States have been grappling with questions around data ownership following a 2025 executive order, as it could require the sharing of information they collected with, in some cases, the promise of privacy. Some governments have taken actions in recent years to make data collection more inclusive in an effort to better serve all residents, taking into consideration things like disability, gender identity and immigration status.
However, immigration status data is sensitive, and state and local governments are facing concerns about sharing it with the U.S. Immigration and Customs Enforcement (ICE).
So, what authority does the federal government have to access state data sets? The answer depends, both on the program and the nature of the request, according to Tanya Broder, the National Immigration Law Center’s senior counsel for health and economic justice policy.
CONSIDERATIONS FOR STATES
States can take steps, like requiring a judicial order to access certain information, to protect the data of their residents, Broder said. This can help governments administer programs without compromising residents’ safety or constitutional rights, she said.
One example she highlighted, in which litigation is ongoing, is the U.S. Department of Health and Human Services agreeing to share information about Medicaid recipients with the Department of Homeland Security. Twenty-two states have challenged this in court. This shift, Broder emphasized, will deter both citizens and immigrants from seeking critical services, and will affect the health-care infrastructure that serves all residents: “The harm will extend far beyond any targeted individual.”
While states are required to comply with federal laws, some have enacted measures to protect privacy, Broder said; in fact, an array of laws passed in 2025 and 2026 limit state or local government entanglement with federal immigration enforcement actions. Colorado enacted Senate Bill 25-276 last year, which protects data privacy by restricting the collection and sharing of immigration-related data so that all Coloradans feel “welcome” to receive government services. Elsewhere, the Illinois TRUST Act, enacted in 2017, restricts law enforcement data sharing with federal immigration officials.
“The TRUST Act is a vital safeguard that ensures all Illinois residents — regardless of immigration status — can safely interact with state and local law enforcement without fear of unlawful detention or discrimination,” a spokesperson for the Office of the Illinois Attorney General said via email, underlining that the act strengthens public safety and constitutional protections.
A January paper from the Center for Democracy and Technology (CDT) — authored by senior policy analyst Quinn Anex-Ries and policy analyst Maddy Dwyer, both of whom serve on CDT’s Equity in Civic Technology Team — addresses state legislative efforts on this front. The paper found that 29 states had introduced 79 bills and resolutions related to federal data access requests during the last session — either strengthening or weakening data privacy protections. Of these, 17 were enacted.
These federal data requests may be sent to state officials or government service providers, Dwyer said, so states and localities must assess government data protections as well as those within vendor contracts.
One pre-emptive action governments can take is to stop collecting sensitive data like immigration status unless it is legally required, Anex-Ries said, because with less information in state and local governments’ possession, there are fewer vulnerabilities that can be exploited. Anex-Ries pointed not only to citizenship status but also to data on factors like sexual orientation or gender identity that “could be targeted by the federal government or bad actors.”
Some state governments have employees or teams dedicated to supporting other agencies in their response to such data requests.
For example, Minnesota Department of Administration’s Data Practices Office Director Taya Moxley-Goldsmith supports both government and the public with questions about data sharing, offering insight as to how state statute and federal law govern such actions. Not a lot of questions have been received about data sharing in the context of its use for immigration enforcement, she said — but she underlined that the ability to share data with federal agencies depends on whether there is a public classification for the data. If the data is not public, sharing it requires consent.
California’s assistant state chief data officer, Matt Zhou, works within the state Office of Data and Innovation. His office developed a toolkit in response to state agency needs, to make data privacy guidance and information more accessible to government teams and the vendors that work with them.
“There is no one-size-fits-all model for evaluating impact and risk for different state programs,” Zhou said, noting that state data privacy policies, like the California Information Practices Act and State Information Management Manual, apply.
The toolkit focuses on data minimization best practices, discipline for internal systems and IT vendor contracts that process data on behalf of state programs, and clear governance processes and communication for handling external data requests. When it comes to data from underserved communities, Zhou said there is a need to strike “the right balance between impact and privacy,” because accurate representation is important in serving these populations, but they may face unique privacy risks.
“Pull in legal counsel if your organization receives data requests, the earlier the better,” Zhou said. He advised other state data privacy officials to build from existing frameworks, policies and processes and establish clear data governance processes.
CONSIDERATIONS BEYOND STATE GOVERNMENT
Local governments, too, have taken action to protect data security, Broder said. Some have restricted the use of their own resources in federal immigration enforcement. Others are restricting data sharing or ensuring agencies do not collect more information than necessary for the programs they administer.
“Locals don’t have to wait until types of requests like this come to them,” Dwyer said, noting they can proactively assess and update their own data privacy policies.
Data privacy protections not only apply to government agencies but also private-sector companies that work with governments.
“If a state or local agency has control over their data, they can also control the entities that either gain access to or use their data,” Broder said.
In addition to addressing data privacy in new contracts, Dwyer said state and local governments can also take steps to relitigate and strengthen existing contracts, to address vulnerabilities in data protection provisions.
The Privacy Act of 1974 established “relatively comprehensive protections” on federal agencies’ handling of personal data, but Anex-Ries said there are questions about whether the current administration is following the law, and whether it should be modernized given changes to technology and data practices.
Concerns about data privacy could decrease trust in government, leading to “chilling effects across public service,” Anex-Ries said, calling on lawmakers to ensure sensitive information is protected from “federal overreach.”
“Immigrants and citizens live together in families and communities … compromising the health of one person compromises the health of the entire community and the infrastructure that serves us,” Broder said. “Anything that appears to be targeted only at one subgroup will inevitably harm us all.”
