Key Takeaways:
- The Consortium of Privacy Regulators is unifying state-level enforcement, creating stricter and more consistent expectations for businesses handling personal data. This marks a shift away from fragmented compliance and toward coordinated oversight.
- Identity platforms are under increased scrutiny, especially for how they store data, obtain consent, and justify data collection. Regulators are pushing for transparency, data minimization, and user control.
- Decentralized identity offers a privacy-first model that aligns with emerging enforcement priorities across states. If federal law continues to lag, the Consortium may shape the national standard by default.
The United States is home to some of the world’s most dominant technology companies. Platforms like Facebook, Google, and Amazon collectively process vast amounts of personal data every day. But when it comes to privacy protections, there’s no single standard that applies across the country. Instead, enforcement depends on a growing web of state-level laws.
This fragmented approach has created confusion for consumers, compliance challenges for businesses, and gaps that bad actors can exploit. In response, seven states have launched the Consortium of Privacy Regulators—a new coalition designed to coordinate enforcement efforts, share investigative strategies, and align priorities across state lines.
As data breaches rise and public trust erodes, this alliance marks a shift toward more consistent and collaborative privacy oversight. It may also serve as a blueprint for how the U.S. could eventually approach privacy regulation on a national scale.
What Is the Consortium of Privacy Regulators?
The Consortium of Privacy Regulators is a multi-state partnership of government agencies working together to enforce consumer privacy laws across the United States. It was created to address the absence of a national privacy law, which has forced individual states to develop their own regulations. This patchwork of laws has made compliance more complicated for both consumers and businesses.
When companies operate across multiple states, they often face differing rules depending on where their users live. That inconsistency makes compliance harder and creates gaps that bad actors can exploit. The Consortium aims to fix this by encouraging states to collaborate on investigations, share information, and take coordinated enforcement actions.
The group includes regulators from California, Colorado, Connecticut, New Jersey, Oregon, Indiana, and Delaware, as well as California’s dedicated enforcement agency, the California Privacy Protection Agency (CPPA). All of these states have passed comprehensive consumer privacy laws, although Indiana’s law has not yet gone into effect. By joining forces, these states and agencies are building a more unified approach to privacy enforcement and oversight.
How the Consortium of Privacy Regulators Works and Why It Matters
With the Consortium’s membership and purpose established, its real impact comes into focus in how it operates and what it prioritizes. It gives states a mechanism to coordinate enforcement so that privacy laws are applied more consistently across the country. Here’s how that plays out:
1. States Can Take Action Together
One of the Consortium’s biggest advantages is the ability for states to conduct joint investigations. This is especially important when a company’s actions affect consumers in multiple states. Coordinated investigations help close enforcement gaps and send a stronger message to companies.
For example, in 2025, California’s Privacy Protection Agency took action against Honda and clothing retailer Todd Snyder for breaking state privacy laws. The result was fines and required changes to how they collect and use personal data. While these cases came from California, they set an example that other states in the Consortium can follow.
2. Sharing Tools and Expertise
By working together, states can share both legal and technical resources, allowing them to move faster and pursue more complex investigations. Even before the Consortium formally launched, states coordinated major cases. In 2022, a coalition of 40 attorneys general reached a $392 million settlement with Google over its location tracking practices, demonstrating the power of multi-state action. The Consortium now helps formalize and expand that type of cooperation.
3. Getting on the Same Page About Privacy
The Consortium also helps regulators align on how privacy laws should be interpreted and enforced. This reduces the ability of companies to “privacy shop” for states with weaker rules. Instead, businesses face increasingly consistent expectations regardless of where they operate.
Recent reports from Oregon and guidance from Connecticut show that states are focused on issues like consent, data minimization, and how companies explain their data practices. By coordinating, states can stay ahead of emerging privacy risks and work toward more uniform standards.
4. Protecting People From Real Harm
Beyond legal compliance, the Consortium focuses on how companies’ data practices affect real people. This includes improper data collection, confusing consent flows, or poor protection of sensitive information.
For example, California regulators have issued warnings to companies about using “dark patterns” — manipulative design tactics that trick users into sharing more data than they intend. Regulators are emphasizing that publishing a privacy policy isn’t enough; businesses must give users meaningful control over their personal information.
How State Privacy Enforcement Impacts Identity Platforms and Data Processors
The Consortium’s efforts are already reshaping how companies handle sensitive data. Platforms that manage identity information are seeing the greatest regulatory pressure, especially where high-risk data is involved.
Regulators are focusing on three key areas:
1. Storage and Access Controls
Large, centralized databases that store identity information are becoming high-risk targets. Not only do they attract cyberattacks, but they also raise red flags for regulators. A 2024 report from the Identity Defined Security Alliance found that 90 percent of organizations experienced at least one identity-related security incident in the past year. When such incidents occur, states now have more tools to launch investigations simultaneously, increasing the potential impact of regulatory action.
2. Consent and Transparency
Regulators are also examining how companies request and manage user consent. Consent must now be clearly explained, freely given, and tied to specific uses of data. Officials in New York and other states have warned that practices such as bundled permissions or default opt-ins may not meet legal standards.
For identity platforms, this means more attention is being paid to how users are informed about data collection—particularly in contexts like facial recognition or document verification. Regulators are looking closely at whether users understand what information is being collected, why it is needed, how long it is kept, and whether it is shared with third parties.
This focus reflects a broader shift in response to long-standing concerns about how Big Tech platforms have shaped user consent practices—an issue we explore further in our article on the privacy problems with large technology companies.
3. Data Minimization
Another growing focus is data minimization. Regulators expect companies to collect only the information necessary for a specific purpose and avoid holding on to it longer than needed. The California Privacy Protection Agency, for instance, has noted that over-collection—even during user rights requests—can violate the state’s privacy law.
Identity platforms that gather broad sets of personal data are more likely to draw attention if their practices appear excessive or unclear. Regulators are watching not just what data is collected, but whether the company can justify its use.
What Businesses Should Do Now to Prepare for Multi-State Privacy Enforcement
With enforcement becoming more aligned across states, businesses must take a broader view of compliance. That means preparing for shared standards, stronger expectations, and more accountability.
Here are key steps companies can take to prepare:
1. Review Privacy Practices in Every State
Do not assume that meeting one state’s requirements is enough. Each state in the Consortium enforces different rules. Colorado, for example, requires formal risk assessments for certain data activities, while Connecticut places strong emphasis on how companies handle user rights requests. A state-by-state privacy review can help identify potential gaps before regulators do.
2. Improve Consent and User Disclosure
Clear and honest consent processes are becoming essential. Regulators are paying attention not just to whether consent is collected, but how it is presented. States have taken action against companies that used default opt-ins, buried terms in long policies, or failed to explain what users were agreeing to. Businesses should ensure their consent flows are easy to understand and reflect real user choice. Keeping records of when and how consent was given is also important for accountability.
3. Rethink Data Collection Practices
Companies that collect more personal data than necessary are now more likely to face regulatory questions. Sensitive information—such as identity documents, biometrics, and other verification data—carries higher risk and requires stronger justification. Minimizing what is collected and limiting how long it is stored can reduce both legal exposure and operational risk.
4. Track Legal Developments Across States
Privacy laws are evolving quickly. A business may be fully compliant in one state while falling behind in another. Legal and compliance teams should monitor changes in enforcement priorities, new regulations, and guidance from regulators in all states where the company operates. As the Consortium grows, this tracking will become more important for identifying emerging risks.
5. Make Privacy Part of the Design Process
Privacy should not be added as an afterthought. Companies should build it into the design of their products and services. This includes collecting only the data that is needed, using privacy-protective defaults, and giving users real control over how their information is used. Designing with privacy in mind helps reduce regulatory risk and builds long-term trust.
Why Decentralized Identity Aligns with the Consortium’s Privacy Goals
One approach that directly supports the Consortium’s privacy priorities is decentralized identity. These systems are built around individual control, minimal data collection, and clear consent—values now reflected in regulatory expectations.
Decentralized identity offers several advantages:
- No Central Database Means Less Risk: Rather than storing all personal data in one place, decentralized identity keeps information on the user’s device or distributes it in secure, limited-use fragments. This structure reduces the risk of a single breach exposing large amounts of data. It also lowers the chances of regulatory scrutiny tied to maintaining centralized identity repositories.
- Share Only What’s Needed: With selective disclosure, users can prove specific facts—such as their age or residency—without providing full identification documents. This approach aligns with data minimization and purpose-based sharing requirements now being enforced in states like California and Connecticut.
- Privacy By Design: Decentralized identity systems are built to prioritize user control and transparency. These are the same values reflected in recent regulatory guidance. Agencies in California and Connecticut have called on businesses to collect only what is necessary and to design systems that respect user rights from the start.
- Fewer Compliance Burdens: When companies avoid collecting or retaining unnecessary data, they reduce their exposure to enforcement risk. A system that does not hold sensitive personal information in the first place does not need to meet the same level of regulatory justification across jurisdictions. It avoids the risk by minimizing what is gathered and stored from the beginning.
Could the Consortium Lead to a Federal Privacy Standard?
The Consortium’s expanding role raises a key question: can this model of coordinated state enforcement serve as the foundation for a national privacy framework? Federal lawmakers have debated comprehensive privacy legislation for years, but progress has been slow. In the absence of federal action, state regulators have stepped in to fill the gap. The Consortium is not only enforcing existing laws—it is also demonstrating what a more unified approach to privacy regulation could look like nationwide.
By coordinating investigations and aligning enforcement priorities, participating states are showing that consistent oversight is possible without congressional intervention. This approach helps close regulatory gaps and creates a more predictable environment for both consumers and businesses.
Still, the lack of a federal standard poses significant challenges. Companies must navigate a growing patchwork of state laws, increasing both operational complexity and compliance costs. It also places the United States at a disadvantage internationally. For example, the European Union expects strong and consistent protections under arrangements like the EU-United States Data Privacy Framework.
If Congress continues to delay, the Consortium’s influence is likely to grow. But without federal legislation, businesses will continue to face a fragmented and uncertain regulatory landscape.
Conclusion
The future of privacy in the U.S. may not wait for a national law. The Consortium of Privacy Regulators is already building a more coordinated and serious approach to enforcement. For businesses, that means the rules are shifting. Tools like decentralized identity, strong consent flows, and limited data collection are no longer just ideal—they’re becoming closely aligned with what regulators expect. The gap between privacy guidance and enforcement is closing. Now is the time to prepare.
Identity.com
Identity.com helps many businesses by providing their customers with a hassle-free identity verification process through our products. Our organization envisions a user-centric internet where individuals maintain control over their data. This commitment drives Identity.com to actively contribute to this future through innovative identity management systems and protocols.
As members of the World Wide Web Consortium (W3C), we uphold the standards for the World Wide Web and work towards a more secure and user-friendly online experience. Identity.com is an open-source ecosystem providing access to on-chain and secure identity verification. Our solutions improve the user experience and reduce onboarding friction through reusable and interoperable Gateway Passes. Please get in touch for more information about how we can help you with identity verification and general KYC processes using decentralized solutions.