Data privacy law regulators want U.S. businesses to be transparent and communicative.

That's the advice state regulators gave during the IAPP Global Privacy Summit 2025, which brought together regulators, data privacy experts and chief data privacy and compliance officers in Washington, D.C., last week. The U.S. has not adopted a federal data privacy law. However, companies still have to navigate comprehensive data privacy laws in 20 U.S. states, as well as global data privacy laws like the EU's GDPR.

Should a company receive notice of violating one of the U.S. state data privacy laws, regulators often welcome conversations with companies on the inquiry, said Michele Lucan, deputy associate attorney general at the Connecticut Office of the Attorney General. Regulators aren't "trying to play gotcha," and are open to hearing additional background information from companies, she said during a panel discussion at the conference.

Vague responses from companies "will always guarantee follow-up," she added.

"When companies put their best foot forward responding to our information requests and tell a good story and give us the information we need, those are the types of circumstances that lend toward those closures, and they do happen," she said.

Asking regulators what they're interested in and attempting to understand the scope of an investigation set a negative tone, said panelist Michael Macko, deputy director of enforcement at the California Privacy Protection Agency (CPPA). Instead, proposing solutions to comply with a regulator's subpoena, listing compliance challenges the business faces, and asking questions about preferences or recommendations the regulator's office has for complying with the law help in resolving problems, he said.

"That, to me, is much more constructive and less likely to aggravate a regulator," he said.