New York’s Attorney General Letitia James is a longtime public servant who has regularly and repeatedly shown her commitment to protecting consumer rights and privacy. James began her legal career as a public defender for the Legal Aid Society before becoming an assistant attorney general. In 2013, James was elected as the Public Advocate for the City of New York, becoming the first woman of color to hold a citywide office in NYC. As public advocate, she sponsored privacy legislation that barred prospective employers from asking job applicants about their salary histories on the basis that the practice disproportionately harmed women and members of minority or other vulnerable groups. Following her election in 2018, James became the first African-American to hold the office of New York’s Attorney General. As attorney general, James oversees the Bureau of Internet and Technology, one of the most sophisticated departments of its kind in a state attorney general's office, to protect the privacy of New Yorkers.

The Privacy Advisor had the opportunity to discuss James’ view of consumer privacy, her work to date in enforcing existing laws and her thoughts about the future of privacy in New York and the country.

The Privacy Advisor: The U.S. Supreme Court’s recent ruling in Dobbs v. Jackson Women’s Health Organization has challenged decades of precedent, including the right to privacy. What effect do you think this ruling will have on other rights that are premised on the right to privacy? 

James: The Supreme Court’s decision to overturn Roe was a blatant assault on our reproductive freedom and our rights. It reverses decades of precedent and raises serious concerns about the future of other rights, like the right to same-sex marriage, which have been upheld under the right to privacy. While there are concerns, we will continue to do everything in our power to protect and defend our most fundamental rights.

The Privacy Advisor: With your help, state Sen. Liz Krueger, D-N.Y., introduced the Reproductive Freedom and Equity Program in May, which would establish funds for abortion providers in New York. The legislation prohibits the state from tracking the personal informationof patients who receive abortions from providers funded by the program. Do you believe this privacy protection is necessary? What is the benefit of this protection in a state that allows abortions?

James: Protecting the privacy of individuals seeking abortions in New York is critically important. Having an abortion is a personal, and sometimes difficult, decision. Anyone seeking abortion care should be able to come to New York without worrying that their personal data, like their location or search results, could be exposed or used against them. Nowadays, technology plays a role in access to health care, whether it's searching for the nearest abortion care provider or using a fertility app, many of these digital platforms can collect and sell personal information without the user ever realizing. New York is undoubtedly a safe haven for individuals seeking abortion care and we want to be extra cautious that their privacy is protected.

The Privacy Advisor: According to a press release from your office, internet-related issues, including those related to data privacy and cybersecurity, were the number one source of consumer complaints filed with your office in 2021. A number of consumer privacy bills were introduced in the New York House and Senate during the last legislative session that would follow similar legislation in Colorado, Connecticut, Utah and Virginia, and some also include a private right of action. While those bills did not pass, do you expect New York will join the growing number of states with a consumer privacy laws?  Do you have any items that you believe are a “must have” for robust state level privacy legislation?

James: This is certainly an issue that will only get more significant as our technology advances and our reliance on it increases. I know that we have great New York legislators in both the Assembly and the Senate who will keep advancing bills to address privacy concerns. And my office will continue to use our powers to protect New Yorkers’ right to data privacy given the tools at our disposal.

The Privacy Advisor: As states enact their own versions of privacy laws, a growing trend seems to be to leave the enforcement of those laws to the state attorney general’s office. Do you think this is feasible or effective? Do you think consumers should have the ability to enforce these laws directly?

James: New York has been uniquely successful in protecting and enforcing consumers’ privacy laws. This past June, my office secured $400,000 from the grocery store Wegmans for exposing the personal information of thousands of New Yorkers. Earlier in the year, my office reached a $600,000 agreement with a vision health care provider EyeMed for compromising the personal information of millions of consumers nationwide. Under the terms of that agreement, the company is also required to enact a series of measures to protect consumers’ personal information from future cyberattacks. This is all to say: my office is an example of the fact that when given the tools we need, and with a motivated team, state enforcement of privacy laws work. As we continue to rely on technology in our everyday lives, state attorneys general and individuals should be able to hold companies that undermine personal information and data accountable.

The Privacy Advisor: You recently signed on to a July 19, 2022 letter to congressional leaders regarding the American Data Privacy and Protection bill, led by California Attorney General Rob Bonta and signed onto by the attorneys generals from Connecticut, Illinois, Maine, Massachusetts, Nevada, New Jersey, New Mexico and Washington, in which you oppose a federal bill that would preempt state privacy legislation. What do you see as the benefits of having a federally mandated “floor” for privacy with individual states being able to raise the bar? How would you address the argument that single unified legislation is better than a fragmented, state-by-state approach with potentially confusing and conflicting standards?

James: Federal privacy regulations are needed to rein in big companies that have monetized and exploited consumers’ personal data. However, federal privacy regulations should complement and bolster, not override, existing state regulations. The tech industry is constantly changing, and states, unlike the federal government, can move quicker to pass and enforce laws to protect consumers. As the tech industry continues to rapidly evolve, every state should have the authority to take swift and decisive action to regulate new industry features and protect its residents’ privacy. We need more state-level regulations and enforcement, not less. The federal government is able to review what the various states are doing and determine some “catch all” legislation that would work nationally. That would help improve the privacy protections for Americans living in states without adequate protections and should not interfere or impede states that have more robust privacy protection legislation in place.

The Privacy Advisor: It has been a little over a year since New York City’s biometric ordinance went into effect. The ordinance requires businesses that are open to the public to post clear and conspicuous notice that biometric information is being collected and prohibits those businesses from selling biometric information. What do you think are some of the strengths of this ordinance and do you think it could be improved?  Would you like to see a statewide biometric privacy law? 

James: Consumers should know anytime a business tracks and collects their biometric information. The law as it stands empowers individual consumers to take action against businesses that are not transparent about collecting biometric information. I would support a statewide biometric privacy law that protects New Yorkers in all corners of the state from having their personal information collected, sold and used without their consent.

The Privacy Advisor: Similarly, the Stop Hacks and Improve Electronic Data Security Act, one of the most comprehensive state data breach and cybersecurity statutes, has been in effect in New York since March 2020. The SHIELD Act strengthened existing data security laws in New York by requiring companies to develop and maintain reasonable security measures and expanded security breach notification requirements to more types of data. What impact have you seen this law have on the security practices in New York? Are there any changes that you would like to see?

James: The SHIELD Act has been a tremendous success. Even before it was enacted many data security lawyers were warning their clients about the breath of the law, and the potential for high penalties if they do not comply. Since the SHIELD Act came into effect, many companies have upgraded their security measures to protect consumers’ personal data. My office continues to rigorously enforce the law against unscrupulous companies that disregard security and consumers’ privacy. We have sent warning letters, engaged companies that have violated the SHIELD Act to protect consumers, and secured millions of dollars in penalties.