Issue Brief

The Role of State Attorneys General in Protecting Consumers’ Data Privacy

Summary

State Attorneys General (AGs) have been stalwart defenders of consumers’ privacy by vigorously enforcing data breach laws, investigating the misuse of consumer data, and advocating for passage of comprehensive data privacy legislation. As new threats and novel issues develop in this age of “big data,” AGs continue to protect their constituents’ privacy by utilizing existing laws, applying new enforcement tools, and educating consumers to protect themselves and their privacy. In doing so, AGs should also expand their collaborations with the FTC, use their position as “convener in chief” to assist small businesses, and consider support for expanding private rights of action.

Introduction

The right to privacy, guaranteed by federal and state constitutions and recognized by common law, is a cornerstone of our democratic society.1 However, many businesses collect personal information including details about an individual’s finances, geolocation, consumption, and social contacts. Unauthorized disclosure of this personal information and the resulting loss of privacy can be devastating. The harms include identity theft, harassment, reputational damage, emotional distress, and physical harm (see footnote 1). Recent activity by AGs to protect consumers’ data privacy includes:

  • 2018 investigation by AGs in NY2, MA, and DC into Cambridge Analytica, which harvested Facebook’s data to influence the outcome of the 2016 Presidential election.3 4
  • 2019 settlement between 50 AGs and Equifax for $600 million resulting from a data breach involving 147 million consumers’ sensitive information, such as social security numbers, names, dates of birth, credit card numbers, and in some cases driver’s license numbers.5
  • 2022 settlement between 40 AGs and Google for misrepresentations and misuse of geolocation data. This settlement required Google to pay $391.5 million in penalties and injunctive relief.6
  • AGs in CA, CO, CT, VA, and UT supported new laws that provide consumers with the right to access, verify, correct, delete, and opt out of the processing and use of their personal data.7 IA also recently passed data privacy legislation that allows consumers to access, delete, request, and opt out of sale of their data, but unlike the previously mentioned states, IA’s legislation “does not explicitly provide consumers the right to opt out of use of data for targeted advertising.”8
  • OR AG Ellen Rosenblum led a task force that drafted H.B. 3284, a bill that protects personal health data from anyone that collects, uses, or discloses such information via a website or mobile application.9

 

State Attorneys General are Dedicating Resources to Protect Data Privacy and Facing Novel Issues Involving the Intersection of Reproductive Freedom, Threats from International Actors, and the Diminishing Authority of the Federal Trade Commission.

Novel issues in data privacy include topics such as the intersection of data privacy and reproductive rights, international threats to consumer data privacy, and the diminishing authority of the Federal Trade Commission (FTC). AGs remain dedicated to addressing these issues with consumers in mind. Many AGs have been integral in enforcing state laws to protect consumer data, including reproductive data, as well as educating consumers and the business community about data privacy risks—both domestic and abroad.

1. Protecting Consumer Data Privacy

AGs continue to protect consumers’ data privacy. Some states, such as MA, MN, CT and OR, have dedicated divisions or task forces focused on data security. Other states are utilizing new laws and creative applications of their unfair and deceptive practices acts to investigate and enforce violations of consumer data privacy. Some highlights include:

  • CA AGO commenced an investigative sweep against those businesses that have failed to comply with the California Consumer Privacy Act, the state’s comprehensive data privacy law. The AGO has targeted retail, travel, and food service industries that allegedly failed to process consumer requests to opt out or delete their personal information.10
  • AGOs from forty-nine jurisdictions are investigating Blackbaud, Inc., for a data breach incident involving a ransomware attack.11 12
  • VT AGO filed suit and pursued claims against Clearview AI for unfair practices arising from the scraping of photos to create a facial recognition database without the permission of consumers.13

2. Data Privacy and Reproductive Rights

Several AGs have provided the public with helpful guidance regarding data privacy and access to abortion services following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which overturned Roe v. Wade and eliminated the constitutional right to abortion. This included guidance from the DC and NY AGOs recommending that users turn off location services and ad personalization on cell phones, enable VPN and private web browsers, send messages through end-to-end encrypted platforms, exercise caution in posting to social media, limit the use of cookies, and take advantage of online privacy settings.14 NJ AG Matthew Platkin recently led efforts with seven other states asking Google and Apple to ensure apps sold on their platforms meet privacy standards necessary to protect against the misuse of private reproductive health data.

3. Threats to Data Security from International Actors

AGs continue to raise awareness about the need to harden IT system security in light of recent international ransomware attacks. For example, CO Attorney General Weiser joined fellow AGs in alerting businesses and governmental entities to take prompt action to protect operations and personal information in response to reported threats from international ransomware.16 The VT Attorney General’s Office hosted a cybersecurity webinar for small businesses to help them protect data privacy.17

4. The Supreme Court has Weakened the Federal Trade Commission’s Authority

The FTC’s ability to seek remedial actions for unfair and deceptive trade practices, including those resulting from data breaches or the failure to protect consumer privacy, was significantly curtailed in AMG Capital Management, LLC v. FTC, 141 S.Ct. 1341 (2021). The Supreme Court held in AMG Capital that the FTC could not go straight to court to seek consumer restitution or disgorgement of ill-gotten profits. This leaves AGs with the opportunity to fill the enforcement vacuum created by the Supreme Court’s decision. Many AGs have statutory authority to seek restitution and disgorgement of profits under their respective consumer protection acts.18 It will fall upon the AGs to obtain such relief under their respective consumer protection acts.

On the Horizon for Data Privacy is an Expansion of Statutory Authority for State Attorneys General and Possible Federal Action.

The following actions offer insight into the future of consumer protection around data privacy:

  • The following states have introduced legislation to enhance consumer data privacy: HI, IL, IN, LA, MA, MN, MN, NH, NJ, NY, NC, OK, OR, PA, RI, TN, TX, VT, and WA.19
  • The FTC is exploring rulemaking to address commercial surveillance and lax data security standards.20 The FTC has also commenced an enforcement action against Kochava, Inc., for selling detailed mobile phone geolocation data without consumer consent. Geolocation permits the tracking of consumers to sensitive locations including places of worship, domestic abuse shelters, and reproductive health care providers. The FTC has alleged that Kochava’s activities constitute an unfair trade practice in violation of Section 5 of the FTC Act.21
  • Congress is considering a national data privacy law. Previous versions of the law contained provisions that preempted state action.22

 

Recommendations
Below are recommendations for AGs to take further action to protect their constituents’ online data:

  1. AGs should work with the FTC and Congress to ensure that federal efforts to regulate data privacy do not preempt states’ ability to innovate and provide leadership in protecting consumers’ privacy.
  2. AGs should seek expanded opportunities to coordinate with the FTC on enforcement activity to get consumers monetary relief in light of the Supreme Court’s recent decision to scale back the FTC’s authority to obtain restitution.
  3. AGs should consider whether private rights of action in various state consumer data privacy bills will assist in enhancing compliance. For example, IL’s Biometric Information Privacy Act and CA’s Consumer Privacy Act provide limited private rights of action.23 However, other states have not adopted this model for enforcing violations in their data privacy legislation.24 Some legal observers have commented that a private right of action would be an important additional resource to protect data privacy, especially because privacy is about a personal, dignitary right.25 Opponents cite the risk of nuisance lawsuits and concerns regarding these types of suits taking over a traditional sovereign role of an AG to seek penalties for violations of the law.26 Efforts to explore this important topic could include privacy forums given the disparate interests between industry stakeholders and privacy advocates. This may provide opportunities to dispel concerns about frivolous lawsuits, highlight the need to protect consumers from the ubiquitous trade in personal data, and find consensus.
  4. AGs should use their position as “convener in chief” to help small businesses comply with new data privacy laws, assist those seeking abortion care to take precautions to protect their privacy, and raise awareness about the need to enhance data security.

 

The Leadership Center for Attorney General Studies is a non-partisan organization dedicated to educating the public about the important role state attorneys general play in addressing pressing issues, enforcing laws, and bringing about change.