With the passage of the California Consumer Privacy Act but no clear federal consumer privacy law on the imminent horizon, state Attorneys General (AGs) continue to investigate and analyze how best to protect their consumers. To further that goal, the National Association of Attorneys General hosted a panel entitled Emerging Issues in the Data Economy at its Winter Meeting in Washington, D.C. The panel was convened to discuss the role AGs can and should play in data privacy in an ever-changing economy. Doug Peterson, Nebraska’s AG, moderated the panel, which included Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection at the Federal Trade Commission (FTC), Ryan Krieger, Assistant AG, Public Protection Division of the Vermont Attorney General’s Office, and Daniel Castro, Vice President of the Information Technology and Innovation Foundation.
As with recent House and Senate Hearings addressing these topics, the focus remained on balance: what the legal landscape should look like, who should be doing the enforcing and how that enforcement should work, and how to protect consumers without stifling innovation and entrepreneurship.
Lawmaking. The panelists concurred that the best approach to determining the appropriate regulatory framework will occur when everyone works together. State AGs, Mithal explained, are closer to consumers – the FTC benefits from the information they get from the states. In turn, the states benefit from FTC’s expertise, which helps states craft laws and make enforcement decisions: Krieger noted that Vermont’s new data broker law was based directly on the FTC’s data broker report. The FTC is also planning to offer more specificity regarding reasonable security measures on data security, which will help the states prioritize continued enforcement, especially in the absence of a comprehensive federal consumer privacy law. Castro, however, cautioned against too much state action to avoid inconsistent regulatory frameworks and what he described as a patchwork of state laws.
Enforcement. All of the panelists envisioned additional cooperation between the FTC – and other federal enforcers – and AGs. Mithal referenced a number of joint enforcement actions between the FTC and the states, while Castro recognized that the states needed to step up in the absence of additional federal budget resources (which – he noted – the FTC deserved). The goal, according to the panel, is to make sure that laws are enforced without overlap and wasting resources.
Consumer protection and innovation. This, perhaps, is the hardest balance to achieve. Each panelist recognized the need to balance privacy protections with choice and convenience, and no one wanted to stifle innovation and entrench incumbents. Mithal noted that the FTC was mindful of compliance costs and instead wanted to give companies incentive to focus on risk management. Castro stressed that the data economy was so much more than large tech companies – it affected every sector of the economy. He pointed out that consumer analysis indicates that consumers like the current ad-based model, rather than a fee-for-service model. Consumers are most concerned about sensitive data, fraud, and discrimination. As a result, privacy laws, and resulting enforcement decisions, need to strike a balance between curbing harmful usage of personal data without restricting the vast majority of data use, collection, and sharing that is positive, beneficial, and consumer friendly.
One thing is clear: consumers and industry should know that state AGs are focused and motivated to work on data privacy issues, with or without a federal data privacy law. The AGs will have another opportunity to speak with the FTC at an upcoming FTC-hosted AG roundtable as part of its Hearings on Competition and Consumer Protection in the 21st Century (originally scheduled for March 25, 2019, but to be rescheduled). The FTC will also host a separate hearing on April 9 and 10, 2019 (rescheduled from February 12–13) on The FTC’s Approach to Consumer Privacy.