Privacy Advisor

State AGs: The Most Important Regulators in the U.S.?

Last year saw a flurry of AG engagement in privacy. Will 2014 see the same?

November 26, 2013


By Divonne Smoyer, CIPP/US, and Aaron Lancaster, CIPP/US

As 2013 amply demonstrated, the Federal Trade Commission (FTC) and European data protection authorities (DPAs) are not the only sheriffs in town when it comes to data privacy. State attorneys general (AGs) continue to walk the data privacy beat. Throughout 2013, AGs made data privacy a major policy and enforcement focus with a variety of educational, enforcement and litigation efforts to ensure that they are leaders in protecting the privacy of their citizens. AGs were a force in the privacy movement in 2013 and can be expected to continue to exercise influence for the foreseeable future.

AGs Made Data Privacy a Major Policy Initiative in 2013

Throughout 2013, data privacy (Privacy in the Digital Age) was the Presidential Initiative Topic of National Association of Attorneys General (NAAG) President and Maryland AG Doug Gansler. As a result of this initiative, the attention of all 50 AGs was brought to bear on data privacy issues throughout the year, resulting in a variety of legislative, policy and enforcement actions. This initiative culminated in a Presidential Initiative Summit at which AGs and their senior staff heard from numerous business interests, state and federal enforcement and regulatory agencies, academia and consumer advocacy groups on multiple novel data privacy topics, including protecting business and government from cyber-risks; protecting the privacy of consumers, especially children, on the Internet; and addressing the impact of “Big Data” on consumer privacy. The largest takeaway was the request for AGs to be more active enforcers of consumer data privacy, coming both from consumer advocates and from current and former federal regulators, including FTC Commissioner Julie Brill, a former assistant AG in Vermont and North Carolina (two of the most active consumer protection offices in the country), who requested that AGs take action where the FTC cannot.

Many of these issues will be the focus of AGs in 2014 as well, given that there are strong indications that cybercrime and cybersecurity will be among the topics for the next NAAG Presidential Initiative, ensuring that these issues remain a focus of AGs for the coming year.

California Continues To Be a Leader on Data Privacy

In 2002, California was the first state to enact data breach legislation and has remained active on data privacy ever since. This year, however, was a landmark year in California with important new legislation as well as significant activity by California AG Kamala Harris.

On the legislative front, California enacted several new laws in September, with the support and encouragement of AG Harris, to strengthen consumer privacy. Notably, California amended its data breach notification statute, greatly expanding the definition of personal information to include username and/or e-mail address in combination with password, sweeping into its notification law data breaches that do not compromise traditional sensitive financial information. California also amended its laws to require websites to tell visitors how they respond to “Do-Not-Track” signals from web browsers, and took a significant step in providing consumers with the “right to be forgotten,” allowing minors to erase content they post on websites.

Harris was also active on a variety of other data privacy fronts. She collaborated with six top app developers to release in January “Privacy on the Go,” a best practices guide for mobile app developers that urges them to consider consumer privacy early in the development process. She also issued the state’s first-ever report summarizing the data breaches affecting California residents that occurred in 2012 and providing key recommendations and “lessons learned” for businesses, including stressing the need for data encryption. On the litigation front, although AG Harris’ landmark lawsuit against Delta Airlines for failing to include a privacy policy in its mobile app encountered a setback when the judge tossed the suit on the basis that the federal Airline Deregulation Act preempted enforcement of the California law, AG Harris continues her focus on protecting mobile privacy. Other lawsuits against app developers are likely to follow.

Other States Equally Active on Protecting Citizens’ Data Privacy

California was not the only state that made headlines on data privacy this year. AGs around the country remain committed to protecting their citizens’ privacy, and are engaging in a variety of activities to do so.

In addition to his NAAG Presidential Initiative, Maryland AG Doug Gansler joined several other AGs, such as those of California and Connecticut, in creating his own Internet Privacy Unit to ensure that companies that operate online comply with consumer protection laws. He also called for the state to strengthen its laws to make a violation of COPPA enforceable in state courts and led a coalition of 22 state AGs in commending Google for its efforts to address issues related to transparency and protecting consumer privacy that the AGs had raised with Google previously, although the AGs also noted that Google still had progress to make in the area of privacy protections.

Connecticut AG George Jepsen also was very active on data privacy enforcement. After a joint investigation with California revealed a vulnerability in Citibank’s online account service that permitted hackers to access user accounts, in August the bank agreed to pay Connecticut $55,000 and to submit to a third-party audit of its online credit card account system. Additionally, the Connecticut AG was one of the leaders on the Google Street View investigation, which led to Google’s March settlement with 38 AGs. Google agreed to pay $7 million after admitting that its Street View mapping project violated people’s privacy by collecting passwords, e-mail addresses and other information from nearby computers, and, importantly, agreed to proactively monitor its employees’ actions and to provide consumers with guidance about how to protect themselves from similar invasions of privacy.

Other AGs engaged in their own enforcement actions as well. Acting New Jersey AG John Jay Hoffman reached a $1 million settlement with online advertiser PulsePoint in July. The settlement resolved allegations that PulsePoint improperly accessed and tracked consumer browsing habits by using new technology to bypass web browser privacy settings and then allegedly used that information to target advertisements to New Jersey computers. In September, Vermont AG Bill Sorrell reached a settlement with Natural Provisions grocery store after it failed to timely notify consumers of a data breach and to take corrective measures, requiring it to perform security upgrades and pay $15,000 in penalties. Given Sorrell’s continued interest in data privacy, 2014 is likely to bring additional similar enforcement actions. That said, demonstrating that not all AG attention is negative, Missouri AG Chris Koster in July cleared Schnucks Markets, Inc., of any wrongdoing following a security breach. Koster concluded that Schnucks did not violate any data security laws related to a data breach that exposed the information of 2.4 million payment cards, and declared that the grocer itself was a victim of crime.

Finally, like California, other states also made significant changes in their data breach notification laws, including Texas, which amended its law to expand its application not only to states that have no notification law but to all other states as well; North Dakota, where the legislature expanded the definition of personal information to include health insurance and medical information; and Vermont, which now requires regulated financial institutions to provide notice of a breach to the state’s Department of Financial Regulation.

The last year was an eventful one in the area of data and online privacy, with more laws, more enforcement actions and generally increased AG scrutiny. Given that we are not likely to see federal preemption of state authority in this area anytime soon—and that the FTC is encouraging state action on data privacy—it remains critical that privacy professionals expand their focus beyond the FTC and DPAs to consider AGs, who are rapidly becoming the most important data privacy regulators around.

Divonne Smoyer is a Washington, DC-based partner in Dickstein Shapiro’s State Attorneys General Practice, where she advises clients on a wide range of legal matters, including cybersecurity and data privacy issues. She has been recognized repeatedly by Chambers USA: America’s Leading Lawyers for Business as one of the country’s top attorneys in her field. Smoyer has extensive experience counseling major corporations through government investigations and litigation, as well as private litigation. She is also a Certified Information Privacy Professional. Divonne can be found on Twitter @DivonneSmoyer.

Aaron Lancaster is counsel in Dickstein Shapiro’s State Attorneys General Practice, where he primarily represents clients in state investigations and litigation in a wide variety of consumer protection and data privacy matters. He also counsels clients on building relationships with State Attorneys General to minimize their exposure to state-led lawsuits and negative publicity and advises them on dealing with data breaches and other privacy concerns. He is also a Certified Information Privacy Professional.