ARTICLE
4 August 2025

Private Law Firms Are Quietly Powering State Privacy Enforcement

Frankfurt Kurnit Klein & Selz

Contributor


A quiet shift with major consequences is underway in consumer protection enforcement. Across the country, we are seeing states file headline-grabbing lawsuits under privacy and consumer protection laws. But look closer and you'll often find a private firm behind the scenes, developing the case and even appearing on the complaint. This article sets out four recent public examples of public-private partnerships, the factors driving this trend, and steps companies can take to prepare.

Four Recent Public Examples

• Texas: Texas Attorney General Ken Paxton sued Meta in February 2022 for allegedly collecting biometric data without consent in violation of Texas's biometric privacy law. Keller Postman (formerly Keller Lenkner) represented the state. The action resulted in a $1.4 billion settlement.

• Michigan: Michigan Attorney General Dana Nessel filed suit against Roku in April 2025 for allegedly collecting children's personal information without parental consent in violation of COPPA. Korein Tillery is named in the complaint. The case is ongoing.

• Utah: Utah Attorney General Derek Brown sued a social media company in June 2025 for allegedly violating the Utah Consumer Privacy Act (UCPA) in its deployment of AI tools. Edelson PC signed the complaint. The case is ongoing.

• Nebraska: Nebraska Attorney General Mike Hilgers filed a lawsuit in July 2025 against General Motors for allegedly misleading consumers about the collection and sale of driver data in violation of Nebraska's consumer protection law. Susman Godfrey LLP is representing the state. The case is ongoing.

What's Driving the Trend?

• Resource constraints and escalating case complexity

Partnering with outside firms allows states to pursue large, complex cases that would be difficult to handle in-house. Many privacy and consumer protection targets are well-funded companies that can mount lengthy, hard-fought defenses. Private firms often offer to do the investigative legwork, draft pleadings, and manage the litigation.

• High-profile cases bring political and public attention

Regulators recognize that headline-grabbing cases can demonstrate leadership on consumer protection and draw national attention. A blockbuster case backed by a private firm allows a regulator to make a statement, especially in states where regulators are seen as under-enforcing or under-resourced.

• Contingency-fee structures and sizable remedies attract private firms

The combination of statutory damages and contingency-fee arrangements is drawing more private firms into the space. In many states, firms can earn a percentage of the recovery, creating strong financial incentives to find and pitch new enforcement theories to state regulators. In Texas, for example, outside firms can receive the lesser of 11% of a settlement or four times the state's base rate, meaning a firm could take home $100 million from a $1.4 billion settlement. 

• But not at the federal level

This trend is largely confined to the states. Federal agencies like the FTC are not permitted to hire outside firms on a contingency-fee basis, which limits their ability to replicate this model.

What It Means for Companies

• Case strategy shifts when private firms are involved

When regulators lead an action, the focus is often on remediation and compliance. In our experience, regulators generally try to work with companies in good faith and may wait to file a complaint until a settlement is finalized. Investigations may never become public. When a private firm is driving the case, the strategy often shifts toward maximizing financial recovery. These cases are more likely to be filed early, publicly, and aggressively, with a higher likelihood of litigation and significant monetary settlements.

• States without strong privacy laws or resources can still be high risk

Companies often assess privacy risk by looking at which states have comprehensive laws or strong enforcement histories. But public-private partnerships disrupt that logic. States without a comprehensive privacy law (like Michigan), with a weaker comprehensive privacy law (like Utah), or with limited enforcement resources (like Nebraska), can now bring high-impact, headline-grabbing cases.

• Top enforcement states are using this model too

This model isn't limited to small or resource-strapped states. Even states with deep enforcement capabilities are tapping outside firms. Texas worked with an outside firm in its $1.4 billion case against Meta. 

• Regulators are increasingly willing to litigate

State regulators are showing an increased appetite for litigation, especially when supported by contingency-fee firms. Meanwhile, at the federal level, the FTC has continued to pursue litigation under Section 5 of the FTC Act, including its ongoing action against Kochava. The era of quiet resolution may be fading.

How Companies Can Prepare

The rise of public-private enforcement partnerships marks a meaningful shift in how privacy and consumer protection laws are enforced. Companies should take several steps now to adapt to this new enforcement landscape:

• Reevaluate state-level risk models
If your compliance strategy prioritizes states based solely on the strength of their laws or known enforcement history, it's time to reassess. The Meta, Roku, and GM cases show that enforcement can originate from states with narrow laws, limited resources, or no comprehensive privacy law at all. Risk assessments should also account for where contingency-fee arrangements are permitted and where private firms are actively pitching cases. 

• Monitor plaintiff-side activity, not just regulators
Many of these cases are built by private firms before a regulator ever gets involved. Companies should track which firms are active in privacy and AI enforcement, what theories they are developing, and which industries they are targeting. It is also important to work with outside counsel who are familiar with these firms and can help anticipate where the next wave of enforcement may come from.

• Prepare for fast-moving and public complaints
When private firms are involved, companies may not receive advance notice or the opportunity to resolve an investigation quietly. Legal, communications, and executive teams should be aligned on how to respond quickly and strategically to a public enforcement action.

• Focus compliance resources on high-risk areas
These actions are targeting companies that collect sensitive data, use AI tools, or operate in industries with vulnerable groups (like kids). These areas should be at the top of your governance and compliance roadmap. 

www.fkks.com

This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.
