How do privacy regulators decide which companies to poke?
Often, it’s a consumer complaint. Other times, it’s a headline. And, sometimes, it’s just personal. Regulators are consumers, too, after all.
But it’s important to remember that every brush with a regulator doesn’t turn into a full-blown case, said privacy attorney Tyler Bridegan, and he would know.
Bridegan spent nearly two years as director of privacy and tech enforcement for the Texas attorney general’s office. He left government work and returned to private practice in October as a partner at Womble Bond Dickinson.
Most interactions between companies and regulators end without a formal investigation or public settlements, Bridegan said, so long as companies engage openly and work to resolve concerns up front.
If a regulator comes knocking, the best thing to do is respond quickly, be transparent, address concerns without getting defensive and fix what can be fixed right away.
2026 “will definitely be a busy enforcement year,” Bridegan said. But cooperation and common sense can still go a long way.
“Don’t overshare but also don’t be so cagey that it looks like you’re hiding things, and you’ll be a lot likelier to get a resolution everyone is happy with,” he said. “Ask anyone at a state AG’s office and I think they’ll tell you the same thing.”
We caught up with Bridegan a few months into his return to private practice to get his take on what’s coming next and how companies can stay out of the regulatory crosshairs.
AdExchanger: You left private practice in 2024 for the Texas AG’s office and now you’re back, although at a different firm. Why go back to private practice now? Things are just getting spicy on the privacy front!
TYLER BRIDEGAN: I was recruited by one of my former colleagues who had taken over consumer protection at the AG’s office and asked me to come over.
Around four months after I started, Texas’ data privacy law took effect, and the new Texas data broker law took effect the year before. There are a ton of laws that get passed and then nothing happens on the enforcement side. We wanted to signal that we were taking these laws seriously.
But going back to private practice was always the plan. I have a broad consumer protection background. I was also previously at the Federal Communications Commission. I’m a big believer that mixing public and private sector experience makes you a better, more complete lawyer.
Texas has a reputation for being aggressive on the privacy protection front, including major enforcement actions against Allstate, General Motors and TikTok, big settlements with Google and Meta and a recent lawsuit against smart TV companies for “spying.” It all seems very “don’t mess with Texas.”
You could say that.
What I’d point out is that a lot of state AGs are up for reelection next year, and I think every one of them is looking for a way to make their mark through popular enforcements. There’s a lot of support from all political affiliations to enforce these privacy laws, so it’s one of those unique areas where you almost can’t go wrong.
These actions drive a lot of approval, and a lot of AG offices are waking up to that fact. It’ll be an interesting time for the next 12 months.
How do you use your experience from the inside the enforcement machine to advise clients now?
I try to give people a more nuanced view. It’s not just that Texas cares about enforcement; it’s that Texas cares about specific enforcement areas and real harm. And other states have their own priorities. Connecticut and Oregon, for example, follow up on every complaint they get. We can’t do that, because our database is far, far more active. It would be untenable. So we focus on bigger cases where it makes sense to litigate.
Every state is developing its own style.
What proactive steps should companies take to minimize regulatory scrutiny and the risk of litigation?
Pay attention to what state AGs are focused on, like children’s privacy or social media. If you’re launching a product that could be sensitive, talk to regulators before it becomes a headline. Update your policies, fix the obvious stuff and don’t get cagey; it just makes them dig deeper.
How can companies balance legal compliance with the everyday realities of building, marketing and selling products?
There are always ways to minimize risk, but it starts internally. If you’re rolling out a product in a regulator’s focus area, like children’s privacy, increase your safeguards. Don’t wait to do it.
And if you think something might be perceived as problematic, it never hurts to proactively start a dialogue with regulators, at least at the staff level. That way, no one’s caught off guard if something ends up hitting the news.
Answers have been lightly edited and condensed.
🙏 Thanks for reading! And, in other mews, Sora is wild. As always, feel free to drop me a line at allison@adexchanger.com with any comments or feedback.
For more articles featuring Tyler Bridegan, click here.
