June 23, 2026

State Attorneys General Signal Aggressive Enforcement Agenda

Holland & Knight Alert
Benjamin Genn | Kwamina Thomas Williford | Anthony E. DiResta | Da'Morus A. Cohen | Brian J. Goodrich

Highlights

  • Holland & Knight recently participated in the National Association of Attorneys General 2026 Spring Consumer Protection Conference, where state attorneys general offered direct insight into their enforcement priorities.
  • Four key themes emerged from the discussions, each with significant implications for companies operating in this evolving regulatory environment.
  • For general counsels and compliance teams, the message is clear: Proactive engagement and robust compliance programs are no longer optional. Companies should not wait until a civil investigative demand arrives before taking action.

Holland & Knight recently attended the National Association of Attorneys General (NAAG) 2026 Spring Consumer Protection Conference, where state attorneys general (AGs) were unusually candid about their enforcement priorities. Four themes stood out, and each carries real consequences for companies navigating this landscape.

Why This Matters: State AGs have become some of the most active and aggressive regulators in the country. They coordinate across state lines, share investigative resources and increasingly pursue enforcement actions that can result in significant financial exposure. For general counsels and compliance teams, the message is clear: Proactive engagement, robust compliance programs and early relationship-building with AG offices are no longer optional. Companies that wait until a civil investigative demand arrives are already behind.

Algorithmic and Surveillance Pricing

State AGs now view algorithmic pricing as a fairness issue, not just a privacy issue. The concern: Companies are optimizing for what consumers are willing to pay rather than what they can afford. California AG Rob Bonta has opened investigations under the California Consumer Privacy Act's purpose limitation provisions, treating pricing-related data use as potentially exceeding disclosed purposes. Approximately 20 states now have comprehensive privacy laws in effect, and loyalty programs have become a flashpoint. Maryland flatly prohibits conditioning loyalty program participation on the sale of personal data, and California requires disclosure and consent for loyalty programs involving personal data. AGs also argue that when all competitors adopt algorithmic pricing, no one can discover rivals' prices, effectively reducing the downward competitive pressure that typically benefits consumers.

What Companies Should Do: Audit any dynamic or algorithmic pricing models for compliance with state privacy laws, particularly purpose limitation requirements. Review loyalty program structures in Maryland and California for data sale or consent issues. Ensure privacy notices accurately disclose how consumer data informs pricing decisions.

Managing AG Investigations

The conference offered a rare look at how AG offices evaluate companies during civil investigative demand (CID) proceedings. The clearest message delivered is to engage early. As soon as a company becomes aware of potential AG interest, pick up the phone. A litigation-first posture (leading with objections) is counterproductive and noticed by AG staff. By the time a CID arrives, the AG's office has already prepared an internal memorandum establishing a reasonable basis for the investigation, meaning the demand is not merely a fishing expedition. Treat the CID response as a first advocacy opportunity, not just a document production exercise. AGs routinely seek documents already produced in federal proceedings or to other states, so assume cross-pollination. On confidentiality, over-designating documents are viewed negatively.

What Companies Should Do: Companies should understand applicable open records laws and negotiate notice provisions before any Freedom of Information Act (FOIA) production. Develop a relationship with experienced AG defense counsel before an investigation begins. When a CID arrives, treat the response as advocacy, not mere compliance. Coordinate document productions across jurisdictions to avoid inconsistencies. Review confidentiality designations carefully and negotiate FOIA notice provisions upfront.

Current AG Enforcement Priorities

Connecticut AG William Tong's keynote address made clear that AGs see themselves as creative enforcers, leveraging Unfair, Deceptive, or Abusive Acts or Practices statutes, criminal justice partnerships and multistate coalitions to maximize impact. Current priorities include:

  • Social Media. Major social media platforms face enforcement focused on addiction mechanics (infinite scrolling, notification anxiety) that are framed as consumer protection harms.
  • E-Cigarettes. AGs are applying the same playbook used against Big Tobacco, so new market entrants in the vaping space should expect aggressive scrutiny.
  • Opioids. Enforcement remains a top priority. A recent high-profile opioid matter resulted in a $7.4 billion settlement after sustained AG pressure, including a successful challenge to a prior bankruptcy plan the U.S. Supreme Court invalidated in June 2024.
  • Live Entertainment. Major ticketing platforms remain under investigation as AGs examine ticketing practices.

What Companies Should Do: Companies in these sectors should assume they are on AG radar screens and prepare accordingly. Build internal compliance programs that can withstand multistate scrutiny. Monitor AG public statements and coalition announcements for early signals of enforcement trends.

Children's Online Safety and Age Verification

Both AGs and the Federal Trade Commission (FTC) have identified children's online safety as a top enforcement priority. The FTC's amendments to the Children's Online Privacy Protection Act (COPPA) Rule took effect in June 2025, introducing new requirements around data retention, parental consent and third-party data sharing. The Supreme Court's June 2025 decision in Free Speech Coalition v. Paxton is equally significant: The Court upheld Texas' age verification requirements for sexually explicit websites, applying intermediate scrutiny and finding such requirements constitutionally permissible. This decision may encourage other states to enact similar mandates. Emerging biometric verification approaches, including hand movement patterns and electrocardiogram data, may reshape the compliance landscape.

What Companies Should Do: Technology companies, application developers and any business serving minors should evaluate compliance with the updated COPPA Rule, particularly around data retention and third-party sharing. Monitor state age verification legislation and assess whether current verification mechanisms meet emerging standards. Companies deploying artificial intelligence tools that interact with children should be especially attentive.

Holland & Knight Can Help

Holland & Knight's Consumer Protection Defense and Compliance, Data Strategy, Security & Privacy, Local Government Advocacy and Public Policy & Regulation teams regularly advise clients on state AG investigations, privacy compliance and consumer protection matters.

If any of these developments affect your business, we welcome the opportunity to discuss how we can assist. For more information on this matter, please reach out to the authors.


Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.


Related Insights