharing expertise and resources.
- Coordinating Enforcement Efforts: The consortium will facilitate the coordination of investigations into potential violations of state privacy laws. While each state will continue to enforce its own specific legislation, this collaboration increases the likelihood of multistate investigations and enforcement actions across jurisdictions.
- Promoting Consistent Interpretation: Despite variations in the specifics of each state’s privacy law, the CPPA press release notes that the different laws share fundamental principles related to consumer rights, such as the rights to access, delete and opt out of the sale of personal information, as well as obligations on businesses regarding data handling. The consortium aims to foster a more “consistent, streamlined enforcement” across state lines.
Why This Matters
While multistate attorneys general investigations are not new, the formation of the Consortium of Privacy Regulators carries significant implications for businesses operating within and across these states. Here are some key takeaways:
- Increased Enforcement Risk: The coordinated efforts of multiple state regulators could lead to a heightened risk of enforcement actions. A violation identified in one state could potentially trigger investigations and similar actions in other consortium member states.
- Potential for Larger Settlements: Coordinated enforcement actions by state regulators have historically resulted in substantial settlements. Businesses facing multistate investigations may encounter greater potential financial exposure.
- Focus on Key Areas of Concern: The press release from the CPPA emphasizes the harm caused by the misuse of sensitive personal information, including health data, location information and data concerning children. This suggests that the consortium may prioritize enforcement actions in these areas.
- State-Level Proactivity: While California has been the most active in enforcing its state consumer privacy law, the formation of this consortium could also indicate a growing commitment among state regulators to actively enforce their privacy laws, potentially in response to perceived shifts in federal privacy priorities.
Moving Forward
The establishment of the Consortium of Privacy Regulators marks a significant step toward greater coordination and potentially more robust enforcement of state privacy laws in the United States. Your organization should be aware of this development and its potential impact on your data handling practices.
We recommend that you:
- Review and update your privacy policies and procedures to ensure compliance with the laws of all states in which you operate, particularly those within the consortium.
- Pay close attention to enforcement trends and announcements from the participating state regulators.
- Ensure your data security practices are robust to minimize the risk of data breaches that could trigger enforcement actions.
- Seek legal counsel to understand how these developments may specifically affect your business and to ensure ongoing compliance with evolving privacy regulations.