Enforcing U.S. Consumer Data Privacy Laws Part 2: State Attorney General Enforcement

In this second installment, we focus on the role of state attorneys general in enforcing U.S. consumer data privacy laws. This article builds on the first installment in the series.

Most federal privacy laws do not preempt applicable state law; instead, they establish minimum federal standards that states may supplement with more stringent or complementary requirements. This means that businesses can face simultaneous enforcement actions under multiple laws, enforced by different authorities, on the same alleged facts. Business leaders should not presume that complying with a federal law will ensure adherence to a potentially higher state standard, nor should they assume that enforcement activity by one authority will bar actions by others.

State attorney general offices have a long-standing role in privacy enforcement through their function as consumer protection advocates. In addition, the National Association of Attorneys General acts as a coalition to advocate on behalf of their citizens’ privacy rights.

Enforcement of State Consumer Protection Laws. Most states have consumer protection laws that prohibit unfair and deceptive acts and practices, known as UDAP statutes, which mirror the FTC Act. Recent examples of state consumer protection law enforcement by attorneys general include:

  • The Massachusetts attorney general joined a coalition of 40 attorneys general in reaching a $391.5 million settlement with Google, with $9.3 million to be paid to the Commonwealth, for misleading consumers about its location tracking practices in alleged violation of state consumer protection laws.
  • The Indiana attorney general filed a lawsuit against TikTok Inc. and ByteDance Ltd. alleging data security misrepresentations in violation of deceptive consumer sales laws, based on TikTok’s purported secret cooperation and data sharing with the Chinese government despite promises to consumers that data is not shared and is protected by a U.S.-based security team.

Enforcement of State Data Breach Notification Laws. Many states have passed data breach response laws that require certain reporting and impose liability on companies, under certain circumstances, in the event of a breach of their data security. Recent examples of state data breach law enforcement by attorneys general include:

  • The Pennsylvania attorney general, in a coalition of seven attorneys general, announced an $8 million agreement with convenience store Wawa to resolve a data breach that compromised approximately 34 million payment cards due to the company’s failure to employ reasonable security measures.
  • The Massachusetts attorney general reached a $230,000 settlement with a Rhode Island job placement company concerning its failure to implement proper security programs to protect personal information following a data breach that impacted more than 3,000 residents.

Enforcement of Federal Law. Some federal statutes, such as HIPAA and COPPA, also authorize state attorneys general to enforce violations affecting residents of their respective states. Recent examples of federal law enforcement by attorneys general include:

  • The New York attorney general participated in a COPPA enforcement action against Google and YouTube, resulting in a settlement payment of $34 million to New York as part of a $170 million national settlement.
  • The Oregon and Utah attorneys general settled a data breach enforcement case against Avalon Healthcare Management concerning email security practices and compliance with HIPAA following a 2019 data breach that exposed the protected health information of 14,500 Avalon employees and patients.

Enforcement of State Consumer Privacy Laws. In addition, a handful of U.S. states have passed comprehensive consumer data privacy statutes, including (at the time of this publication) California, Colorado, Connecticut, Indiana, Iowa, Virginia, and Utah. Except for California, which is the only state to have created a new regulatory agency, the California Privacy Protection Agency, to oversee consumer privacy protection, each of these comprehensive privacy laws looks to the state’s attorney general for enforcement.

Critically, the resources and funding allocated for enforcement will affect the ability of state authorities to pursue actions across the full scope of the laws they are tasked with enforcing. For example:

  • California’s attorney general reached a stipulated judgment with Sephora, Inc. to pay $1.2 million to resolve allegations that the company violated the California Consumer Privacy Act (CCPA) by failing to disclose the sale of personal information, to process user requests to opt out of data sales, or to cure violations within 30 days.

In our next installment, we’ll discuss how private litigants also have enforcement authority under U.S. federal and state privacy laws, and the added complexity this creates in an already complicated tapestry of enforcement actors.

If you have any questions or concerns about consumer data privacy laws, would like to know whether they apply to your business, or if there are particular topics you’d like us to address in the future, please contact Melanie Conroy, Vivek Rao, or Ariel Pardee.