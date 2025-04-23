The concept of the "supergroup" may have originated with rock and roll, but on April 16, 2025, privacy practitioners in the United States learned that a whole new type of supergroup has been formed. Far from being a reboot of Cream or the Traveling Wilburys, however, this latest supergroup is comprised of eight state privacy regulators from seven states (each of which has enacted a comprehensive state privacy law), who announced they have formed a bipartisan coalition to "safeguard the privacy rights of consumers" by coordinating their enforcement efforts relating to state consumer privacy laws.

Quick Hits

State attorneys general from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon, as well as the California Privacy Protection Agency, announced the formation of the "Consortium of Privacy Regulators."

While the creation of the Consortium does not reflect a closer alignment in the contents of the actual consumer privacy laws themselves, it will likely heighten regulators' abilities to enforce those elements of consumer privacy law that are common across states.

Businesses may wish to take this announcement as a sign to revisit their consumer privacy policies and practices, lest they find themselves subject to additional scrutiny by this new regulatory "supergroup."

The Consortium of Privacy Regulators, comprised of state attorneys general from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon, as well as the California Privacy Protection Agency, seeks to facilitate discussions of privacy law developments and shared regulatory priorities, and to share expertise and resources to focus on multijurisdictional consumer protection issues. The constituent attorneys general come from states that have been particularly active in the privacy regulation space, and this coalition will ostensibly allow them to pursue more coordinated, large-scale efforts to investigate and hold companies accountable for noncompliance with common legal requirements applicable to personal information. Of particular importance to this new regulatory body is the facilitation of consumer privacy rights, such as the "rights to access, delete, and stop the sale of personal information, and similar obligations on businesses."

While this announcement is certainly big news, it is not entirely surprising. Over the course of the past several years, there has been an apparent uptick in coordinated regulation in other areas of data privacy law, especially with respect to data breach investigation and enforcement at the state regulatory level. Just as state attorneys general have been following up with companies that have reported data breaches with an increased diligence and depth (and, in some cases, imposing more substantial civil penalties and seeking to enter into consent orders with these companies), companies can likely expect similarly heightened scrutiny with respect to their consumer privacy practices. And, given the Consortium's announced intent to hold regular meetings and coordinate enforcement based on members' common interests, businesses can likely expect that this additional scrutiny will begin very quickly.

Next Steps

Given this increased focus on regulatory enforcement, companies that have not already done so may wish to prioritize taking steps to shore up their personal information handling practices. Businesses that collect personal information might consider revisiting their privacy policies to ensure they accurately reflect their personal information collection, disclosure, and other handling practices. They may also want to review their procedures for handling highly visible elements of consumer privacy law, including their processes for responding to data subject rights requests. And, of course, businesses might give some thought to whether this announcement is a timely reminder to refresh their employees' training with respect to consumer personal information. Finally, given the requirements in many of the constituent states' privacy laws that consumer personal information be appropriately protected, businesses might consider revisiting their cybersecurity measures, including by updating (or even implementing for the first time) incident response plans and performing tabletop exercises to identify potential gaps and opportunities for increased alignment with applicable legal requirements before the Consortium comes knocking.

