The Consortium consists of the Attorneys General from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon, as well as the California Privacy Protection Agency. This type of joint effort is not new for the CPPA. The Agency has previously entered into cooperation agreements with other privacy regulation agencies in countries with some of the most extensive privacy laws, including France in 2024 and South Korea in January 2025.

(The French agency is the Commission Nationale Informatique & Libertés, and the South Korean agency is the Personal Information Protection Commission.)

The stated purpose of the Consortium, per the CPPA’s press release, is

to share expertise and resources, as well as coordinate efforts to investigate potential violations of applicable laws. Although each state has its own law, they all share certain fundamental features to protect privacy with rights to access, delete, and stop the sale of personal information, and similar obligations on businesses. These similarities pave the way for like-minded applications across jurisdictions and give the Consortium the ability to work together on a common goal of promoting the privacy rights of consumers. Commonalities in the laws make this collaboration possible.

However, in addition to these stated objectives, it is also likely that the Consortium was formed in response to Trump Administration initiatives, which include decreases in resources and overall enforcement of privacy matters by the federal government. It is likely that the regulators from these Consortium states intend to “fill the void” by stepping up the volume of enforcement and also the scope of enforcement via coordination. For example, in March, Rob Bonta, Attorney General for California, announced an investigative sweep into the location data industry, sending letters to advertising networks, mobile app providers, and data brokers. Other states may launch similar sweeps or use the information from these sweeps to conduct their own separate-yet-related probes.

Overall, the participating states have some of the nation’s more stringent privacy laws, so it’s not surprising that they would put greater effort into enforcement. Delaware and New Jersey, in particular, have comprehensive privacy laws that took effect at the start of this year, and may be looking to hit the ground running with enforcement actions.

As businesses keep an eye on the Consortium, it may be helpful to look at previous enforcement actions in order to determine compliance priorities. Targets for enforcement include

• Sharing consumer data with ad tech companies that fell into data broker and data sale territory.
• Failure to have certain consent preferences enabled or to honor opt-outs.
• “Dark pattern” practices that unfairly bias or influence users to act one way or select a particular option over another.
• Inadequate measures to protect the privacy of children’s information.
• Failure to register and pay fees as data brokers. Data brokers in particular have been a high priority for California recently, and other states have signaled that excessive data sharing is a priority as well.

Businesses covered by privacy laws from states that have joined the Consortium would do well to review their operations to make sure that all aspects of their business are in compliance, including with any relevant updates or amendments. This could include the following:

• Evaluate external-facing parts of the business that would be easily noticed in an investigative sweep, such as website privacy policies and consent banners.
• Understand data sharing practices, and ensure robust contractual provisions are in place with third parties and service providers
• Evaluate technical safeguards on consumer data, particularly that involving children, health, or financial data.
• Verify status as a data broker, especially because regulators are taking a strict approach toward any organization that fails to register or pay fees on time.

Companies should monitor the Consortium’s activities and anticipate an uptick in state enforcement actions. In the meantime, businesses will want to ensure that they are in full compliance with all applicable privacy laws. Defending against these actions can be time-consuming and costly, resulting in high fines and stringent remediation actions.