
What Dealers Need to Know About the Growing Multi-State Privacy Coalition and Increasing Enforcement Actions Across the Country
Privacy Activity from Coast to Coast: What Started in California Has Expanded Nationwide
There is a commonly heard phrase: “as goes California, so goes the nation.” When it comes to consumer data protection and privacy, that adage could not be more accurate. The California Consumer Privacy Act (CCPA), enacted in 2018, established the template that states across the country have followed—and now, the enforcement infrastructure California built is being exported to other states on an unprecedented scale.
With a growing number of states enacting comprehensive privacy laws year after year, California’s reputation and influence as a regulatory trendsetter continues to accelerate. But the most significant recent development is not just the spread of privacy legislation—it is the spread of privacy enforcement. State regulators are no longer writing laws and waiting for complaints. They are proactively investigating companies, pooling resources across state lines, and bringing enforcement actions with real financial consequences.
For automobile dealers, the message is clear: privacy compliance is no longer optional, and enforcement risk is no longer theoretical—no matter where in the country you operate.
The Multi-State Consortium of Privacy Regulators: Now Nine States and Growing
In April 2025, California Attorney General Rob Bonta, together with the California Privacy Protection Agency (CPPA), announced the formation of a Consortium of Privacy Regulators. The initial coalition included seven states: California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon. Each of these states has already enacted its own comprehensive consumer privacy law, and the consortium was designed to allow them to leverage California’s substantial enforcement expertise and infrastructure to bring privacy enforcement actions in their own jurisdictions.
As of October 2025, two additional states—Minnesota and New Hampshire—have joined the Consortium, bringing the total number of participating states to nine. Notably, every member state has its own consumer privacy law currently in effect, meaning each state has independent statutory authority to pursue enforcement actions. The consortium allows these states to share investigative resources, coordinate enforcement priorities, and benefit from the CPPA’s sophisticated compliance monitoring capabilities.
This development is significant because it effectively multiplies enforcement capacity. States that may have lacked the budget or technical expertise to conduct complex privacy investigations can now partner with California’s well-funded enforcement apparatus. The practical result is that businesses operating in any of these nine states face a materially higher risk of investigation and enforcement than they did even a year ago.
The consortium has already moved from coordination to action. On September 9, 2025, Attorney General Bonta, alongside the CPPA and the attorneys general of Colorado and Connecticut, announced the coalition’s first joint investigative privacy sweep. The sweep targeted businesses that do not appear to be processing consumer requests to opt out of the sale of their personal information submitted via the Global Privacy Control (GPC)—a browser-based signal that automatically communicates a consumer’s choice to stop the sale or sharing of their data. As part of the sweep, the coalition sent letters to non-compliant businesses demanding immediate compliance with the law. Attorney General Bonta stated plainly: “California and our sister states are committed to continued collaboration to actively enforce consumers’ important privacy rights and are paying close attention to business compliance with the Global Privacy Control.”
Connecticut Attorney General Tong reinforced that message, declaring that “respecting consumer privacy is non-negotiable” and that violators are “on notice.” This first coordinated sweep builds on California’s prior $1.2 million settlement with Sephora over GPC non-compliance and signals a clear enforcement priority: technology-driven requirements that can be verified through automated audits of business websites. For automobile dealers, this is particularly consequential. GPC compliance is exactly the type of simple, easily auditable requirement that regulators can check at scale across thousands of websites simultaneously. Any dealer whose website does not properly recognize and honor GPC signals is now squarely in the crosshairs of a multi-state enforcement coalition with the resources and demonstrated willingness to act.
Enforcement Beyond the Consortium: Texas, Utah, and Independent State Action
The consortium is only part of the story. Several states that are not members of the coalition are independently ramping up their own privacy enforcement programs, demonstrating that the trend toward aggressive state-level enforcement is truly nationwide.
Texas
In January 2025, Texas Attorney General Ken Paxton filed suit against Allstate and its subsidiary, Arity, for unlawfully collecting, using, and selling data about the location and movement of Texas residents’ cell phones. The Texas Data Privacy and Security Act (TDPSA) requires clear notice and affirmative consent before businesses may collect or use sensitive personal data, and the State alleged that Allstate violated these requirements on a massive scale. Texas has also released comprehensive reports detailing privacy complaints received under the TDPSA and providing guidance on how businesses should address them.
Utah
Utah presents a particularly important case study for dealers. Although the Utah Consumer Privacy Act (UCPA) contains an exemption for entities subject to the Gramm-Leach-Bliley Act (GLB), Utah state authorities have taken the position that automobile dealers are subject to the state privacy law notwithstanding the GLB exemption. This interpretation is consequential: many dealers have historically assumed that their status as financial institutions under the GLB provides a blanket exemption from state privacy laws. Utah’s enforcement posture challenges that assumption directly.
We believe this interpretive approach is not unique to Utah. There are strong indications that regulators in other states with similar GLB exemptions are reaching the same conclusion—namely, that automobile dealers’ activities extend well beyond the scope of GLB-regulated financial activities, and that the exemption does not shield dealers from compliance with state consumer privacy laws for the full range of their data practices. In fact, several states, including Montana and Minnesota, have amended their privacy laws to explicitly remove the GLB exemptions. For this and several other critical reasons, dealers who are relying on a GLB exemption as a basis for non-compliance with state privacy laws should reassess that position immediately.
Recent Enforcement Actions: A Track Record of Significant Penalties
The enforcement actions already brought under state privacy laws demonstrate that regulators are serious and that the financial consequences are substantial.
California
Several high-profile enforcement actions have been resolved under the CCPA:
- Sephora was among the earliest companies to face penalties for alleged CCPA violations, setting the tone for the enforcement environment that has followed.
- American Honda Motor Co. was required to change its business practices and pay a $632,500 fine to resolve claims that the company violated the CCPA. The enforcement action focused on Honda’s data collection and disclosure practices.
- Tractor Supply Company was assessed the largest CCPA fine in history at $1.35 million. The allegations included failure to maintain an adequate privacy policy and unauthorized disclosure of personal information to third-party companies. In addition to the fine, Tractor Supply was required to certify compliance with the CCPA annually for the next four years—creating an ongoing compliance obligation and oversight burden.
Connecticut
In July 2025, Connecticut Attorney General William Tong announced a settlement with TicketNetwork, Inc. following a lengthy investigation into violations of the Connecticut Data Privacy Act (CTDPA). The company was assessed an $85,000 fine as a result of a privacy notice that regulators alleged was largely unreadable and failed to provide consumers with meaningful information about data practices. This action underscores that regulators are scrutinizing not just whether businesses have privacy notices, but whether those notices are substantively adequate and accessible to consumers.
States Are Staffing Up: Dedicated Privacy Enforcement Units and Increased Funding
Perhaps the most telling indicator of the enforcement trajectory is the investment states are making in dedicated privacy enforcement infrastructure.
New Hampshire Attorney General John M. Formella has established a dedicated Data Privacy Unit, stating that “[e]nsuring accountability, transparency, and consumer choice regarding how companies handle and monetize the personal data of their customers is a priority of my office.” The creation of a standalone unit signals a long-term commitment to privacy enforcement as a core function of the Attorney General’s office.
Minnesota, while it has not yet brought an enforcement action under its newly enacted Minnesota Consumer Data Privacy Act (MCDPA), has secured legislative funding to hire four new attorneys and an investigator who will focus primarily on privacy law enforcement. This staffing investment means enforcement actions are not a question of if, but when.
Both Texas and Oregon have also released comprehensive reports detailing the privacy complaints their offices have received and providing guidance on compliance expectations—further evidence that these states are building the institutional knowledge and public record that typically precede formal enforcement campaigns.
What This Means for Automobile Dealers
This multi-state enforcement expansion has direct and immediate implications for automobile dealerships across the country. Several key trends deserve particular attention:
- Technology-driven compliance is the priority. State regulators are increasingly pooling resources and focusing on simple, technology-driven requirements that are easy to verify remotely. For dealerships, this means the compliance spotlight falls first and foremost on your website and public-facing digital tools. Requirements such as Global Privacy Control (GPC) compliance, conspicuous and complete privacy notices, and proper consent mechanisms are among the easiest elements for regulators to audit—and among the first areas where non-compliance is identified.
- The GLB exemption may not protect you. As discussed above, Utah’s enforcement posture demonstrates that regulators are taking a narrow view of the GLB exemption as it applies to automobile dealers. Dealers who assume they are exempt from state privacy laws based solely on their GLB status are taking on significant risk. We believe this interpretive trend will continue to spread.
- Penalties are significant and escalating. Fines range from tens of thousands to over a million dollars, and enforcement actions frequently impose ongoing compliance certification requirements that create years of additional regulatory oversight. The financial and operational cost of non-compliance far exceeds the cost of proactive compliance.
- No state is a safe harbor. With nineteen states now having enacted comprehensive consumer privacy laws, and enforcement coalitions and independent enforcement programs expanding rapidly, there is no jurisdiction in the country where dealers can safely assume they are beyond regulatory reach. Even in states without their own privacy laws, the multi-state consortium model means that data practices affecting consumers in member states can trigger investigation and enforcement.
The Bottom Line: Dealers Must Act Now
No matter where your dealership is located—but especially if you operate in one of the nineteen states with comprehensive consumer privacy laws—you need to be aware of the rapidly increasing enforcement risks and take concrete steps to ensure compliance. The regulatory landscape has fundamentally shifted. State enforcers are better funded, better coordinated, and more technologically sophisticated than ever before. Enforcement actions are being brought with increasing frequency, and the penalties are substantial.
Dealers should take steps now to work with ComplyAuto to ensure they are meeting the requirements of applicable privacy laws. ComplyAuto’s Privacy solution is purpose-built for the automotive industry and addresses the specific compliance requirements that state regulators are prioritizing—from GPC compliance and privacy notice adequacy to consent management and data subject request handling. The fines and civil penalties that states are imposing are significant, but with the right compliance infrastructure in place, they are entirely avoidable.
Don’t wait for an enforcement action to force your hand. Contact ComplyAuto today to learn how our Privacy solution can protect your dealership.
This article is provided for informational purposes only and does not constitute legal advice. Dealerships should consult with qualified legal counsel regarding their specific compliance obligations.