From Tallahassee to Phoenix: States Move to Enforce National Security Limits on Access to Americans’ Sensitive Personal Data

State attorneys general increasingly are asserting authority in an area once viewed as the exclusive province of federal national security regulators — scrutinizing who can access sensitive personal data of U.S. persons, where that data flows, and whether foreign governments have legal rights or practical means to control or obtain the data. Recent actions by Florida, Texas, and Arizona Attorneys General illustrate a clear and accelerating trend — national security concerns are no longer abstract policy considerations in the data privacy space; they are becoming a basis for hands-on investigative and enforcement activity at the state level, increasingly aligned with parallel developments at the federal level.

For example, Florida’s Office of the Attorney General announced in early February 2026 the formation of the Consumer Harm from International Nefarious Actors (CHINA) Prevention Unit focused on risks associated with the transfer of Floridians’ data to China, and empowered the Unit to investigate and prosecute foreign corporations. As an early indicator of the Unit’s operations, it has issued information requests to U.S. medical device companies seeking details on Chinese ownership or control, obligations under China’s National Security Law, and whether sensitive operational or customer data may be accessible to Chinese government authorities. The same day, the Unit also issued subpoenas to a China-based, consumer-facing company seeking information on data privacy practices, advertising models, and data governance. These actions reflect a deliberate framing of data access as a national security issue, which is consistent with the broader federal reassessment of foreign access to U.S. persons’ data, rather than a conventional consumer protection or cybersecurity inquiry.

Florida is not alone, and the data privacy concerns cross party lines. Texas Attorney General Ken Paxton has been at the forefront of utilizing state enforcement authorities to challenge certain data practices tied to China, particularly where U.S. persons’ data may be subject to foreign legal compulsion, i.e., access. Texas has initiated several high-profile enforcement actions and investigations involving technology and e-commerce platforms operated by companies with Chinese ownership or ties. The Texas Attorney General has asserted that certain data collection and transfer practices of these companies present risks to Texans, using rhetoric usually reserved for national security threats.

Arizona has taken a similar, if less prolific, approach. In December 2025, Arizona Attorney General Kris Mayes engaged in enforcement actions and public warnings focused on the collection and handling of sensitive personal data by foreign-linked technology platforms, emphasizing transparency, data minimization, and control over onward data access.

While these state actions proceed under different statutes and legal theories, they reflect a shared premise echoed by U.S. federal authorities — that foreign ownership and control structures, particularly those subject to Chinese law, can translate into compelled access to U.S. persons’ data in ways regulators view as unacceptable and potentially illegal.

These state initiatives closely track, but operate independently from, recent federal developments reflecting the increasing national security focus on protecting access to Americans’ sensitive personal and government-related data. In April 2025, the U.S. Department of Justice implemented the Data Security Program (DSP) under Presidential Executive Order 14117 (Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern). The DSP established a transaction-based national security protection regime to prevent “countries of concern” and “covered persons” from accessing and exploiting U.S. Government-related data and Americans’ sensitive personal data. While the Data Security Program Rule provides important context and a shared vocabulary, the significance of current states’ activity is that attorneys general are advancing similar national security objectives through state enforcement mechanisms, independent of federal enforcement actions or formal coordination.

Against this backdrop, both federal and state regulators increasingly are asking the same core security-related questions with respect to Americans’ sensitive personal data, even as they proceed under different authorities. Who ultimately controls the entity with access to the data? What foreign laws impose duties to cooperate with intelligence or security services? Can a foreign government compel disclosure, access, or technical assistance? These questions, once associated primarily with federal national security reviews, are now appearing in state subpoenas, civil investigative demands, and enforcement inquiries.

For global companies, this paradigm has concrete operational implications. Regulators are examining corporate ownership structures, vendor and cloud service relationships, workforce location and access controls, and the foreign legal structures that may apply to personnel or service providers with access to sensitive personal data. The enforcement landscape is therefore shifting on two fronts simultaneously — and increasing compliance risk for the industry across critical infrastructure.

At the federal level, national security regulators have articulated a forward-looking framework through the issuance and enforcement of the Data Security Program Rule, which rather than misuse alone, treats access and control over data as the central risks. At the state level, attorneys general increasingly are incorporating parallel national security logic into state law investigations, even where no traditional data breach or consumer harm is alleged. For companies operating in data-intensive sectors, this convergence materially expands enforcement risk beyond any single regulator or statute.

Taken together, the enforcement actions in Florida, Texas, and Arizona referenced above, viewed alongside recent federal initiatives like the DSP, reflect a fundamental reclassification of sensitive personal data of U.S. persons. Access to that data is no longer viewed solely through a privacy prism as a central societal value, but increasingly as a matter of national security. Both federal and state regulators are signaling that they will scrutinize not only how data is used, but also who can access it and under what sovereign authority. For companies with operations in the U.S., this means that data governance increasingly requires an integrated assessment of technical access, organizational control, and foreign legal exposure.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.