Last updated: March 16, 2026

State attorneys general enforce privacy laws through data breach notification statutes, unfair trade practice acts, and state-specific privacy regulations (CCPA, CPA, etc.) with enforcement authority that can result in multimillion-dollar settlements when companies violate consumer rights at scale. Filing complaints requires identifying your state’s AG office (most have online forms), describing the privacy violation with documentation (screenshots, emails, data breaches), explaining financial or identity harm, and identifying whether your state has specific privacy laws the company violated. Unlike federal FTC complaints which go into a database, state AG offices can initiate investigations that lead to enforcement actions; in fact, many landmark privacy settlements (Meta’s $100M, Google’s $393M, Equifax’s $700M) originated from state AG investigations rather than individual complaints. Developers should document: what data was collected, whether consent was obtained, retention duration, any unauthorized sharing, and breach notification failures, patterns showing systemic violations rather than isolated incidents get AG attention.

Table of Contents

Understanding State AG Privacy Enforcement Powers

Every U.S. state and territory has an attorney general office with authority to enforce consumer protection laws, including state-level privacy regulations. These offices can:

The California Consumer Privacy Act (CCPA), Virginia’s Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), and similar state laws create concrete enforcement mechanisms that state AGs actively use.

Identifying Applicable State Laws

Before filing a complaint, determine which state laws apply to your situation. Your state’s laws protect you if you are a resident, but companies may also be subject to your state’s jurisdiction if they conduct business there.

Most state privacy laws share common elements:

State Law Enforcement
California CCPA/CPRA California AG, CPPA
Virginia VCDPA Virginia AG
Colorado CPA Colorado AG
Connecticut CTDPA Connecticut AG
Utah UCPA Utah AG

Even without privacy laws, every state has consumer protection statutes that address deceptive practices, which often encompass data mishandling.

Filing a Complaint - Step-by-Step Process

Step 1 - Gather Evidence

Document everything before submitting your complaint. Collect:

Step 2 - Locate the Correct Office

Most state AGs provide online complaint portals. Here’s a quick reference for major states:

California Attorney General
https://oag.ca.gov/contact/consumer-complaint-against-business-or-company

New York Attorney General
https://ag.ny.gov/internet/consumer-fraud-bureau

Texas Attorney General
https://www.texasattorneygeneral.gov/consumer-protection/file-consumer-complaint

Florida Attorney General
https://www.myfloridalegal.com/contactus

Step 3 - Submit Your Complaint

Most portals accept complaints through web forms. Structure your complaint with:

  1. Your information: Name, address, contact details
  2. Company information: Name, address, website, relevant employees
  3. Description of violation: Specific privacy law sections violated
  4. Harm suffered: Financial harm, identity theft risk, emotional distress
  5. Evidence: Attach documentation as supporting files

Example Complaint Template

COMPLAINT DETAILS:

Company Name: [Company Name]
Company Address - [Address]
Company Website - [URL]

Violation Description:
Under [State] Consumer Privacy Law Section [X], consumers have the right to [specific right]. On [date], I submitted a data deletion request to [company] via [method]. As of this complaint, [company] has failed to respond within the required [30/45] day timeframe / has denied my request without valid legal basis.

Supporting Evidence:
- Exhibit A: Copy of original privacy request dated [date]
- Exhibit B: Company's response dated [date]
- Exhibit C: Screenshot of privacy policy section [X]

Harm Suffered:
[Description of concrete harm - e.g., continued storage of personal data, risk of breach]

Following Up on Your Complaint

After submission, expect the following timeline:

  1. Week 1-2: Acknowledgment of complaint receipt
  2. Week 2-8: Initial review and jurisdiction determination
  3. Month 2-6: Investigation (if accepted)
  4. Ongoing: Potential enforcement action or referral

Tracking Your Complaint Status

Many state AG offices provide complaint tracking numbers. Use them to:

Example follow-up email template
Subject - Follow-up: Complaint #[NUMBER] - [COMPANY NAME]

Dear [AG Office Contact],

I am writing to follow up on complaint #[NUMBER] filed on [date] regarding [company name]'s violation of [state] privacy law.

Could you please provide an update on the status of this complaint? I am available to provide additional documentation if needed.

Thank you for your attention to this matter.

Best regards,
[Your Name]
[Complaint Number]

Escalation and Multi-State Action

For widespread violations affecting multiple states, consider:

Multi-State Complaints

File complaints in multiple states simultaneously. Many AGs coordinate on large-scale investigations. Document your complaints in each state and note the coordination in follow-up communications.

Referrals and Class Actions

State AGs may refer cases to:

Technical Documentation for Privacy Violations

As a developer or power user, you can provide technical evidence that strengthens your complaint:

API Request Evidence

Document data access API calls
curl -v "https://api.company.com/v1/account/data" \
  -H "Authorization: Bearer [TOKEN]" \
  -H "Accept: application/json"

Cookie and Tracking Documentation

Use browser developer tools to capture:

Data Request Timestamps

// Log timestamps of privacy requests
const privacyRequestLog = {
  requestType: 'deletion',
  date: new Date().toISOString(),
  company: 'Example Corp',
  method: 'email',
  responseDeadline: new Date(Date.now() + 30*24*60*60*1000).toISOString(),
  actualResponse: null
};

When Legal Action Becomes Necessary

If state AG enforcement proves insufficient, consider:

State attorneys general remain powerful allies in enforcing your privacy rights. By documenting violations systematically and submitting well-structured complaints, you contribute to enforcement efforts that hold companies accountable.

Building a Complaint Archive

When filing multiple complaints (either in different states or against different companies), maintain organized records:

#!/bin/bash
Create complaint archive structure

mkdir -p complaint_archive/{evidence,letters,responses,notes}

Document each complaint systematically
cat > complaint_archive/complaint_index.csv << EOF
date,state,company,law_violated,tracking_number,status,evidence_files
2026-03-22,California,ExampleCorp,CCPA,CA-2026-001234,pending,evidence/examplecorp_1.pdf
EOF

This archive helps you track progress across multiple complaints and identify patterns of company behavior across jurisdictions.

Complaint Template with Real Examples

When constructing your complaint, structure arguments around specific legal language from your state’s privacy law:

COMPLAINT AGAINST - [COMPANY NAME]

COMPLAINT NUMBER - [IF RESUBMITTING]
STATE - [YOUR STATE]
DATE FILED - [TODAY'S DATE]

1. CONSUMER IDENTITY
   Name: [Your Name]
   Address: [Your Address]
   Email: [Your Email]
   State of Residence: [State]

2. COMPANY IDENTITY
   Legal Entity Name: [Company Legal Name]
   Primary Business Address: [Address]
   Website: [URL]
   Business Description: [What they do]

3. JURISDICTION AND APPLICABLE LAW
   This complaint is filed under [State Privacy Law], specifically:
   - Section [number]: [Right being violated]
   - Section [number]: [Related provision]
   - [State] unfair trade practice statute if no specific privacy law

4. VIOLATION DESCRIPTION
   On [specific date], I submitted a Data Deletion Request via [method] requesting removal of my personal information. The company was required to respond within [30/45] calendar days per [cite law section].

   As of [today's date], [duration since request], the company has:
    Not responded at all
    Denied deletion without valid exemption
    Failed to complete deletion within timeframe
    Resumed collection of similar data after deletion

   Evidence: See attached Exhibit A

5. PATTERN OF VIOLATION
   This appears to be a systematic practice, not an isolated incident, because:
   - [Company has denied multiple consumers' requests]
   - [FTC complaint database shows similar patterns]
   - [Third-party audit revealed practices]

6. CONSUMER HARM
   This violation has caused:
    Financial harm: [amount, how caused]
    Identity theft risk: [explain]
    Reputational harm: [explain]
    Loss of privacy: [explain]
    Emotional distress: [explain]

7. PRIOR ATTEMPTS
   Before filing this complaint, I:
    Submitted formal request to company's privacy email
    Contacted company's customer service
    Reviewed their privacy policy and terms
    Allowed reasonable time for response
    Made good faith effort to resolve

   [Company response, if any]: [What they said/did]

8. RELIEF REQUESTED
   I request that the [State] Attorney General:
    Investigate the company's practices
    Issue cease and desist order
    Require deletion of my personal data
    Require refund of fees paid
    Civil penalties per [cite law]
    Consumer notification of breach/violation

SUPPORTING EXHIBITS:
- Exhibit A: Screenshots of privacy policy dated [date]
- Exhibit B: Copy of deletion request dated [date]
- Exhibit C: Company's response dated [date] (or lack thereof)
- Exhibit D: Communication attempts
- Exhibit E: Evidence of harm

Finding Pattern and Multi-Company Violations

If you discover a company violates privacy rights persistently, your complaint gains strength by documenting the pattern.

Documentation Strategy

import requests
from datetime import datetime, timedelta

def document_pattern(company_email_account):
    """
    Track responses (or lack thereof) from a company over time
    """

    pattern_evidence = {
        "subject_access_requests": [],
        "deletion_requests": [],
        "opt_out_requests": [],
        "verification_failures": []
    }

    # Log each attempt with timestamp
    attempts = [
        {
            "date": "2026-01-15",
            "method": "email to privacy@company.com",
            "request_type": "subject_access",
            "response_received": False,
            "response_date": None,
            "complied": False
        },
        {
            "date": "2026-02-20",
            "method": "GDPR request via formal notice",
            "request_type": "deletion",
            "response_received": True,
            "response_date": "2026-03-05",
            "complied": False,
            "denial_reason": "legitimate business interest"
        }
    ]

    # Calculate compliance metrics
    response_rate = sum(1 for a in attempts if a['response_received']) / len(attempts)
    compliance_rate = sum(1 for a in attempts if a['complied']) / len(attempts)

    print(f"Response Rate - {response_rate:.1%}")
    print(f"Compliance Rate - {compliance_rate:.1%}")
    print("Pattern indicates systematic non-compliance")

    return pattern_evidence

Documenting failure to respond to multiple requests over months creates evidence of systemic violation rather than isolated mistake.

Escalation When Initial Complaints Fail

If state AG complaints don’t result in action within 6-12 months, consider:

Federal FTC Complaint

curl -X POST https://reportidentitytheft.ftc.gov/api/steps \
  -H "Content-Type: application/json" \
  -d '{
    "complaint_type": "privacy_violation",
    "company": "Company Name",
    "violation": "CCPA non-compliance",
    "description": "Company failed to delete personal data..."
  }'

FTC coordinates with state AGs and may pick up cases state offices deprioritize.

Class Action Coordination

If you discover your state’s AG won’t act but others are investigating, reach out to private attorneys handling related cases. Multiple consumers with similar complaints strengthen class action potential.

Congressional Office Contact

Your elected representatives’ offices handle constituent complaints about company privacy violations. Congressional inquiries sometimes prompt regulatory action:

U.S. Representative [Name]
Office of [Name]
[House Office Building]
Washington, DC 20515

Subject - Consumer Complaint About Privacy Violations by [Company Name]

State attorneys general remain powerful allies in enforcing your privacy rights. By documenting violations systematically and submitting well-structured complaints, you contribute to enforcement efforts that hold companies accountable.

Frequently Asked Questions

How long does it take to use state attorney general office to enforce privacy?

For a straightforward setup, expect 30 minutes to 2 hours depending on your familiarity with the tools involved. Complex configurations with custom requirements may take longer. Having your credentials and environment ready before starting saves significant time.

What are the most common mistakes to avoid?

The most frequent issues are skipping prerequisite steps, using outdated package versions, and not reading error messages carefully. Follow the steps in order, verify each one works before moving on, and check the official documentation if something behaves unexpectedly.

Do I need prior experience to follow this guide?

Basic familiarity with the relevant tools and command line is helpful but not strictly required. Each step is explained with context. If you get stuck, the official documentation for each tool covers fundamentals that may fill in knowledge gaps.

Is this approach secure enough for production?

The patterns shown here follow standard practices, but production deployments need additional hardening. Add rate limiting, input validation, proper secret management, and monitoring before going live. Consider a security review if your application handles sensitive user data.

Where can I get help if I run into issues?

Start with the official documentation for each tool mentioned. Stack Overflow and GitHub Issues are good next steps for specific error messages. Community forums and Discord servers for the relevant tools often have active members who can help with setup problems.

Related Articles