State Privacy Enforcers Discuss Collaboration and Enforcement Priorities: Key Takeaways From IAPP Global Summit 2026

At the 2026 IAPP Global Summit in Washington, D.C., a panel titled “State Collaboration on Privacy” brought together state privacy enforcers to discuss how they are working together and what businesses should expect. 

The panelists were:

• John Eakins, Deputy Attorney General, Delaware Department of Justice
• Michele Lucan, Deputy Associate Attorney General, Connecticut Attorney General’s Office
• Michael Macko, Deputy Director of Enforcement, California Privacy Protection Agency (CalPrivacy)
• Stacey Schesser, Supervising Deputy Attorney General, California Department of Justice
• Jennifer Van Dame, Assistant Section Chief for the Data Privacy and Identity Theft Unit, Indiana Attorney General’s Office

A central theme of the discussion was the 2025 launch of the Consortium of Privacy Regulators, a multistate, bipartisan group formed to pool investigative efforts and share information and expertise across state lines. Below, we summarize key takeaways:

• Enforcement infrastructure is growing. The panelists described that they have been expanding their teams and technical capacity to enforce their respective privacy laws. Several panelists noted that their offices have added lawyers, technologists, and investigators in recent years, with more growth expected in the future. Connecticut, for example, has added legal investigators and contracted with privacy and cybersecurity consultants to support enforcement efforts; California’s AG office has hired an AI policy technologist; and Indiana has focused on recruiting lawyers with technology backgrounds. Macko characterized the trend as an “army amassing troops” across states. Panelists also emphasized that collaboration helps fill gaps; states that lack in-house technologists, for instance, can draw on technical expertise from other states.
• Current priorities center on opt-out rights, sensitive data, and transparency. The panelists identified several areas of active enforcement focus. Opt-out rights, particularly the right to opt out of the sale or sharing of personal data, remain a top priority for California enforcers, who highlighted their Global Privacy Control (GPC) compliance sweep and subsequent outreach to businesses. Schesser emphasized that when a consumer is known to a business, the business must honor that consumer’s opt-out preferences across its entire ecosystem, not just on a single device. Schesser emphasized this point by noting that the California Consumer Privacy Act (CCPA) is a “consumer” privacy act, not a “device” privacy act. Sensitive data is another key area, with panelists flagging active work involving health data (including non-HIPAA regulated health data), geolocation data, genetic data, and children’s data. Van Dame signaled that health data enforcement will remain a priority. On transparency, Connecticut noted that a deficient privacy notice is often a red flag for deeper compliance issues. Lucan pointed to Connecticut’s published enforcement reports as a resource, noting that they are designed to provide transparency into the office’s priorities and active areas of focus. Eakins noted that Delaware’s enforcement has similarly moved beyond reviewing notices to examining how companies are handling data in practice, including whether executives and boards of directors are actively overseeing privacy programs.
• Forthcoming priorities. Looking ahead, panelists identified several newer areas of enforcement attention. AI is a growing priority. Connecticut has sent inquiry letters to AI developers regarding chatbot-related practices, and California’s attorney general recently took the unusual step of publicly announcing an investigation into xAI’s Grok chatbot over the alleged generation of nonconsensual sexual images of women and children. Addictive design features are also on the radar. Schesser indicated that California’s AG office may soon begin a rulemaking on age assurance and parental consent under the Protecting Our Kids from Social Media Addiction Act and noted that lessons from the rulemaking process could be shared with Connecticut, which is pursuing similar legislation. The California’s AG office has launched an investigative sweep into so-called “surveillance pricing,” examining whether businesses in the retail, grocery, and hotel sectors are using consumer data in ways consumers would not reasonably expect to set prices. Connecticut flagged recently enacted amendments to the Connecticut Data Privacy Act (CTDPA) that will impose new disclosure requirements on companies collecting, selling, or disclosing data for use in large language models, as well as new requirements around inferences and changes to applicability thresholds for sensitive data. Indiana flagged pending litigation against adult websites, including the use of VPNs to circumvent geographic restrictions, signaling that states may challenge technical workarounds to privacy obligations. Regarding financial penalties, Macko signaled that CalPrivacy intends to pursue larger, more proportionate fines, noting that penalties should not simply be seen as a “cost of doing business.”
• Inquiry letters and monitoring of enforcement actions. Multiple panelists noted that their offices routinely send inquiry letters to businesses as a first step. The panelists stressed that not every letter leads to a formal investigation, but a company’s response can determine whether an inquiry escalates. Vague or evasive answers were described as red flags. Similarly, panelists cautioned that submitting required documentation, such as a data protection impact assessment, with a date that postdates the inquiry letter can signal that the documentation was not completed as required under the relevant law. Panelists encouraged businesses to engage constructively with enforcement inquiries, to be forthcoming with facts, and to proactively self-report and remediate issues where possible. They also noted that many investigations never become public, which can benefit cooperating businesses. Panelists also indicated that they expect companies to learn from published enforcement actions and engaging in conduct that mirrors a previously challenged practice is likely to result in harsher penalties.
• Implications of maturing state privacy enforcement. The panel’s overall message was clear: State privacy enforcement is maturing, and businesses should act accordingly. Panelists encouraged companies to test their own opt-out mechanisms and data subject rights flows with the same rigor they apply to product and checkout experiences, cautioning against the use of dark patterns and emphasizing that intent is not required—the focus is on the effect on consumers. More broadly, panelists stressed that enforcers are increasingly looking beyond what a privacy policy says to its practices. Schesser described this as a shift from “facial compliance” to understanding how everyday consumers are affected by data practices, and companies should be prepared to walk regulators through their technical data handling. Schesser pointed to the California AG’s Healthline enforcement action as an example where regulators discovered opt-out mechanisms were not functioning through external testing. 

For more information on the conference, including several noteworthy panels, please see the following companion blog posts:

Where Privacy Is Headed Next: Key Takeaways From the 2026 IAPP Global Privacy Summit | Perkins Coie