State Attorneys General as U.S. Privacy Regulators—Q & A with Maryland AG Doug Gansler
By Divonne Smoyer, CIPP/US
As the debate continues at the national level as to who should regulate privacy in the U.S. and what direction such regulation should take, states increasingly have been ramping up their legislative and legal enforcement efforts to protect consumer and employee privacy.
Maryland Attorney General (AG) Doug Gansler has been at the forefront of efforts by state attorneys general to protect privacy. In 2013, as the president of the National Association of Attorneys General (NAAG), Gansler’s policy focus was "Privacy in the Digital Age," which is widely credited for facilitating awareness of the importance of AGs as privacy regulators as well as for stepping up AG enforcement actions against entities that may not sufficiently protect private data or otherwise comply with federal and state privacy regulations.
In this Q & A, Gansler discusses his privacy initiative, his priorities in the area of privacy enforcement and what entities that gather or maintain data on consumers or employees can expect to see from Maryland and other states in the future.
The Privacy Advisor: What was the driver of your NAAG initiative, and what do you see as its legacy?
Gansler: The driver of my initiative was the safety of consumers, who are living more and more of their lives online—from banking to grocery shopping to socializing. State attorneys general have long been champions of consumers’ privacy in the physical marketplace, where breaches of privacy are more easily contained—if a company improperly disposes of a file with sensitive personal information a consumer shared, it may only be seen by a few people. In the Digital Age, however, the risks of sharing sensitive personal information are far greater. With a couple of clicks, a consumer’s information could be viewable across the globe and used for fraudulent purposes in a matter of minutes. I wanted AGs, as consumer advocates, to help consumers build awareness of how to keep their personal information safe while enjoying their online experiences and press online businesses to commit to improved privacy protections.
I would point to two big changes in the online space as the legacy of my initiative. First, we have succeeded in getting major Internet companies like Google to focus significant attention on the strength and usability of their privacy controls through collaboration and, where necessary, enforcement actions. Second, through these efforts we have spurred a lively national conversation among consumers about how they can best protect their privacy. With our help, consumers are educating themselves on how to be privacy-savvy when using the Internet. When it comes to privacy, an ounce of prevention is worth a pound of cure.
The Privacy Advisor: Beyond your work as NAAG president, you have established within your own office an Internet Privacy Unit. What can readers expect to come out of it?
Gansler: Readers can expect increased vigilance from our office on matters of Internet privacy and real accountability for those bad apples that breach consumers’ trust by either mishandling their private information or misrepresenting how they treat private information. Although the Internet Privacy Unit has been operating for less than a year, it has already opened several investigations, and it led the recent $17-million multistate settlement with Google over Google’s tracking of Safari users without their knowledge or consent and misrepresentations Google made about how it honored consumers’ privacy settings with respect to cookies. That settlement was the largest privacy-focused settlement in state AG history and established firm privacy protections for Google users going forward.
Readers can also expect increased outreach to consumers and businesses. Members of the Internet Privacy Unit have given presentations to multiple audiences on privacy protection, and the unit is working on newly updated educational programming—both through our website and through live trainings—aimed at helping consumers take control of their online privacy. The unit has also worked with businesses to highlight best practices and has partnered with Internet industry leaders to raise awareness of the existing privacy protections they offer.
The Privacy Advisor: Maryland, like most states, has a data breach notice law, as well as substantive privacy laws. A recent example is a new law governing protection of employees' social media passwords. What legislative measures can readers expect to see in Maryland—and elsewhere—in the future governing privacy?
Gansler: I think one area where we will see more legislative activity is online privacy for children and teens. For today’s kids, online sharing of information is as natural as breathing, but they are often too young and unsophisticated as consumers to foresee how their shared information may be exploited by unknown third parties without their consent. I think we will see more efforts to protect the privacy of data shared by kids, e.g., data students store in the cloud at their schools, location data they share via their mobile phones and tablets and the like. This year my office convened a Workgroup on Children’s Online Privacy Protection—composed of leading consumer, public health and industry groups—to study some of these issues. Its report is available here.
I also think readers can expect to see more efforts to update existing state privacy laws to keep up with the changing times. Many states’ laws regarding online privacy were written well before the iPhone was invented and even before most people had heard of Google. Since then, the types of information that can be easily collected have changed dramatically—companies now regularly collect geolocation and fingerprint data, for instance—and consumers’ notions of what they consider “private information” has changed as well. State privacy laws need to be updated to meet current privacy needs.
The Privacy Advisor: You also were a strong advocate of enhancing the ability of your office to enforce the federal Children's Online Privacy Protection Act in state court. Further, AGs have enforcement authority under other federal privacy laws such as HIPAA/HITECH, GLBA and FCRA. Can readers expect to see stepped up enforcement of these federal laws by AGs?
Gansler: Absolutely. Our federal partners in privacy enforcement are doing a great job, but the Internet has literally millions of businesses, and the resources of any one law enforcement agency will never be sufficient to combat privacy violations. The AGs therefore play a critical role in enforcing federal privacy laws and we will be doing all we can to help keep the online marketplace safe for our states’ consumers. One sector that is seeing a major shift to the online space is the healthcare sector. As more of our consumers’ healthcare transactions move online, we AGs will be keeping close watch on the handling of their health information.
The Privacy Advisor: Besides working with the FTC, AGs often work together on privacy cases. Recent matters in which you partnered with other AGs involve privacy issues concerning Google and Living Social. How often and under what circumstances do states come together to pursue enforcement action?
Gansler: State AGs collaborate frequently on enforcement matters related to privacy. The privacy-focused attorneys at each of our offices are in regular contact, so even when a case is being pursued by only one state, other states are generally kept abreast of the developments in that enforcement action. The decision to come together formally to pursue a multistate enforcement action depends in part on the nature of the specific privacy incident—its scope and complexity—and the number of consumers affected in multiple states. When private information is breached at a company that conducts its business primarily in one state, it is natural for that state to handle enforcement. However, the Internet makes it easy for a business to operate in multiple states, and we are seeing more and more cases involving breaches in one state that affect consumers in the majority of states.
The Privacy Advisor: Finally, do you have any tips for entities that may be facing an inquiry or investigation by your office on data loss or privacy protections?
Gansler: Three tips: transparency, transparency, transparency. When companies are forthright with us from the beginning, and cooperate to provide us with all the information we need to evaluate their privacy incident, we are better able to seek resolution. When companies delay notification to our state, provide conflicting information to different state AGs or limit what relevant information they do share, it only serves to raise more questions and prolong our investigation.
Divonne Smoyer is a Washington, DC-based partner in Dickstein Shapiro’s State Attorneys General Practice, where she advises clients on a wide range of legal matters, including cybersecurity and data privacy issues. She has been recognized repeatedly by Chambers USA: America’s Leading Lawyers for Business as one of the country’s top attorneys in her field. Smoyer has extensive experience counseling major corporations through government investigations and litigation, as well as private litigation. She is also a Certified Information Privacy Professional. Divonne can be found on Twitter @DivonneSmoyer.