Seen by many as a barometer of the policy and enforcement trends of state attorneys general around the U.S., Iowa Attorney General Tom Miller is at the leading edge of issues around emerging technologies, data privacy and protecting consumers online. The longest-serving attorney general in U.S. history, Miller has spent decades as one of the nation’s foremost consumer advocates and has adroitly adapted attorneys’ general consumer protection authority to meet the challenges of the day, including complex areas like the multi-state tobacco litigation of the late 1990s, the post-2008 mortgage crisis litigation and sprawling multi-state investigations into for-profit colleges and student lending.
This year, Attorney General Miller took the reins as the President of the National Association of Attorneys General, the nonpartisan national forum for attorneys general. As NAAG President, Miller set his 2022 Presidential Initiative as “Consumer Protection: Tech Threats and Tools,” which will cover issues such as how attorneys general can address traditional scams that have increasingly moved online, more complex legal and policy questions about the impact of algorithms on consumers, so-called dark patterns, and the concentrations of personal data among fewer and fewer entities. Here, he answers questions for the Privacy Advisor on his NAAG Presidential Initiative, how he sees privacy and data protection evolving in the U.S. and the role of the states in that evolution.
The Privacy Advisor: Over the past few years, more attorneys general have begun looking at how their consumer protection laws can be used to address issues they see emerging regarding tech, oftentimes associated with cybersecurity, data privacy, and online social and retail platforms. You are widely seen as the leader among attorneys general on consumer protection and have tackled many complex issues throughout your tenure as Iowa’s attorney general. How did you decide on “Consumer Protection: Tech Threats and Tools” as the topic for your NAAG Presidential Initiative and why do you believe that attorneys general should address these issues?
Miller: Thanks, Divonne. Yes, in 39 years as attorney general, one of my top priorities has always been protecting consumers. Today, though, the sophistication and the seriousness of the threats facing consumers are unprecedented. Rapid changes in digital technology and social media pose both promise and peril for all Americans. And we continue to grapple with intractable, persistent consumer protection concerns, such as robocalls and imposter scams. So, consumer protection seemed a clear choice for my presidential initiative, as well as one that would have bipartisan appeal. With NAAG’s expertise and support, attorneys general of different political parties really do come together to work on a range of consumer protection issues. I want constituents to know that their attorney general’s office is the place to go for help in these matters. I also want us to forge strong partnerships with federal and local officials, consumer groups and partners in the private sector. None of us can do it alone.
The Privacy Advisor: For some time, the U.S. Federal Trade Commission has had on staff a chief technologist. As the role of attorneys general in privacy protection continues to grow, should attorney general offices do the same? Would NAAG benefit from a chief technology and data privacy expert on staff to serve the states?
Miller: You know, it’s a good question and I commend the FTC for leading the way on this. Unfortunately — with a few exceptions — I think most attorney general offices do not have the resources to have a full-time technologist on staff. However, as you point out, it would make sense to collectively develop a system where a technologist could be made available to states as a shared resource, either through NAAG or perhaps through State Center, which is another organization that supports collective attorney general action, including providing experts like antitrust economists in other cases. That is an idea we are actively exploring.
The Privacy Advisor: A number of your attorney general colleagues in recent public comments and enforcement actions (and you yourself through your NAAG Presidential Initiative) have made clear that ensuring consumers are protected against deceptive or otherwise harmful algorithms is a priority. Issues from discrimination in lending to use of dark patterns by online retail platforms were the subject of significant discussion at the 2021 NAAG Capitol Forum meeting in December in Washington, D.C. Can you talk about your thoughts on algorithms and why you think attorneys general have a role in policing them?
Miller: To put it simply, we want to shine a light on these opaque practices that can affect consumers, whether they realize it or not. How are algorithms hooking young users to Instagram, TikTok or other social media sites? Are some algorithms biased against certain consumers, when they seek access to credit, for example? How does Google Maps or other location apps track consumers, and what do they do with the information? How are Amazon and other companies using tricks to make it difficult for consumers to cancel their Prime accounts or other subscriptions? These are the type of questions we want to examine. Intended or not, these techniques can be unfair and deceptive, and ultimately cause harm to consumers. As part of my presidential initiative, we’re holding training sessions and meetings so attorney general staff around the country can learn more about these practices and their effects.
The Privacy Advisor: As you know, attorneys general are not the only ones suing over privacy and other emerging tech issues. The trial bar has been very active as well, often bringing individual and aggregated actions under private rights of action in state consumer protection laws. Additionally, there has been a rise in municipalities, including major cities, teaming up with plaintiffs’ lawyers to bring their own actions over a variety of issues, including data breaches. As the top lawyer in your state, how do private rights of action and municipal lawsuits impact your work on behalf of Iowans?
Miller: Look, these are important issues that affect everybody, so it’s not surprising that there is interest from other actors. In many ways, they can be valuable allies in protecting consumers when our offices run up against resource constraints. In some situations, it can make it more difficult to resolve cases when there are so many interested parties, sometimes with motivations that don’t line up with the attorneys’ general priorities. This is certainly a topic of conversation among state attorneys general. We believe we are often best situated to act on behalf of all of our states’ residents, particularly given the law enforcement and consumer protection claims we can bring.
The Privacy Advisor: Three states have now enacted comprehensive privacy laws (the California Consumer Privacy Act, the Virginia Consumer Data Protection Act, and the Colorado Privacy Act). With the partisan logjam on Capitol Hill and resulting federal inaction, more states are poised to take data privacy regulation into their own hands. Is Iowa looking at developing its own comprehensive state privacy law? If so, what has your office’s role been in that discussion and what will it be moving forward?
Miller: Consumer data privacy is an area where there is bipartisan interest, at least at the state level, in passing comprehensive consumer privacy laws like those that have been passed in California, Colorado and Virginia and are working through state legislatures elsewhere. My office has monitored various proposals in the Iowa Legislature and worked with members of both parties to strengthen the protections for consumers and the enforcement mechanisms available to my office if one of these proposals becomes Iowa law. Ultimately, I would like to see consumers regain ownership over their personal data and reasonable limits placed on Big Tech’s ability to use that data, especially in ways consumers never consented to and that may be harmful to them.
The Privacy Advisor: If we have learned anything over the past few years about data security and data breaches, it is that entities of all shapes and sizes are susceptible to attacks and breach events, including state agencies. As your state’s top lawyer, in addition to representing Iowa’s residents and consumers, you also represent the state’s agencies. How do you approach and balance your role as an enforcer on behalf of consumers, when a data breach that impacts them occurs, with your role as a legal advisor to state agencies that are themselves the custodians of sensitive personal information and the potential targets of cyberattacks?
Miller: This has been an area of growing concern as state agencies maintain more and more data while at the same time appearing to be growing targets of malfeasance in the digital space. Of course, state attorneys general are accustomed to dealing with complicated issues of representation, conflicts of interest and competing policy priorities. As in other areas, my first instruction to my staff is to do the right thing, regardless of politics. One consistent layer of analysis when it comes to data security is respecting the privacy expectations of consumers. That is often the basis of our inquiry when we see a data breach has occurred in the private sector, but it also helps guide our advice to state agencies when they’re assessing risks and making funding decisions. This year, our office made a specific budgetary request to our legislature for cybersecurity infrastructure; we have been working closely with our state (chief information security officer) and believe this is a priority across state government in Iowa.
The Privacy Advisor: Your office is one that is known to be very approachable when it comes to businesses seeking to do the right thing, as well as for treating them fairly when they do so. Can you talk about how your office approaches a privacy investigation? How should an entity that suffers a data incident or learns that it is subject to an investigation work with your office?
Miller: My office approaches data incidents first and foremost with the goal of protecting consumers from the potential negative effects of a breach, such as identity theft. I would encourage any business that suffers a data incident to act swiftly and share as much information with my office as possible. We have had past instances in which many Iowans received data breach notifications, but for various reasons my office was not informed in a timely manner, which made it more difficult for my staff to assist consumers who contacted the office. So in my view, prompt notice to my office and open lines of communication are keys to responding to data incidents and protecting consumers whose information has been breached.