State Attorneys General (AGs) have been stalwart defenders of consumers’ privacy by vigorously enforcing data breach laws, investigating the misuse of consumer data, and advocating for passage of comprehensive data privacy legislation. As new threats and novel issues develop in this age of “big data,” AGs continue to protect their constituents’ privacy by utilizing existing laws, applying new enforcement tools, and educating consumers to protect themselves and their privacy. In doing so, AGs should also expand their collaborations with the FTC, use their position as “convenor in chief” to assist small businesses, and consider support for expanding private rights of action.
The right to privacy, guaranteed by federal and state constitutions and recognized by common law, is a cornerstone of our democratic society.1 However, many businesses collect personal information including details about an individual’s finances, geolocation, consumption, and social contacts. Unauthorized disclosure of this personal information and the resulting loss of privacy can be devastating. This includes identity theft, harassment, reputational damage, emotional distress, and physical harm (see endnote 1). Recent activity by AGs to protect consumers’ data privacy includes:
- 2018 investigation by AGs in NY,2 MA, and DC into Cambridge Analytica, which harvested Facebook’s data to influence the outcome of the 2016 Presidential election.3 4
- 2019 settlement between 50 AGs and Equifax for $600 million resulting from a data breach involving 147 million consumers’ sensitive information, such as social security numbers, names, dates of birth, credit card numbers, and in some cases driver’s license numbers.5
- 2022 settlement between 40 AGs and Google for misrepresentations and misuse of geolocation data. This settlement required Google to pay $391.5 million in penalties and injunctive relief.6
- AGs in CA, CO, CT, VA, and UT supported new laws that provide consumers with the right to access, verify, correct, delete, and opt out of the processing and use of their personal data.7 IA also recently passed data privacy legislation that allows consumers to access, delete, request, and opt out of sale of their data, but unlike the previously mentioned states, IA’s legislation “does not explicitly provide consumers the right to opt out of use of data for targeted advertising.”8
- OR AG Ellen Rosenblum led a task force that drafted H.B. 3284, a bill that protects personal health data from anyone that collects, uses, or discloses such information via a website or mobile application.9
State Attorneys General are Dedicating Resources to Protect Data Privacy and Facing Novel Issues Involving the Intersection of Reproductive Freedom, Threats from International Actors, and the Diminishing Authority of the Federal Trade Commission.
Novel issues in data privacy include topics such as the intersection of data privacy and reproductive rights, international threats to consumer data privacy, and the diminishing authority of the Federal Trade Commission (FTC). AGs remain dedicated to addressing these issues with consumers in mind. Many AGs have been integral in enforcing state laws to protect consumer data, including reproductive data, as well as educating consumers and the business community about data privacy risks—both domestic and abroad.
1. Protecting Consumer Data Privacy
AGs continue to protect consumers’ data privacy. Some states, such as MA, MN, CT and OR, have dedicated divisions or task forces focused on data security. Other states are utilizing new laws and creative applications of their unfair and deceptive practices acts to investigate and enforce violations of consumer data privacy. Some highlights include:
- CA AGO commenced an investigative sweep against those businesses that have failed to comply with the California Consumer Privacy Act, the state’s comprehensive data privacy law. The AGO has targeted retail, travel, and food service industries that allegedly failed to process consumer requests to opt out or delete their personal information.10
- AGOs from forty-nine jurisdictions are investigating Blackbaud, Inc., for a data breach incident involving a ransomware attack.11 12
- VT AGO filed suit and pursued claims against Clearview AI for unfair practices arising from the scraping of photos to create a facial recognition database without the permission of consumers.13
2. Data Privacy and Reproductive Rights
3. Threats to Data Security from International Actors
AGs continue to raise awareness about the need to harden IT system security in light of recent international ransomware attacks. For example, CO Attorney General Weiser joined fellow AGs in alerting businesses and governmental entities to take prompt action to protect operations and personal information in response to reported threats from international ransomware.16 The VT Attorney General’s Office hosted a cybersecurity webinar for small businesses to help them protect data privacy.17
4. The Supreme Court has Weakened the Federal Trade Commission’s Authority.
The FTC’s ability to seek remedial actions for unfair and deceptive trade practices, including those resulting from data breaches or the failure to protect consumer privacy, was significantly curtailed in AMG Capital Management, LLC v. FTC, 141 S.Ct. 1341 (2021). The Supreme Court held in AMG Capital that the FTC could not go straight to court to seek consumer restitution or disgorgement of ill-gotten profits. This leaves AGs with the opportunity to fill the enforcement vacuum created by the Supreme Court’s decision. Many AGs have statutory authority to seek restitution and disgorgement of profits under their respective consumer protection acts.18 It will fall upon the AGs to obtain such relief under their respective consumer protection acts.
On the Horizon for Data Privacy is an Expansion of Statutory Authority for State Attorneys General and Possible Federal Action.
The following actions offer insight into the future of consumer protection around data privacy:
- The following states have introduced legislation to enhance consumer data privacy: HI, IL, IN, LA, MA, MN, MN, NH, NJ, NY, NC, OK, OR, PA, RI, TN, TX, VT, and WA.19
- The FTC is exploring rulemaking to address commercial surveillance and lax data security standards.20 The FTC has also commenced an enforcement action against Kochava, Inc., for selling detailed mobile phone geolocation data without consumer consent. Geolocation permits the tracking of consumers to sensitive locations including places of worship, domestic abuse shelters, and reproductive health care providers. The FTC has alleged that Kochava’s activities constitute an unfair trade practice in violation of Section 5 of the FTC Act.21
- Congress is considering a national data privacy law. Previous versions of the law contained provisions that preempted state action.22
Below are recommendations for AGs to take further action to protect their constituents’ online data:
- AGs should work with the FTC and Congress to ensure that federal efforts to regulate data privacy do not preempt states’ ability to innovate and provide leadership in protecting consumers’ privacy.
- AGs should seek expanded opportunities to coordinate with the FTC on enforcement activity to get consumers monetary relief in light of the Supreme Court’s recent decision to scale back its authority to obtain restitution.
- AGs should consider whether private rights of action in various state consumer data privacy bills will assist in enhancing compliance. For example, IL’s Biometric Information Privacy Act and CA’s Consumer Privacy Act provide limited private rights of action.23 However, other states have not adopted this model for enforcing violations in their data privacy legislation.24 Some legal observers have commented that a private right of action would be an important additional resource to protect data privacy, especially because privacy is about a personal, dignitary right.25 Opponents cite the risk of nuisance lawsuits and concerns regarding these types of suits taking over a traditional sovereign role of an AG to seek penalties for violations of the law.26 Efforts to explore this important topic could include privacy forums given the disparate interests between industry stakeholders and privacy advocates. This may provide opportunities to dispel concerns about frivolous lawsuits, highlight the need to protect consumers from the ubiquitous trade in personal data, and find consensus.
- AGs should use their position as “convenor in chief” to help small businesses comply with new data privacy laws, assist those seeking abortion care to take precautions to protect their privacy, and raise awareness about the need to enhance data security.
The Leadership Center for Attorney General Studies is a non-partisan organization dedicated to educating the public about the important role state attorneys general play in addressing pressing issues, enforcing laws, and bringing about change.
Josh Diamond is the former Deputy Attorney General for the Vermont Attorney General’s Office. He currently practices law with Dinse, P.C., in Burlington, Vermont, and is a Legal Fellow for the Leadership Center for Attorney General Studies.
Kimberly Woods is the Deputy Policy Director for the Leadership Center for Attorney General Studies and Progressive State Leaders Committee. She is a former Deputy Prosecuting Attorney and has several years of legal experience and policy experience.
Britteny Jenkins is the former Policy Director for the Leadership Center for Attorney General Studies and Progressive State Leaders Committee. She is also a former Chief of Staff and Staff Director for the Subcommittee on Environment for the House Committee on Oversight and Reform in the U.S. House of Representatives. She also has several years of litigation experience, focused on commercial and bankruptcy litigation.
Jonathan Sclarsic is the Chief Operating Officer and General Counsel for the Leadership Center for Attorney General Studies and the Progressive State Leaders Committee. He is a former Assistant Attorney General and Director of the Division of Open Government in the Massachusetts Attorney General’s Office, and a former legislative director in the United States Senate.
1. Ca. Consumer Privacy Act, Declarations, Section 2; Colorado Privacy Act, Legislative Declaration, 6-1-1302.
2. States will be referenced in this paper by their two-letter postal code.
3. Zadrozny, B., & Collins, B. (2018, March 20). New York and Massachusetts to investigate Cambridge Analytica and Facebook. NBCNews.com. https://www.nbcnews.com/tech/security/new-york-massachusetts-investigate-cambridge-analytica-facebook-n858401.
4. Office of the Attorney General for the District of Columbia. (2018, December 19). AG Racine Sues Facebook for Failing to Protect Millions of Users’ Data. [Press release]. https://oag.dc.gov/release/ag-racine-sues-facebook-failing-protect-millions.
5. Pennsylvania Office of the Attorney General. (2019, July 22). AG Shapiro Secures $600 Million from Equifax in Largest Data Breach Settlement in History. [Press release]. https://www.attorneygeneral.gov/taking-action/ag-shapiro-secures-600-million-from-equifax-in-largest-data-breach-settlement-in-history/.
6. Michigan Department of Attorney General. (2022, November 14). 40 Attorneys General Announce Historic Google Settlement over Location Tracking Practices. [Press release]. https://www.michigan.gov/ag/news/press-releases/2022/11/14/40-attorneys-general-announce-historic-google-settlement-over-location-tracking-practices.
7. Ca. Civil Code 1798.100 et seq; Colo.Rev.Stat. 6-1-1301 et seq.; Va. Code § 59.1-575 et seq.; CT Gen. Stat. § 42-515 et seq.; Utah Code § 13-61-101 et seq.
8. Martinez, A. (2023, March 17). Iowa Unanimously Passes Data Privacy Law. Forbes. https://www.forbes.com/sites/alonzomartinez/2023/03/17/iowa-unanimously-passes-data-privacy-law/?sh=3e7187d1775f.
9. Spotlight: Privacy – Oregon Department of Justice. (2022, December 20). Oregon Department of Justice. https://www.doj.state.or.us/oregon-department-of-justice/office-of-the-attorney-general/spotlight-privacy/
10. Brush Up On Your Opt-Outs: Calif. AG Signals Mobile App Investigative Sweep. (2023, February 9). The National Law Review. https://www.natlawreview.com/article/brush-your-opt-outs-calif-ag-signals-mobile-app-investigative-sweep
11. Blackbaud, Inc., SEC Form 10-Q, March 22, 2022.
12. In re: Blackbaud, Inc., Consumer Data Breach Litigation, 567 F.Supp.3d 667 (D.S.C. 2022)
13. Office of the Vermont Attorney General. Attorney General Wins Significant Victory in Clearview AI Lawsuit. (2020, September 11). [Press release]. https://ago.vermont.gov/blog/2020/09/11/attorney-general-wins-significant-victory-clearview-ai-lawsuit
14. Office of the New York State Attorney General. CONSUMER ALERT: Attorney General James Provides Guidance to Protect the Digital Privacy of People Seeking Abortion Care. (2022, May 13). [Press release]. https://ag.ny.gov/press-release/2022/consumer-alert-attorney-general-james-provides-guidance-protect-digital-privacy
15. Larson, E. (2023, March 10). Apple Called Out by New Jersey AG Over Period-Tracking Apps. Bloomberg.com. https://www.bloomberg.com/news/articles/2023-03-10/apple-called-out-by-new-jersey-ag-over-period-tracking-apps#xj4y7vzkg; New Jersey Office of Attorney General. AG Platkin Leads Multistate Coalition Urging Apple to Take Practical Steps to Protect Consumers’ Reproductive Health Information on Apple App Store in the Wake of U.S. Supreme Court Dobbs Decision. (2022, November 21). [Press release]. https://www.njoag.gov/ag-platkin-leads-multistate-coalition-urging-apple-to-take-practical-steps-to-protect-consumers-reproductive-health-information-on-apple-app-store-in-the-wake-of-u-s-supreme-court-dobbs-deci/
16. Colorado Office of Attorney General. Attorney General Phil Weiser joins fellow AGs in alerting businesses and government entities to take prompt action to protect operations and personal information. (2021, July 29). [Press release]. https://coag.gov/press-releases/7-29-21-2/; Vermont Attorney General Cybersecurity for Small Business Webinar, Privacy and Data Security, Office of the Vermont Attorney General (Oct. 5, 2022).
17. Privacy and Data Security. (n.d.). Office of the Vermont Attorney General. https://ago.vermont.gov/privacy-data-security
18. Several examples include 9 V.S.A. § 2458(b)(2); Conn.Gen.Stat. § 42-110p; Wash.Rev.Code § 19.86.080
19. US State Privacy Legislation Tracker. (2023, April 14). International Association of Privacy Professionals. Retrieved April 21, 2023, from https://iapp.org/media/pdf/resource_center/State_Comp_Privacy_Law_Chart.pdf.
20. Federal Trade Commission. FTC Explores Rules Cracking Down on Commercial Surveillance and Lax Data Security Practices. (2022, August 11). [Press release]. https://www.ftc.gov/news-events/news/press-releases/2022/08/ftc-explores-rules-cracking-down-commercial-surveillance-lax-data-security-practices
21. Complaint, FTC v. Kochava, Inc., FTC Docket No. 2:22-cv-377 (August 29, 2022).
22. State of California Department of Justice Office of Attorney General. Attorney General Bonta, Governor Newsom and CPPA File Letter Opposing Federal Privacy Preemption. (2023, February 28). [Press release].
23. 740 ILCS 14/1; Ca. Civil Code § 1798.150.
24. See VA Code § 59.1-584; C.R.S. § 6-1-1310.
25. Lauren Henry Scholz, Private Rights of Action in Privacy Law, 63 Wm. & Mary L. Rev. 1639 (April 2022).
26. See Note, Private Attorneys General And The Defendant Class Action, 135 Harvard Law Rev. 1419, 1425 (March 2022); Kerry, C.F. & Morris, J.B. (2020, July 7). In privacy legislation, a private right of action is not an all-or-nothing proposition. Brookings. https://www.brookings.edu/blog/techtank/2020/07/07/in-privacy-legislation-a-private-right-of-action-is-not-an-all-or-nothing-proposition/.