State attorneys general brought or settled more than 1,200 consumer privacy cases across a five-year period ending in 2024, playing a vital role in protecting consumers in the absence of a comprehensive data privacy federal law, a new report says.

The new research published Wednesday by the Electronic Privacy Information Center (EPIC) shows state attorneys general brought or settled 78 data privacy cases, 564 data breach cases, 117 platform governance cases and 145 unwanted calls cases.

Most of the platform governance cases related to kids' online safety. Platform governance cases 

addressed “privacy harms from platform features or design that lessen consumer choice and autonomy or expose consumers to other online harms,” the report said.

Many of the enforcement actions were brought under state consumer protection laws, a trend which may change as more state-level comprehensive data privacy laws go into effect. 

EPIC researchers praised state attorneys general for addressing unlawful behavior despite being generally under-resourced.

“Because State AGs are determined to protect consumers from privacy harms, we see them creatively pursuing privacy-related enforcement despite limited resources and enforcement authorities that have not always kept pace with newer technologies,” Chris Frascella, EPIC counsel and report co-author, said in a prepared statement.