State Attorneys General May Fill Enforcement Void Left by Shift in Federal Priorities

Skadden Publication / Executive Briefing: Latest Updates on the Trump Administration

Andrea Griswold, Michael W. McTigue Jr., Anand S. Raman, Noelle M. Reed, William E. Ridgway, Meredith C. Slawe, Darren M. Welch, Allison Jenkins

Key Points

  • State AGs nationwide are focusing on initiatives in data privacy, cybersecurity, consumer protection and securities fraud.
  • Special areas of concern also include AI and online privacy and protections for youth.
  • Companies should be prepared for continued enforcement by state AGs and state agencies.

State attorneys general (AGs) have increasingly adopted a more aggressive role in regulatory enforcement across various industries, particularly as federal priorities have shifted.

Looking ahead, anticipated areas of focus include consumer protection and youth health, data privacy and cybersecurity, consumer financial services, artificial intelligence (AI) and securities fraud. Policy statements from the National Association of Attorneys General have underscored these enforcement priorities. These include:

Consumer Protection/Youth Health

In recent years, state AGs have wielded consumer protection laws to tackle emerging issues, like the effect of social media on children. Results so far suggest that these lawsuits have gotten some traction. For example, a recent motion to dismiss by Meta was generally denied in a suit led by a coalition of state AGs focused on potential harm to youth, relying on various consumer protection, data privacy and unfair competition laws.

Traditional consumer protection enforcement remains robust as well. The Massachusetts AG recently secured a court order for three insurance companies to pay over $50 million in restitution and over $115 million in civil penalties for a deceptive sales scheme that allegedly misled consumers into buying unnecessary health insurance products. It was the largest order of civil penalties in an action brought under the Massachusetts Consumer Protection Act.

Data Privacy and Cybersecurity

As consumer privacy has become a crucial element of modern life, and with the continued lack of a federal omnibus privacy law in the U.S., states continue to enact and expand comprehensive consumer privacy laws, most of which empower state AGs with enforcement authority. California has even established a dedicated agency, the California Privacy Protection Agency, to enforce its data privacy regulations. The agency has stepped up its enforcement activities, including entering into cross-border cooperation agreements with data privacy and consumer protection agencies abroad.

Another related area of focus for state AGs has been cybersecurity and how companies have responded to consumer data breaches. In June 2024, the California AG settled with software company Blackbaud, imposing $6.75 million in penalties. The settlement cited Blackbaud’s alleged failure to provide timely and accurate information to those affected by the breach as well as its lack of basic security procedures.

Similarly, in January 2025, the Washington AG filed a lawsuit against T-Mobile for alleged failures to address known deficiencies in its cybersecurity protocols, which resulted in a 2021 data breach that exposed the personal information of more than 79 million people, including 2 million Washington residents.

Consumer Financial Services

Given the current uncertainty about the future of the Consumer Financial Protection Bureau (CFPB), many state AGs appear poised to double down on their enforcement efforts. State AGs have authority to directly enforce federal consumer protection laws, including the Consumer Financial Protection Act, enacted as part of the Dodd-Frank Act.

Days before President Donald Trump’s inauguration, the CFPB released a report outlining how states can strengthen consumer protections and encouraging states to rely on their authority to directly enforce federal laws.

State AGs and financial regulators may also rely on their broad state law authorities, including those addressing unfair and deceptive acts and practices, fair lending, debt collection, state credit licensing requirements and other laws. Recent state AG enforcement actions include settlements the New York AG entered into with allegedly predatory lenders and with a bank regarding illegal debt collection practices, as well as a lawsuit by the District of Columbia AG against an earned wage access provider regarding fees.

Artificial Intelligence

States are subjecting AI to heightened scrutiny through the lens of consumer protection and data privacy. Multiple state AGs have released legal advisories on how existing state laws apply to companies’ use of AI, including California, Oregon and Massachusetts, while state legislatures race to keep up with developments.

In addition, several state AGs, including California’s, have engaged in “AI sweeps” to target fraudulent investment schemes purportedly generated by, or tied to, AI. And the Texas AG announced an investigation into DeepSeek in February 2025, specifically investigating its AI model’s alleged violations of the Texas Data Privacy and Security Act.

Continuing with the trend of concern for the well-being of American youth, the Minnesota AG released its own report on the effects of AI on young people. Companies should expect increased scrutiny of AI to continue.

Securities Fraud/Market Integrity

State AGs are anticipated to intensify their securities enforcement efforts across various industries to safeguard the investing public. The New York AG, leveraging its extensive statutory authority to conduct civil and criminal securities investigations, continues to be a frontrunner in this domain.

Recently, the New York AG undertook sophisticated investor-protection actions across varied industries, including cases involving alleged misrepresentations in the sale of asset-backed securities and alleged fraud in the offering of real estate securities.

A meaningful source of state AG securities actions arises from tips, investor complaints and referrals from other agencies. Referrals from the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) may continue even on matters that they may not pursue due to the shift in federal priorities.

Final Thoughts

In almost every area, state AGs will continue to coordinate in multistate initiatives and pursue wide-reaching and broad investigations, particularly where federal enforcement may wane. Now is an opportune time for companies to be proactive, assess their potential state AG enforcement risks and enhance their internal compliance efforts.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.
