Our Take
Federal retreat has handed the litigation initiative to state attorneys general, creating a patchwork of exposure that HR and legal teams cannot ignore.
Why it matters
Employers who assume federal standards are sufficient now face escalating state-level enforcement and class-action risk. The regulatory gap is widening, not closing.
Do this week
General Counsel and CHRO: audit your current data handling and AI deployment practices against California, New York, and Massachusetts privacy statutes this month so you can identify compliance gaps before state investigators do.
State attorneys general are filling the federal enforcement gap
Federal enforcement action on cybersecurity, data privacy, and AI deployment has softened, but litigation at the state level is accelerating. According to Norton Rose Fulbright's U.S. head of litigation and disputes, "even where federal enforcement has softened, states are often stepping in and pushing litigation forward."
This shift matters because state-level enforcement operates independently of federal priorities. A company that avoids federal scrutiny may still face multiple state investigations, class-action suits, or regulatory orders tied to the same conduct or data practices.
The compliance landscape is now fragmented
Employers face a fragmented legal environment. Federal regulators (FTC, EEOC, DOJ) have resource constraints and shifting priorities. State attorneys general, by contrast, have direct incentive to pursue cases that generate headlines and settlements. California's aggressive privacy enforcement, New York's cybersecurity regulations, and Massachusetts' standards for consumer-facing AI all create separate legal obligations that do not align.
For HR and IT leaders, this means compliance frameworks built around federal minimums are now insufficient. A data handling or AI deployment practice legal in one state may trigger enforcement action in another. Class-action plaintiffs' attorneys also monitor state enforcement patterns; when a state AG wins a settlement, private litigation often follows.
Conduct a multi-state privacy and AI audit
Do not assume federal compliance covers your exposure. Map your current data practices, AI tools (especially those using employee or candidate data), and cybersecurity measures against California Consumer Privacy Act (CCPA), New York SHIELD Act, Massachusetts Standards for Artificial Intelligence, and any state where you have significant headcount or operations. Identify gaps where your current practices fall short of state requirements. Engage general counsel or external counsel to prioritize remediations tied to your highest-risk states. The cost of a state investigation or a class-action settlement will exceed the cost of proactive audit and remediation.