Companies should be mindful of state attorneys general expanding their role as aggressive regulators in the consumer protection space, Alexander Southwell and Zenab Irfan of McDermott Will & Emery write.
The second Trump administration’s embrace of reduced federal enforcement in a variety of areas has led to state attorneys general stepping up to fill the enforcement void.
From the effective shuttering of the Consumer Financial Protection Bureau to the Federal Trade Commission Chair’s commitment to “stay in our lane,” enforcement priorities have dramatically shifted across all federal regulators. The Department of Justice has started disbanding its Consumer Protection Branch, and staff reductions, leadership turnover, and firings have hit many of the traditional federal enforcement agencies.
In turn, state AGs are pursuing more novel theories and aggressive investigations as federal enforcement wanes, particularly in the consumer protection area. Companies should remain vigilant about this trend—and avoid being lulled into compliance complacency—so they are best positioned to meet the efforts of state AGs to fill the enforcement gaps.
State AGs have broad and flexible legal authority under their unfair and deceptive practices statutes, as well as state data privacy, securities, antitrust, and usury laws. In the face of a federal pause on Foreign Corrupt Practices Act enforcement, California Attorney General Rob Bonta warned businesses that they still could be charged with bribery under California’s Unfair Competition Law.
Additionally, state AGs have authority to enforce federal consumer protection laws, such as the Consumer Financial Protection Act and the Children’s Online Privacy Protection Act, or COPPA.
In the absence of a comprehensive federal privacy law, states have passed many laws about data security and privacy, including ones focused on children’s privacy. Those actions, including suits focused on the effect of social media on children and alleged tracking and misuse of user data, have resulted in some successes, encouraging more state enforcement activity.
Notably, Texas Attorney General Ken Paxton recently obtained a $1.75 billion settlement with Google LLC, resolving an enforcement action that alleged unlawful tracking and collecting of users’ private data regarding geolocation, incognito searches, and biometric data. Michigan Attorney General Dana Nessel recently sued the streaming platform Roku Inc., alleging collection of personal information about children without the required notice or parental consent, in violation of COPPA.
Cybersecurity is a related enforcement focus for state AGs. New York Attorney General Letitia James settled an action against a movie theater operator, National Amusements Inc., for alleged failure to implement strong data security and protect employees’ and contractors’ personal data, and for improperly delaying informing affected employees of the data breach for more than a year.
Bonta, the California AG, settled an action against software company Blackbaud Inc. last year for alleged failure to provide timely and accurate information about a data breach, and for its lack of security controls. Expect more actions along these lines as state AGs fill the enforcement gap.
State enforcement in the privacy and cybersecurity space also will be more active due to the existence of agencies beyond the state AGs, such as the California Privacy Protection Agency and New York Department of Financial Services.
The California Privacy Protection Agency has continued to bulk up staffing and stake out its role in data privacy regulatory enforcement, including by entering into cross-border cooperation agreements with foreign data and consumer protection agencies and establishing a consortium of state regulators to collaborate on privacy issues, including the AGs of seven states.
The superintendent of the New York Department of Financial Services said in April that the department “doesn’t intend to let up on cryptocurrency enforcement, even in the face of pullback from the federal government” and will continue to “remain at the forefront of regulating AI, cryptocurrency, and cybersecurity.”
As with data privacy laws, state laws on artificial intelligence have proliferated—with a possibility federal law will preempt them—and state AGs have issued legal advisories about how existing state laws regulate companies’ use of AI, including in California, Massachusetts, and Oregon.
Paxton, the Texas AG, announced an investigation into the prominent Chinese AI company DeepSeek in February, including a notification that its platform violates the Texas Data Privacy and Security Act, and settled a consumer protection case with a health-care technology company last year over its alleged false statements concerning its AI product’s accuracy.
State AGs have been particularly active in consumer financial services protection, in response to the decline in federal enforcement attention. New York AG James brought a lawsuit against top consumer bank Capital One Financial Corp. for allegedly using bait-and-switch tactics and cheating its customers out of millions in interest payments.
The CFPB brought a similar case in January but dropped the lawsuit after leadership changed post-inauguration. Massachusetts Attorney General Andrea Joy Campbell obtained a court order for three UnitedHealth Group insurance companies to pay more than $50 million in restitution and more than $115 million in civil penalties for an alleged deceptive sales scheme that misled consumers into buying unnecessary health insurance products.
State AGs also have challenged novel consumer products and services through existing consumer protection laws. Products that provide access to earned wages are being scrutinized as potential loans, and there is increased attention on “buy now, pay later” products after the CFPB withdrew an interpretive rule on such products last month.
District of Columbia Attorney General Brian Schwalb recently filed suit against a fintech provider offering “earned wage advance” services under D.C.’s usury laws, alleging that the service was a “loan” despite the service’s structure. Campbell, the Massachusetts AG, brought an action related to home equity investment products, similarly alleging they should be treated as mortgage loans. And James, the New York AG, is suing a “rent-to-own” company, alleging its lease agreements are loans that violate the state’s usury laws.
Recent retractions in federal enforcement efforts and priorities under the Trump administration, particularly in the consumer protection space, have largely ceded the area to state AGs to expand their role as aggressive, primary regulators. This trend, and the nuance it raises in how to effectively engage with regulators, is important for companies to keep in mind as they consider business expansions and risk mitigation.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.
Author Information
Alexander H. Southwell is a partner at McDermott Will & Emery, handling white-collar, securities, and consumer protection enforcement defense matters and complex, high-profile internal investigations; he is a former federal prosecutor.
Zenab Irfan is a law clerk at McDermott Will & Emery.