Though the National Association of Attorneys General (NAAG) Presidential Initiative “Privacy in a Digital Age” expired in June 2013 when a new NAAG president took over, the state attorneys general have maintained their sharp focus on all things privacy, with no signs that that focus will shift anytime soon. Most recent case in point: a $17 million settlement with Google related to Google’s use of tracking cookies on Safari browsers.
On November 18, 37 states and the District of Columbia announced the settlement with Google, which resolves an investigation that began in February 2012. Default settings on Apple’s Safari browser do not allow for tracking across different websites. The investigation centered on whether Google tricked the browser into allowing such tracking, ostensibly in contradiction to the user’s choice not to be tracked. Google faced similar scrutiny from the FTC, which entered into a $22.5 million settlement with the search engine giant late last year.
In addition to the $17 million payment, the state AG settlement prohibits Google, without the express consent of an individual user, from overriding that user’s Internet browser’s setting to block tracking cookies. Google is also prohibited from misrepresenting the extent to which a user can manage how Google serves advertisements. Google must create and maintain a page that informs users about cookies, Google’s use of cookies, and user control over cookies. This separate “Cookie Page” must be maintained for five years.
Privacy investigations and enforcement actions are not just handled through the multistate vehicle; individual states are pursuing their own actions, scrutinizing website and mobile app privacy policies, investigating data security breaches, and paying close attention to how entities treat sensitive data like children’s information and health information. For example, California has been particularly active in this area, releasing mobile app best practices guidance earlier this year, which followed on the heels of enforcement actions filed against mobile application developers for alleged non-compliance with California’s privacy policy requirements.
Several states have also flexed their muscles in the health care arena, enforcing data breach notification requirements for the loss of protected health information under the Health Insurance Portability and Accountability Act (HIPAA). Connecticut led the charge in 2010, exercising the new enforcement authority granted to the states under the HITECH Act, with a lawsuit against Health Net. In 2012, both Massachusetts and Minnesota entered the arena with investigations of their own. With this year’s release of final rules under HITECH and a renewed national focus on health care, we wouldn’t be surprised to hear about more states jumping into that privacy arena soon.