Eight-State Consortium of Privacy Regulators Marks Shift Toward Coordinated Enforcement

Skadden Publication / Cybersecurity and Data Privacy Update

William E. Ridgway Meredith C. Slawe Lisa V. Zivkovic

In a major development for businesses subject to state data privacy laws, eight state privacy regulators have joined forces to form the “Consortium of Privacy Regulators,” a bipartisan coalition aimed at coordinating enforcement and protecting consumer privacy through collaboration. The announcement, made by the California Privacy Protection Agency (CPPA) on April 16, 2025, represents a new era of multistate cooperation in the enforcement of comprehensive consumer privacy laws.

Regulators at the International Association of Privacy Professionals Global Privacy Summit April 22-25, 2025 stressed that the consortium formalizes existing collaboration among the agencies.

A Unified Front for Privacy Enforcement

The Consortium of Privacy Regulators includes the CPPA and the attorneys general of California, Colorado, Connecticut, Delaware, Indiana, New Jersey and Oregon. These regulators signed a memorandum of understanding (MOU) outlining shared goals to:

  • Hold regular meetings and facilitate discussions on privacy law developments.
  • Share enforcement priorities and coordinate investigations.
  • Leverage technical and legal expertise across jurisdictions.
  • Align enforcement around common statutory rights, such as access, deletion and opt-outs from the sale of personal information.

Although the member states’ privacy laws differ in scope and terminology, the MOU emphasizes their “fundamental similarities” and underscores that these shared provisions enable effective, cross-jurisdictional enforcement.

What This Means for Businesses

With this new consortium infrastructure, companies can expect:

  • Greater multistate coordination in investigations and enforcement actions.
  • More unified interpretations of overlapping privacy rights, such as access, deletion and opt-out.
  • A higher premium on early, open engagement with regulators.
  • Increased resource-sharing among states, including technical experts and legal personnel.

Companies operating in or collecting data from multiple states must ensure their compliance programs are calibrated not just for individual laws but for areas of convergence. Regulators now have a formal mechanism to compare notes, escalate issues and act together — making “check-the-box” compliance strategies riskier than ever.

For more information or to discuss how we can tailor our support to your business, please contact Skadden’s Cybersecurity & Data Privacy Team.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.

BACK TO TOP