2026 Elections Could Mean 'Splashier' State AG Actions, Says Former Texas Enforcer
Election year 2026 could drive more headline-grabbing state privacy enforcement, said Womble Bond privacy attorney Tyler Bridegan in an interview with Privacy Daily. In general, state privacy enforcement seems to be at the "very beginning of the bell curve,” said Bridegan, who was recently director of privacy and tech enforcement for Texas Attorney General Ken Paxton (R). Also, Bridegan praised Ryan Baasch, another alumnus of the Texas AG's office, who's expected to be nominated as an FTC commissioner by President Donald Trump.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Next year’s election includes 30 state attorney general races, according to Ballotpedia. Privacy enforcement actions "garner a lot of bipartisan support,” so it will "be interesting in an election year to see which AGs want to use that lever to drum up press and support,” Bridegan said. As such, he wouldn’t be surprised to see “a lot of faster pre-suit investigations and splashier, larger lawsuits" over the next year.
Bridegan believes it’s still early days for state privacy enforcement, with more actions and higher penalties likely ahead. “A lot of states and regulators are ... still dipping their toe into what enforcement looks like.” Every regulator is "charting a path -- not just with precedent interpreting the law, but also internally," such as figuring out what documents should be requested and "how aggressive should [to] be with investigations."
“California is probably the furthest along" in privacy enforcement, but "even they are still laying that initial groundwork for escalating enforcement actions over time,” said the former Texas enforcer. While California received criticism about the amount of penalties it has assessed so far, "they're at the very beginning of their enforcement, and they're going to take more hardline positions as time goes on, including seeking higher penalties," he predicted. The fines "will continue to grow, particularly because they'll be able to say" that they have "already enforced on this.”
"Every state has its nuances" when enforcing privacy, differing on elements like whether they have a separate privacy team, how many people are on it, where the team is housed, and what their approach is to enforcement, said Bridegan.
Some states are employing outside counsel to help with privacy investigations. For example, in a news release touting Texas’ $1.375 billion settlement with Google, Paxton thanked the law firm Norton Rose for its help. Meanwhile, a Nov. 5 news report said Connecticut is seeking outside counsel for potential litigation related to Meta and Cambridge Analytica.
Bridegan sees "a growing appetite across a lot of states on both sides of the aisle to retain outside counsel,” he said. It happened before with state AGs' tobacco and opioid litigation; and it looks like tech and privacy issues will be "the third big wave." Many states have already retained outside counsel for lawsuits against social media companies, added Bridegan. "I think that's only going to increase."
When "staff resources are stretched thin," retaining outside counsel is "a good route for an AG's office to get around any resource constraints,” he said. Bridegan added that, for some states, outside counsel might bring stronger expertise in privacy than the AG's office has on staff. Based on his experience in Texas, Bridegan said that what usually happens is that one or two people from the AG's office is "quarterbacking the lawsuits, while outside counsel drives discovery forward and does a lot of the heavy lifting."
Meanwhile in Texas…
Baasch hired Bridegan to lead the state’s privacy enforcement team in 2024, just as multiple Texas privacy laws were starting to take effect. Bridegan left the AG’s office to join Womble Bond last month (see 2510060016).
"Unbeknownst to a lot of industry or the privacy bar," not only did the Texas legislature pass a comprehensive privacy law, but "also funded it,” said Bridegan: Legislators "earmarked around a million dollars" for new hires and technological updates, such as creating a privacy-specific complaint database. The Texas privacy team started with two attorneys, including Bridegan, but it soon increased to about 20 people, including attorneys, technologists, paralegals and legal assistants, he said.
The Texas AG's office said in July that it investigated data practices of more than 200 companies and issued “dozens of privacy violation notices” under the Texas Data Privacy and Security Act during the past year (see 2507210028). Targets included data brokers, car manufacturers, social media outlets and Chinese companies, it said.
Bridegan said three common catalysts for Texas privacy investigations during his time in the AG office were consumer complaints, news reports and regulators stumbling upon potential problems.
Texas has a "very active" consumer complaint database to draw from for possible investigations, said Bridegan. However, consumers aren't always "well-versed in the law," so the focus of their complaint "may or may not be a privacy issue" and "may or may not be in compliance with the law."
Also, "regulators are consumers as well," and sometimes get a lead on potential enforcement when interacting with a company and, for example, checking the privacy policy of an app they themselves use, the former Texas official said.
Texas made a big splash this year with its $1.375 billion Google settlement (see 2510310005 and 2505090071). It came less than a year after another $1.4 billion settlement between Texas and Meta (see 2407300030).
“Every AG office is weighing where to dedicate resources,” said Bridegan, and there are "really big matters where the financial component is one of the key drivers." However, he cited another case in which the Texas AG office "settled with an AI company for injunctive-only terms."
Most investigations may never be announced. “Well over 90% of investigations that a state AG does never result in any sort of public enforcement action,” he said: That's because there are many "ways to resolve a matter without a formal settlement during the course of an investigation."
In Texas, there's only been one lawsuit under the state's comprehensive privacy law, but "there's been at least 10 times more investigations pursuant to that privacy law that have happened," said Bridegan. "They'll never be made public, and they don't need to be escalated, because they're generally curable."
Texas’ comprehensive privacy law includes a 30-day right to cure. Unlike in other states, the policy isn’t scheduled to sunset. Even so, the former Texas official said, "There's certain conduct under these privacy laws that is probably not curable.”
"Sensitive data and consent is one really difficult area,” he said. "If sensitive data has been sold without consent ... it's really hard to unsell data." Also, 30 days to cure is "a quick turnaround," so in some situations, the possible violation "may be curable, but in that timeframe becomes relatively impractical.”
On his old boss’ potential ascension to the FTC, Bridegan said that Baasch is "an extremely pragmatic and reasoned person" with an "impressive" ability to digest information. Baasch is expected to be nominated for the seat left by Commissioner Melissa Holyoak, who has been appointed interim U.S. attorney for Utah (see 2511170046).
Baasch, who is special assistant to President Trump for economic policy, “takes a very harm-based approach" to tech, data and privacy enforcement, which comes from his litigation background, added Bridegan. While it's likely up to the FTC chairman to set the agenda, having a commissioner who looks for harms in those areas could impact the commission’s focus, he said.