Before there were state privacy laws, there was consumer protection.

After the Texas attorney general's office sued General Motors under the Texas Deceptive Trade Practices Act this week — ignoring its newly enforceable consumer privacy law — it is worth taking a closer look at the ways state-level consumer protections form a foundation for privacy rules.

Privacy pros and others building responsible digital products and services need to be aware of the baseline prohibitions built into these laws. Though they largely track the principle-based underpinnings of U.S. privacy practice, there may be some surprises in the details.

The character of existing consumer protection foundations differs wildly across states. Since the 1970s, when the consumer rights movement reached its peak, the landscape of state-level consumer protection statutes has been as complex and varied as U.S. geology.

Whether consumers make their home among the rocky shores of Maine or the Great Plains of Kansas or Utah's canyon country, every American is covered by a multi-level regime of protections for unfair and deceptive acts or practices, including the top-layer protection provided by the Federal Trade Commission Act. By reference to the usual formulation of the prohibited conduct under state laws, lawyers refer to them as UDAP statutes, though they are also known as "mini-FTC acts."

The patchwork quilt of consumer protection laws makes the privacy patchwork look like a drab and faded throw. Most states empower consumers to seek their own remedies under these laws separate from attorney general enforcement, though many states also strictly limit the ability of consumers to do so in various ways, including by requiring reliance or a showing of financial injury.

Some states model their statute after the broad and flexible language of the FTC Act, while others include laundry lists of specifically prohibited acts and practices. Some states create a strict liability regime, while others only prohibit knowing or intentional deceptive acts.

Since Texas is salient this week, its DTPA presents as good a case study as any to better understand how state privacy protections and federal laws dovetail with the flexible but sharp requirements under UDAP statutes.

As one might expect, the Lone Star State’s consumer protection statute has some singular characteristics. For one, it can hardly be described as a "UDAP" law because the "U" is mostly missing. There is no prohibition of unfair acts or practices — a part of the FTC’s authority that has increasingly become a feature of privacy enforcements.

A quick aside on this point: for consumers bringing their own action against a business under the DTPA, but not for attorney general enforcement, the law prohibits "unconscionable" actions, defined to mean any action that "to a consumer's detriment, takes advantage of the lack of knowledge, ability, experience, or capacity of the consumer to a grossly unfair degree." So there it is — unfairness lives!

However, for attorney general enforcement, the DTPA makes up for the lack of unfairness by way of its multi-pronged approach to deception.

Misleading and deceiving

Like almost all states — with the notable exceptions of Colorado and Oregon — Texas includes a broad prohibition on deceptive acts in the DTPA. More than just pure deception, as the FTC Act defines it, Texas explicitly prohibits "false, misleading, or deceptive acts or practices in the conduct of any trade or commerce."

These extra words matter. The use of "misleading," in particular, highlights the broad applicability of the DTPA to business practices that misrepresent facts about an offered product or service in ways that could mislead an average consumer. Though there doesn't appear to be case law distinguishing "misleading" from "deceptive" acts — the terms are almost always used together — cases under the DTPA do not conform neatly to the three prongs of an FTC deception claim.

In its complaint against General Motors, the Texas attorney general includes four claims of "misrepresentations" allegedly made by the company to its customers, plus "deceptive techniques used to enroll customers" in programs that allegedly sold their personal data to insurance companies and "deceptive representations regarding its privacy practices." All of these claims rely on the catch-all provision under DTPA, in addition to more specific alleged violations, giving the attorney general multiple paths by which to prove its allegations as the case progresses.

Immaterial, my dear Watson

Further, while "materiality" is a core condition of the FTC's deception enforcement, the catch-all provision of the DTPA is silent on this point. A material representation is the type of statement that is important enough to consumers that it would affect their decision to buy or use a product.

For private rights of action, many states, including Texas, go one step further than materiality to require a showing of reliance. That is, private litigants must prove they relied on a deceptive statement in their decision to purchase the product.

But the DTPA provides the Texas attorney general with broad authority to enforce the statute to prevent and remediate harm to consumers without necessarily demonstrating individual grievances. This doesn’t stop the attorney general from bolstering claims with reference to materiality. In its complaint against GM, for example, Texas argues the alleged tactics and representations made by the company together created a situation that "impaired customers' decision making and ensured they would enroll in the Connected Vehicle Services."

The laundry list approach

Beyond the catch-all provision, the DTPA includes another common feature of UDAPs which distinguishes them from the FTC Act. Lawyers call this the "laundry list," a long set of explicitly prohibited practices that serve as examples of the catch-all prohibition, but also provide their own enforcement teeth.

In Texas, consumers cannot bring a private right of action under the catch-all provision, but they can sue under the laundry list within two years of the harm if they can prove injury and reliance, among other limitations.

The attorney general is not so limited, and the laundry list provides a fascinating set of specific claims that the enforcer can make in bolstering its case. The laundry list in Texas includes at least 33 entries, but in the GM case, the attorney general argues violations for each of its six claims under some combination of three of these provisions:

  • (9) advertising goods or services with intent not to sell them as advertised;
  • (12) representing that an agreement confers or involves rights, remedies, or obligations which it does not have or involve, or which are prohibited by law;
  • (24) failing to disclose information concerning goods or services which was known at the time of the transaction if such failure to disclose such information was intended to induce the consumer into a transaction into which the consumer would not have entered had the information been disclosed;

It is worth noting that two of these provisions include an intent element, requiring a specified mental state on the part of the business. The other, like the catch-all provision, is silent as to the required level of intent.

This potentially strict provision, DTPA section 17.46(b)(12), is only referenced in the attorney general's final claim against GM, related to deceptive representations of privacy practices. Specifically, the attorney general alleges that the company "falsely, expressly or by implication, represented that customers would be able to exercise control over the sharing of their data with insurance providers when such was not the case."

This is a stark example of the overlap of privacy and consumer protection laws, where claims about privacy rights that may be required by law, such as the ability to exercise choice around data practices, could cause direct violations of other laws — if not actually delivered as described in a privacy policy.

A one-two punch

Even as we continue to watch the spread of comprehensive consumer privacy laws across the U.S., privacy lawyers should not forget that consumer protection statutes are already enforceable. In many situations, these laws can be used to add fuel to privacy claims. And unlike privacy laws, consumer protection statutes offer no right to cure for a violation, have much broader applicability thresholds, and include very limited or nonexistent exemptions and exceptions.

Attorneys general may not wait for legislatures to pass privacy laws to begin investing in data privacy enforcement. Last month, for example, New York's attorney general issued guidance for online privacy practices.

Still, as new state privacy laws come online, others may copy the Texas playbook. This is already unfolding as New Hampshire just announced a new dedicated privacy unit within its consumer protection bureau.

Enforcing data privacy laws gives states a reason to provide specific funding for new data privacy units within attorneys general offices. In the coming years, we will only see more state cops on the privacy beat.

Please send feedback, updates and UDAP insights to cobun@iapp.org.

Cobun Zweifel-Keegan, CIPP/US, CIPM, is the managing director in Washington, D.C., for the IAPP.