California, Texas Are Leading 2026 Privacy Enforcement Efforts

The Bottom Line

• Legislative activity is shifting from general privacy laws to issue-based consumer concerns, such as children’s online privacy, biometric usage, and location data.
• California, Texas, and Virginia present clear direction on where state enforcement priorities are heading.
• Companies should consider engaging in targeted dialogue with enforcement officers to ensure compliance.

Compliance strategy often centers on a representative state privacy act or industry-specific requirements. But generalized compliance creates growing vulnerabilities, given the breadth and detail of new consumer-related privacy laws, about 100 of which were enacted in 2025.

California, Texas, and Virginia are leading the way, representing areas of concern throughout state legislatures and enforcement agencies. Regulators from these three states spoke during various meetings in 2025 about privacy enforcement priorities for the coming year. Companies can refine how they triage for this growing web of requirements by taking direction from these states.

California

California, the bellwether in US state privacy law for decades, has two enforcement agencies policing privacy practices.

The California Department of Justice’s privacy unit is a lean group of about seven attorneys. While the unit appears small, the new concentration of consumer-based privacy laws allow the unit to collaborate with other parts of the state attorney general’s consumer protection section. The expanded resources enable bigger investigations and a wider variety of charges, including:

Location data. California is requesting detailed information on location data collection practices. This makes it likely that a complaint will be filed against at least a few of the organizations receiving letters.

Right to opt out. Companies must have functional systems allowing consumers to opt out of data sharing. You can test this by going on clients’ websites and trying to opt out to ensure there are no technical errors; log your tests for future defense. The California Opt Me Out Act, signed in October, will increase regulator focus on opt-out systems and set a standard for how the ideal system should work.

Health Insurance Portability and Accountability Act. The Health Information Technology for Economic and Clinical Health Act allows state enforcers to mitigate HIPAA violations of California residents. This will be an important avenue for California enforcers to maximize the potential privacy claims involving health data.

Student data. Through the Student Online Personal Information Protection Act, California can review a variety of apps, websites, and services. This decade-old legislation allows enforcement of recent concerns centered on children’s privacy.

CalPrivacy’s (formerly the California Privacy Protection Agency) Enforcement Division is a rapidly growing office of 12-plus attorneys. While the California AG brings enforcement actions in federal court, CalPrivacy brings actions in administrative proceedings and helps strengthen California’s enforcement efforts, including in the following:

Dark patterns and deceptive design. Enforcers are testing to ensure privacy-related tech—such as opt-out mechanisms and location tracking—works properly. CalPrivacy is carefully reviewing data minimization practices in system design. If a company is collecting more data that it needs for a stated purpose, that can easily be added to (or the focus of) enforcement actions.

Failure to notify job applicants. Tractor Supply Co. landed a $1.35 million fine, CalPrivacy’s largest judgment ever, to address sufficiency of privacy notices, opt-out request opportunity, and data sharing with inadequate privacy agreements. This case sets a strong prototype for enforcers to change a broad set of privacy practices they see as harmful to consumers. The small size and isolated industry of the organization targeted sends a noteworthy message that all, not only big, tech companies must consider enforcement actions

Opt-out request noticing and platform functioning. CalPrivacy still pushes against slightly off-kilter practices such as missing opt-out notifications, requiring too much consumer information to opt out, and opt-out platform functioning. Each of these faults alone may seem minor, but together, they may indicate deceptive practices toward consumers.

Texas

The Texas Attorney General’s Office data privacy team enforces the Texas Responsible Artificial Intelligence Governance Act and the Texas Data Privacy and Security Act, among other new laws. This new team promises to become a hotbed of privacy enforcement, especially in the following areas:

Children’s data and apps. Despite the Texas AG staff’s enthusiasm for making the new App Store Accountability Act the fulcrum of its children’s data protection initiative, a recent preliminary injection strongly implies the entire act may be invalidated as unconstitutional. Likewise, the Securing Children Online Through Parental Empowerment Act is struggling to survive legal challenges .Texas still has legislation to enforce for children’s privacy in HB 1181, regulating children’s exposure to pornography, which has survived litigation intact, and the federal Children’s Online Privacy Protection Act.

Vendor agreements. Texas is reviewing agreements for use cases that imply permission for the vendor to co-opt data for its own purposes. Vendor use cases tend not to have in-depth review because they’re supposed to function as examples of how the agreement will work rather than adding new terms to the agreement. The Texas AG knows vendors take advantage of this lack of attention, making use cases ripe with impermissible expansions of data usage beyond an agreement’s boilerplate terms.

Genetic data. This falls under the Texas Direct-to-Consumer Genetic Testing Act and the Texas Genomic Act of 2025, which became effective Sept. 1. The Genomic Act dictates that individuals can bring a private lawsuit; this is unusual among Texas laws, which often leave court action only to the AG. This additional right of action gives the law potential for broad litigation by plaintiff’s attorneys.

Geolocation data. Texas geolocation requirements go beyond California’s. The TDPSA requires explicit consent for processing location data and is an enforcement priority in Texas. It likely will become a model for states interested in finding new ways to protect location data.

Virginia

The Virginia Attorney General’s Office, which enforces the Virginia Consumer Data Protection Act, will focus heavily on data and social media this year.

Children’s data. The VCDPA amendments strengthening protections to children’ data include a provision prohibiting the processing of children’s geolocation data and a requirement for data protection assessments for online services targeting children. Imminent enforcement that spotlights these requirements may serve as a template to amend other states’ laws now that the US is overall more interested children’s data privacy.

Social media. Another set of amendments to the VCDPA took effect Jan. 1 and requires good-faith age-screening methods, plus limitations on screen time of one hour a day unless a verifiable parent increases the allotment. Courts’ considerations may shift as different age-screening methods develop and become widely available.

Genetic and health data. A bill amending the Virginia Consumer Protection Act to heighten protection of reproductive and sexual health information took effect in April. Genetic and health data protection are a stated continuing priority for the Virginia AG, and how these provisions will mesh with reproductive health access restrictions throughout the country isn’t yet clear.

Who is Targeted

Each AG described the same three methods for finding entities to sue for privacy transgressions.

State consumer complaint databases. All three states’ enforcement agencies use internal consumer complaint databases for direction on which entities to target for enforcement.

Texas has a new consumer complaint database that received 3,000 complaints in less than a year. Would you like to know if your clients are in that database? Call and ask. All three AGs have stated they’d interpret outreach as indicative of good-faith effort.

Media attention. Privacy incidents and practices exposed by the press garner attention from the public—and enforcers.

Personal experience and word of mouth. A surprising amount of attention comes from anecdotal interactions with enforcers in their private lives—and word of mouth in personal networks. For example, an AG attorney’s personal experience led to testing privacy notice tech to explore how well opt-out platforms function.

Reducing Risk

Watch state legislative dockets—enforcement teams are. The California, Texas, and Virginia AG attorneys acknowledged looking to their states’ new legislation for enforcement priorities as a way of deciphering the will of their constituents. This seems particularly salient in states where, like these three, the AG is an elected official.

Keep feelers out for consumer impressions in the media. Privacy incidents that affect many people or involve sensitive data telegraph the need for enforcement.

Enforcers eagerly use litigation cases brought by individuals. Private attorneys run the investigation through court discovery procedures; enforcers can then use material produced in private litigation instead of using state attorneys and their resources to run an investigation from scratch.

This efficiency means companies sued by civil litigation plaintiffs make desirable targets for enforcers. Watch for consumer protection civil case news, and consider what enforcement authorities share as their priorities.

Enforcers are coordinating to focus on a smaller set of priorities across states—and they’re intentionally aligning enforcement priorities to help organizations prioritize which laws to focus on first. For example, CalPrivacy is expanding its Consortium of Privacy Regulators to coordinate enforcement priorities across member states.

Lawyers from the California, Texas, and Virginia AG offices speak monthly among various large groups of state privacy enforcers.

Cooperative enforcement, such as in the combined objection to the 23andMe bankruptcy, will become more common. The small privacy units will be able to share investigatory research on companies that operate across their states.

The joint objections touting increased privacy compliance are a victory across politically differing states and demonstrate bipartisan harmony. Companies also will benefit by having more time to adjust compliance when AGs announce joint or similar priorities before pursuing litigation.

Compliance Deep Dives

Instead of having an impressionistic—and blurry—sense of requirements that are common throughout states, work thoroughly to align with the latest requirements where your client has a heavy risk load. For example, an organization that relies on voluminous vendor agreements should start reviewing use cases to follow the direction Texas has announced.

Prioritizing this review now will create compliance that likely will more than satisfy all other states that follow the Texas vanguard—at the very least, it will create a solid due diligence record. Plus reviewing ahead of the trend will allow for time to get feedback from the AG on borderline interpretations, possibly eliminating the need to present the most conservative path to a company.

Enforcers’ chances of winning—and bringing a greater variety of improvements to business practices—increase with the number of statutes enforced in a single suit. More charges from more laws mean additional chances to make at least some of the charges stick.

If you see overlapping statutes on a single topic coming out of a state legislature, you’ve found an area enforcers are likely to investigate. It’s also an opportunity for small privacy enforcement teams to pull in other lawyers’ resources. That is why the onset of consumer-related privacy laws is a boon to enforcement teams.

Likewise, consumer protection suits that carry a whiff of fraud may present a more alluring target for AGs to add criminal statutes for prosecution. Criminal fraud changes allow for the AG’s criminal attorneys to join the enforcement team, expanding the resources available to the small privacy units.

Fraud charges may be more black and white than privacy laws, which often are interpreted by what is acceptable to consumers at a given moment. For example, it will be a lot of work to hash out what sufficient age-verification methods are; it’s much clearer to apply age-old fraud standards for a win. And winning criminal proceedings tend to generate public interest and approval for AGs.

Talk to Enforcers

Attorneys at all three states’ enforcement offices consider companies that want to engage in dialogue as more likely to be compliant.

If it’s not clear whether your client is doing enough to comply with a given law, consider seeking guidance first from a state that has a right to cure. Both Virginia and Texas are permanent “right to cure” states—meaning if a company has a privacy violation, it can fix it an any time and no charges will be brought (or charges can be dropped). Enforcers in these states may be more open to entities seeking direction on fine points of compliance.

CalPrivacy recommended against having outside counsel respond to requests for information letters, preferring that the company’s in-house counsel respond. The state’s right to cure, however, has shrunken over time.

Timing is another important consideration for reaching out to an AG’s office. If an agency’s internal process for approval to pursue a case has been completed, it may be too late for good-faith efforts to stop the investigation.

Ultimately, every state enforcer offers clues to guide organizations’ compliance efforts. Tune in to guide your privacy review priorities.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.

Author Information

Paula Heckrich serves as lead attorney for crisis context data sharing at the US Department of Homeland Security, Federal Emergency Management Agency. Views expressed do not necessarily represent DHS, FEMA, or the US.

Write for Us: Author Guidelines