We are less than a month into the new Trump administration and are seeing an unprecedented wave of activity and major changes at federal agencies. These changes promise to bring significant disruption to the staff and negatively impact the typical activities of numerous agencies, including the nation’s consumer protection watchdog, the Federal Trade Commission (FTC). As discussed below, we expect the impact on the FTC to be significant given the rapid and aggressive moves by the new administration. And we expect state Attorneys General (AGs) to step in to fill the gap.

One of the first actions the new administration took was to implement a hiring freeze across the federal government. Shortly thereafter, the Office of Management and Budget (OMB) sent an email to all federal employees offering a “deferred resignation” that would exempt them from return-to-office mandates and provide them pay and benefits through September 30, 2025. According to some reports, the White House expects up to 10 percent of two million federal employees to accept the offer by the February 6, 2025, deadline.

The hiring freeze and deferred resignation program will certainly affect the FTC. According to its Fiscal Year 2025 Congressional Budget Justification, the FTC has close to 1,400 employees. Accordingly, the agency could quickly lose the services of 140 employees, plus others whose job offers may already have been rescinded. For a small agency, this would have a significant operational impact. And this is only the beginning of the administration's efforts to reduce the federal workforce. The hiring freeze executive order requires OMB and the Department of Government Efficiency (DOGE) to submit a plan within 90 days “to reduce the size of the Federal Government's workforce through efficiency and attrition.”

The administration’s swift and aggressive moves to reduce the federal workforce will not go unnoticed by state legislators and AGs. It is not uncommon for state legislatures and state AGs to ramp up their legislative and enforcement efforts to fill gaps left by shifting federal enforcement priorities. This alert identifies likely state-level consumer protection priorities in the coming years and how best to prepare for them.

1. Artificial Intelligence (AI) regulation. Within the first three days of the new administration, the White House took three major actions to reduce AI regulatory constraints and bolster AI innovation: 1) issued an Executive Order rescinding President Biden’s Executive Order establishing standards for AI development; 2) announced the $500 billion Stargate venture designed to invest in the future of AI; and 3) issued another Executive Order imposing requirements designed to “sustain and enhance America’s global AI dominance in order to promote human flourishing, economic competitiveness, and national security.” These are all clear indicators that the federal government, including the FTC, is likely to be hands-off when it comes to AI oversight.
   
   States, however, are unlikely to take the same approach. In terms of enforcement, the Texas AG has already brought one AI-related enforcement action against Pieces Technologies, alleging that the company deployed its AI healthcare technology products at several Texas hospitals after making a series of false and misleading statements about their accuracy and safety. California enacted 17 bills covering the use and regulation of AI technology, including several pieces of AI legislation, including a law requiring covered providers to provide an AI detection tool (SB 942) and a law requiring developers of generative AI systems to make certain disclosures about training data (AB 2013). In California, the California Privacy Protection Agency initiated a formal automated decision-making technology rulemaking, with the comment period closing on January 14, 2025. Utah’s AI Policy Act, which went into effect in May 2024, requires disclosures when consumers are interacting with certain AI systems. Colorado’s AI Act, which goes into effect February 1, 2026, includes transparency, governance, and other requirements on high-risk AI systems, defined as those that make, or are a substantial factor in making consequential decisions. Massachusetts has issued an advisory clarifying that state consumer protection laws apply to AI developers and users. And Tennessee has enacted the Ensuring Likeness, Voice, and Image Security (ELVIS) Act to protect individuals from the use of deepfakes. 
   
   States are sure to remain active in the AI space as federal oversight diminishes. Wilson Sonsini’s cross-practice AI Working Group is closely monitoring developments on the AI regulatory and litigation front and is well-positioned to advise on compliance counseling and state AG investigations and activity.
2. Minors’ privacy and online safety legislation and enforcement. State legislatures were particularly focused on minors’ privacy and safety legislation in 2024, and we expect even more attention on this issue in the coming year. California, Colorado, Connecticut, Florida, Louisiana, New York, Tennessee, Texas, Utah, and Puerto Rico enacted social media laws that apply to all users under the age of 18, though these laws have been the focus of legal challenges. Some states have passed laws applicable only to users under 16 (e.g., Georgia). Some states require parental consent to have an account (see, e.g., Tenn. Code Ann. 47-18-5701 et seq), while others require it only for certain purposes, such as overcoming default settings (see, e.g., Tex. Bus. & Com. Code 509.001 et seq). Some of these statutes require verifiable parental consent (similar to the federal Children’s Online Privacy Protection Act, or COPPA) for parental consent to be valid.
   
   In addition to laws focused on social media companies, some states have passed legislation focused on minors’ privacy more generally. The most notable of these recently-passed laws were the Age Appropriate Design Codes in California and Maryland. Although these laws are the subjects of legal challenges, multiple state legislatures have already introduced their versions for consideration this session.
   
   State AGs are already taking action to enforce these new laws. Texas, for example, filed a lawsuit against one major social media platform alleging violations of its Securing Children Online through Parental Empowerment (SCOPE) Act. And the Texas AG announced investigations into 14 other companies “regarding their privacy and safety practices for minors pursuant to the [SCOPE] Act and the Texas Data Privacy and Security Act” (TDPSA).
   
   New state legislative and enforcement developments occur frequently. To stay abreast of these developments and advise companies in real time on the complex legal issues they need to navigate, Wilson Sonsini has established a working group focused on the privacy and safety landscape for minors at the state level. Members of the firm’s Data, Privacy, and Cybersecurity and Litigation practices track both legislative and legal developments in this area and advise clients regularly.
3. Comprehensive privacy legislation and enforcement. Apart from issues involving minors, states will remain active on the general privacy front as well. New privacy laws come into effect in 2025 in Delaware, Iowa, Minnesota, Maryland, Nebraska, New Hampshire, New Jersey, and Tennessee. Various states, including notably Massachusetts and New York, have already proposed comprehensive privacy bills this session, and others are likely to follow suit. California will continue to focus on enforcing its comprehensive privacy law, the California Consumer Privacy Act (CCPA), and has already brought a number of actions to enforce the CCPA. The Texas AG is also focusing on comprehensive privacy enforcement. In addition to the 14 inquiries mentioned above, the Texas AG also sued Allstate and its subsidiary, Arity, for violations of the TDPSA.
   
   Wilson Sonsini’s Data, Privacy, and Cybersecurity group has advised hundreds of companies on these requirements and can help benchmark practices. It also has extensive experience in state AG investigations and can help companies navigate these challenging inquiries.
4. Health data and privacy. We are already seeing signs of likely disruption at the Department of Health and Human Services (HHS) related to changes to regulatory priorities by the new administration. It is unclear to what extent the federal government will be active in protecting consumer health data. States, however, have passed laws in this space and will likely increase their focus on this issue in the absence of federal government involvement. For example, Maryland offers heightened protection for consumer health data that is not covered by the Health Insurance Portability and Accountability Act. Comprehensive state privacy laws enacted prior to 2023, such as the CCPA, offer health information the same standard protection granted to sensitive personal information. In 2023, Washington and Nevada enacted standalone privacy laws specifically for consumer health data, while Connecticut revised its existing comprehensive privacy law to offer distinct protections for consumer health data. And New York is poised to pass a health privacy bill that would have significant implications for businesses that handle health and wellness-related consumer data. States with health privacy laws are likely to be active in the coming year; Wilson Sonsini has advised numerous companies on compliance with these laws.

As change occurs at the federal government level, we expect state legislatures and enforcers to react. Wilson Sonsini Goodrich & Rosati routinely advises clients on data, privacy, and cybersecurity laws and regulations and defends companies facing enforcement actions. For more information about the developments mentioned above, or any other advice concerning U.S. privacy and cybersecurity regulation, please contact Chris Olsen, Maneesha Mithal, Rebecca Weitzel Garcia, or another member of the firm’s data, privacy, and cybersecurity practice.