As states’ “top cops,” one of the primary responsibilities of state attorneys general (AGs) is consumer protection, and more and more AGs are focusing on how to protect consumer data privacy. Discussions at the recent Conference of Western Attorneys General (“CWAG”) Annual Meeting in Santa Barbara reflect this focus and demonstrate that state enforcers are looking at new authority, and new ways to expand their existing authority, to ensure that their citizens’ data privacy is protected.
These discussion took place during two separate panels, one focused on data privacy in general (moderated by American Samoa AG Ale and including senior AG staff from Arizona and New Mexico) and the other on connected devices (the Internet of Things or “IoT,” moderated by New Mexico AG Balderas and including senior AG staff from Colorado). The panels were wide-ranging, touching on issues such as the use of jail-broken IoT devices for piracy, proposed state legislation to prevent the use of unauthorized device repairers, and the protection of children online. Each panel, however, came back to a central focus: that states are continuing to look for more weapons in their data privacy enforcement arsenals.
Most importantly, panelists discussed the expanded use of unfairness authority under the FTC Act (and by extension, state laws on unfair and deceptive acts and practices). In the past, these laws were used primarily as tools to ensure that privacy representations that companies made were true and not deceptive (as the FTC did recently with respect to companies representing compliance with safe harbor frameworks). Use of unfairness authority would greatly expand the manner in which these laws are enforced. Similarly, panelists also discussed greater use of antitrust laws to investigate and take action, if necessary, against big tech companies.
Additionally, panelists called for the creation of new laws, citing both California’s IoT law (which goes into effect next year) as well as the possibility of GDPR-like federal legislation. That said, panelists made it clear that they would not welcome new laws that entrench incumbents, and any new law should put the onus for data privacy on the data collector (similar to the data fiduciary-like standard that has been introduced in New York). Panelists stressed that the key question for policymakers, enforcers, consumers and the tech industry is whether consumers have a property right in their data, which likely will be answered in the next few years, one way or another.
These panels, and countless other examples, continue to confirm that AGs are not going away when it comes to data privacy. In the likely absence of meaningful federal legislation, and with both new state laws such as CCPA and expanded use of existing authority, AGs continue to lead the charge. If companies are not yet thinking about their AG strategy, they should do so now.