Strategic Privacy Leadership Among Regulatory Variability

As more and increasingly nuanced privacy and AI-related issues gain traction among regulators and consumers alike, organizations should expect increased scrutiny not only at the state level but potentially on a federal level as well. Recent cases spurred by the Texas Attorney General (and other Attorneys General or AGs) are prime examples of what organizations can expect in terms of new investigative trends at the intersection of data privacy and advanced technologies.1 While federal privacy legislation has faltered year after year in the United States, privacy is one topic that tends to draw a measure of bipartisan support, meaning that the upcoming shift in political leadership may not lessen the momentum for regulatory action.2

Even in the absence of federal data privacy regulation, enforcement is expected to remain active at the state level. Investigations often start small but can quickly snowball into broader reputational crises. For example, inquiries into companies’ practices in areas like children’s privacy or AI ethics often lead to scrutiny from stakeholders far beyond regulators, including investors, media, customers, and advocacy groups. These investigations may not always yield formal penalties, but the heightened attention they generate can amplify negative narratives and set off a chain reaction of reputational harm.

Strategic, forward-thinking organizations need to prepare on two fronts: substance and communication.

Invest in Privacy Governance That Meets the Moment

Real investment in privacy practices is foundational to building long-term organizational resilience.

Real investment in privacy practices is no longer optional. It is foundational to building long-term organizational resilience. The privacy challenges of today are evolving rapidly, especially with the integration of AI into consumer-facing and business operations. Companies need governance frameworks that not only address existing regulatory requirements but also anticipate emerging challenges in AI ethics, algorithmic transparency, and data protection.

Good governance starts with embedding privacy into core business operations and decision-making processes. Organizations that rely on AI must also prioritize oversight mechanisms that allow them to identify and mitigate risks before they escalate into public crises. This means engaging stakeholders from compliance and legal teams to technical and product leads in ongoing risk assessments.

A review of the recent cases in Texas suggests several areas on which organizations may wish to focus:

  • Ethics, Trust, and Reputation Management. Trust is becoming a major differentiator. Companies appear to be judged not just by what they achieve but by how they achieve it. In numerous examples, the rise of dark patterns and secret data collection has led to lawsuits and reputational harm. Ethical data handling and values-driven decision-making are crucial for brand reputation. Consumers increasingly prefer to do business with companies that are transparent, accountable, and privacy conscious. Organizations may wish to integrate ethical considerations into corporate strategy and consider creating an ethical review board to assess new AI, data, and technology deployments to ensure alignment with public expectations.
  • Children’s Privacy and Parental Control. Companies that engage with children (e.g., social media, gaming, and educational platforms) face growing regulatory pressure to obtain parental consent for the collection of children’s data. Companies that offer digital services, educational apps, and social platforms used by children under 13 must ensure they comply with Children’s Online Privacy Protection Act (“COPPA”) in the United States and similar laws globally. Companies must also verify parental consent and implement child-appropriate privacy practices. Companies should ensure they have age-verification processes in place, provide age-appropriate privacy notices, and develop methods to obtain verifiable parental consent before collecting any data from children.
  • Transparency, Consent, and Dark Patterns. Regulatory authorities are cracking down on companies that use dark patterns, which are design tricks that manipulate users into making decisions that benefit the company, like clicking “accept” on broad data-sharing permissions.3 The Texas Attorney General (“AG”) has directly targeted companies for allegedly using interfaces and consent workflows that fail to obtain consent.4 Companies with customer-facing digital interfaces (e.g., websites, apps, and e-commerce platforms) must ensure that user experiences are fair, transparent, and free of manipulative tactics. Regulators are scrutinizing “consent fatigue” and are enforcing rules that require companies to present clear, accessible, and unambiguous opt-in options. Companies should review their user interfaces (“UI”) and consent flows to ensure they align with regulatory definitions of “clear consent.” Consider conducting usability tests to confirm that users clearly understand what they are agreeing to.

Marry Good Practices with Strategic Communication

A strong communications program ensures companies can articulate a clear, consistent narrative to stakeholders and maintain trust, even amid shifting consumer expectations and regulatory attention.

Even organizations with robust privacy practices often falter when it comes to communication. A strong communications program ensures that companies are not caught off guard by shifting consumer expectations or intensified regulatory attention. Public trust hinges on the ability to both demonstrate good faith in addressing privacy and articulate a clear, consistent narrative to stakeholders.

Organizations that excel in this space adopt three key strategies:

Proactive Positioning: Companies need to communicate their commitment to privacy, data ethics, and AI responsibility consistently, and not just in times of crisis. Being transparent about privacy investments and responsible practices helps build a foundation of trust and separates ethical organizations from bad actors.

Crisis-ready Messaging: When crises or investigations emerge, it’s essential to strike the right balance between speed and accuracy. Transparency and accountability are critical, but so is avoiding premature or misleading statements that may later undermine credibility. Organizations need pre-prepared messaging frameworks that address key stakeholder concerns while aligning with broader governance practices. This should always include defined approval processes for communication actions – often the thorn in the side of organizations that aim to move quickly but do not have an effective mechanism to do so when a crisis hits.

Relationship-building: A proactive approach to building regulatory relationships can benefit organizations, particularly those operating in higher-risk industries, such as financial services, healthcare, or ad tech, where data privacy and AI use are under heightened scrutiny. Building rapport with state AGs can serve as a risk mitigation strategy. An existing relationship helps foster mutual understanding of how your organization operates, demonstrates commitment to compliance, and provides opportunity to clarify the guardrails in place to protect consumers and mitigate potential concerns before they escalate. Companies with a higher regulatory exposure, such as those handling large volumes of consumer data or deploying AI-driven decision-making tools, should consider engaging multiple AGs to stay ahead of evolving enforcement trends. For organizations with lower risk, maintaining a working relationship with their local state AG can still offer valuable insight into enforcement priorities and regulatory expectations, ensuring they are not caught off guard when new policies take shape.

The Stakes Are Rising

As investigations like those currently underway in Texas become more common, organizations should expect to face intensified scrutiny from multiple angles. A single regulatory inquiry can cascade into broader challenges — spurring media coverage, prompting investor questions, and catalyzing in class-action lawsuits. Companies unprepared for this level of attention risk falling into a reactive stance, where they are perpetually on the defensive.

On the other hand, organizations that view privacy and AI governance as strategic imperatives will be better positioned to navigate this complex landscape. By marrying robust governance with proactive communications, they can build trust, reinforce their reputation, and emerge stronger from moments of scrutiny.

This confluence of privacy, AI, and regulatory momentum should be viewed as a critical moment for taking decisive leadership. For companies to thrive in this era of heightened attention, they must not only walk the walk by investing in substantive privacy measures but also talk the talk by aligning their practices with communications that inspire trust, confidence and differentiation from less-responsible actors.

The organizations that embrace this dual approach will not only weather today’s challenges but will set themselves apart as ethical leaders in the years to come.

Footnotes:

1: Kanishka Singh, “Texas probes tech platforms over safety and privacy of minors,” Reuters (December 12, 2024) 

2: Joe Duball, “Congressional committee kickstarts new federal privacy law dialogue,” IAPP (February 24, 2025) 

3: “FTC, ICPEN, GPEN Announce Results of Review of Use of Dark Patterns Affecting Subscription Services, Privacy,” FTC (July 10, 2024) 

4: Jonathan Stempel, “Texas sues Allstate for collecting driver data without consent,” Reuters (January 13, 2025) 

Related Insights

Related Information

Published

March 31, 2025

temp Key Contacts

Michael Spadea

Senior Managing Director

Kelly Miller

Managing Director

Most Popular Insights

  1. What Directors Think Report
  2. Know Your Risk: Terrorist Designation of Cartels on Business Interests in Mexico
  3. Four Predictions for Private Equity in 2025
  4. Global CFO Survey 2025
  5. Current Power Trends and Implications for the Data Center Industry

Sign up to get access to FTI Consulting Insights

Subscribe