Two more states join Consortium of Privacy Regulators
By on Posted in Cybersecurity, Data Privacy

The Consortium of state privacy regulators just got stronger.

On October 8, the California Privacy Protection Agency announced that Minnesota and New Hampshire have officially joined the Consortium of Privacy Regulators, raising the Consortium’s membership to ten agencies across nine states.

The expansion highlights a growing movement at the state level of coordinated privacy regulation and enforcement. CPPA’s head of enforcement, Michael Macko, said the California agency looks “forward to collaborating with Minnesota, New Hampshire, and states nationwide as we continue growing our collective privacy enforcement apparatus.”

At this point, 10 of the 19 U.S. states with comprehensive data privacy laws are now part of the Consortium. With the two newest members joining after Minnesota’s Consumer Data Privacy Act and New Hampshire’s Data Privacy Act became effective this year, it is likely that other states will join as their laws come into effect in 2026.

For companies managing privacy obligations across multiple states, the message is clear: increased regulatory coordination nationwide is the new norm.

The Consortium explained

The Consortium of Privacy Regulators was formed in April 2025 by the CPPA and several state attorneys general. According to the CPPA’s announcement, the mission of the Consortium is “to share expertise and resources, as well as coordinate efforts to investigate potential violations of applicable laws.” Through information sharing, joint training, and coordinated investigations, member states aim to reduce enforcement gaps and streamline interpretation of overlapping legal obligations.

Even though each state’s privacy statute has unique features, they share many core elements such as rights of access, deletion, and opt-out, which enables meaningful collaboration across jurisdictions. By bringing in more states like Minnesota and New Hampshire, the Consortium strengthens both its geographic and regulatory reach.

What will happen next

Organizations should expect to see more cooperation and joint investigations from the Consortium. Most recently, on September 9, the CPPA, along with the attorneys general of California, Colorado, and Connecticut, launched a joint investigative sweep targeting companies that may not properly honor Global Privacy Control signals. The sweep sent letters to businesses suspected of ignoring opt-out requests submitted via GPC, asking them to come into compliance.

GPC is a browser or extension-based signal that allows consumers to automatically opt out of having their personal information sold or shared with third parties, without having to manually click through a website’s mechanism. In states like California, Colorado, and Connecticut, failure to honor GPC signals can violate statutory opt-out requirements.

This joint enforcement action is representative of how the Consortium might function moving forward:

  • More multistate sweeps targeting common compliance weak spots, such as consent management, data minimization, and transparency of privacy disclosures.
  • Shared interpretive standards for how consumer rights should function across varying state laws.
  • A shift toward faster, more coordinated investigations, potentially increasing the pressure on organizations with operations in multiple states.

However, this action is also representative of how the Consortium is still in the early stages of its development. Although the Consortium is intended to represent common interests and priorities across all the states, not all states may be involved in every sweep or investigation. Although organizations may use the Consortium as a starting point for general compliance, their compliance programs will still need to consider and respond to individual state requirements.

Moves to make now

For organizations subject to state privacy laws, now is the time to act. A crucial starting point is mapping applicability and determining which state laws apply to your operations. Organizations should prioritize analysis of the eight state laws that became effective in 2025 (in addition to the laws in Minnesota and New Hampshire, these include Delaware, Iowa, Maryland, Nebraska, New Jersey, and Tennessee) as well as three additional states whose laws will become effective in 2026 (Indiana, Kentucky, and Rhode Island).

Next, ensure that your privacy notices and internal processes meet the privacy requirements among all the states where your company does business or collects data. Many organizations choose to adopt the strictest standard for consistency across the enterprise, but that approach may not be suited for all organizations. At minimum, policies should be reviewed annually, which can be accomplished using a risk-based approach for efficiency that prioritizes, among other things, the Consortium’s areas of focus such as data subject rights—like access, deletion, and opt-out—and honoring universal signals like GPC.

Do not neglect to document your efforts. Even when not required by law, investing in maintaining detailed records of privacy assessments, testing, audits, and consumer request logs can pay tremendous dividends. Especially, in enforcement settings, documentation can be a critical defense: many of the Consortium’s regulators are on record as stating how much consideration and value they attribute to demonstrations of good faith.

Stay abreast of regulatory announcements and emerging enforcement trends. The CPPA and its partner attorneys general publish statements and “sweep alerts” that can give early warning of agency priorities.

Finally, engage legal counsel to assist in interpreting overlapping obligations, building a unified compliance framework, and responding to regulatory notices. A preventive posture is far less costly than reactive remediation.

The bottom line

The expansion of the Consortium of Privacy Regulators is a turning point in U.S. data privacy enforcement. By aligning policy objectives and pooling investigative resources, organizations must now contend with states’ regulatory requirements both individually and collectively. Moreover, the Consortium has made it clear that a passive approach to compliance will not be tolerated, and is already expecting organizations to proactively understand and comply with their legal obligations.

Businesses must take a two-pronged approach to compliance. The first prong involves adapting the organization’s compliance posture as the regulatory environment becomes more complex – for example, as data privacy increasingly involves cybersecurity and artificial intelligence issues as well. The second prong involves consistently striving to minimize the likelihood and impact of noncompliance, using risk-based strategies in an effort to avoid enforcement action or litigation regarding data privacy or security.

To meet heightened standards from both regulatory and enforcement perspectives, organizations should be continuously evaluating their compliance and governance programs to ensure that they are sufficiently comprehensive and adapting to newer developments. With more states likely to join the Consortium, organizations must ensure that their approach to compliance includes consistent, defensible policies and practices that can withstand scrutiny across multiple jurisdictions.

The Constangy Cyber Team assists businesses of all sizes and industries with compliance needs. If you would like additional information about state or federal data privacy laws, please contact us at cyber@constangy.com.

TAGS: California Privacy Protection, Cyber Team, CyberMonday, Cybersecurity, Data Privacy, Minnesota, New Hampshire
Facebook Twitter/X Linkedin Email

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 

Search

Get Updates By Email

Subscribe

Archives

Jump to Page

Constangy, Brooks, Smith & Prophete, LLP Cookie Preference Center

Your Privacy

When using this website, Constangy and certain third parties may collect and use cookies or similar technologies to enhance your experience. These technologies may collect information about your device, activity on our website, and preferences. Some cookies are essential to site functionality, while others help us analyze performance and usage trends to improve our content and features.

Please note that if you return to this website from a different browser or device, you may need to reselect your cookie preferences.

For more information about our privacy practices, including your rights and choices, please see our Privacy Policy. 

Strictly Necessary Cookies

Always Active

Strictly Necessary Cookies are essential for the website to function, and cannot be turned off. We use this type of cookie for purposes such as security, network management, and accessibility. You can set your browser to block or alert you about these cookies, but if you do so, some parts of the site will not work. 

Functionality Cookies

Always Active

Functionality Cookies are used to enhance the functionality and personalization of this website. These cookies support features like embedded content (such as video or audio), keyword search highlighting, and remembering your preferences across pages—for example, your cookie choices or form inputs during submission.

Some of these cookies are managed by third-party service providers whose features are embedded on our site. These cookies do not store personal information and are necessary for certain site features to work properly.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek