By Divonne Smoyer, CIPP/US, and Aaron Lancaster, CIPP/US

As 2013 amply demonstrated, the Federal Trade Commission (FTC) and European data protection authorities (DPAs) are not the only sheriffs in town when it comes to data privacy. State attorneys general (AGs) continue to walk the data privacy beat. Throughout 2013, AGs made data privacy a major policy and enforcement focus with a variety of educational, enforcement and litigation efforts to ensure that they are leaders in protecting the privacy of their citizens. AGs were a force in the privacy movement in 2013 and can be expected to continue to exercise influence for the foreseeable future.

AGs Made Data Privacy a Major Policy Initiative in 2013

Throughout 2013, data privacy (Privacy in the Digital Age) was the Presidential Initiative Topic of National Association of Attorneys General (NAAG) President and Maryland AG Doug Gansler. As a result of this initiative, the attention of all 50 AGs was brought to bear on data privacy issues throughout the year, resulting in a variety of legislative, policy and enforcement actions. This initiative culminated in a Presidential Initiative Summit at which AGs and their senior staff heard from numerous business interests, state and federal enforcement and regulatory agencies, academia and consumer advocacy groups on multiple novel data privacy topics, including protecting business and government from cyber-risks; protecting the privacy of consumers, especially children, on the Internet; and addressing the impact of “Big Data” on consumer privacy. The largest takeaway was the request for AGs to be more active enforcers of consumer data privacy. That request came both from consumer advocates and from current and former federal regulators, including FTC Commissioner Julie Brill, a former assistant AG in Vermont and North Carolina (two of the most active consumer protection offices in the country), who requested that AGs take action where the FTC cannot.

Many of these issues will be the focus of AGs in 2014 as well, given that there are strong indications that cybercrime and cybersecurity will be among the topics for the next NAAG Presidential Initiative, ensuring that these issues remain a focus of AGs for the coming year.

California Continues To Be a Leader on Data Privacy

In 2002, California was the first state to enact data breach legislation and has remained active on data privacy ever since. This year, however, was a landmark year in California with important new legislation as well as significant activity by California AG Kamala Harris.

On the legislative front, California enacted several new laws in September, with the support and encouragement of AG Harris, to strengthen consumer privacy. Notably, California amended its data breach notification statute, greatly expanding the definition of personal information to include username and/or e-mail address in combination with password, sweeping into its notification law data breaches that do not compromise traditional sensitive financial information. California also amended its laws to require websites to tell visitors how they respond to “Do-Not-Track” signals from web browsers and took a significant step toward providing consumers with the “right to be forgotten” by allowing minors to erase content they post on websites.

Harris was also active on a variety of other data privacy fronts. She collaborated with six top app developers to release in January “Privacy on the Go,” a best practices guide for mobile app developers that urges them to consider consumer privacy early in the development process. She also issued the state’s first-ever report summarizing the data breaches affecting California residents that occurred in 2012 and providing key recommendations and “lessons learned” for businesses, including stressing the need for data encryption. On the litigation front, although AG Harris’ landmark lawsuit against Delta Airlines for failing to include a privacy policy in its mobile app encountered a setback when the judge tossed the suit on the basis that the federal Airline Deregulation Act preempted enforcement of the California law, AG Harris continues her focus on protecting mobile privacy. Other lawsuits against app developers are likely to follow.

Other States Equally Active on Protecting Citizens’ Data Privacy

California was not the only state that made headlines on data privacy this year. AGs around the country remain committed to protecting their citizens’ privacy, and are engaging in a variety of activities to do so.

In addition to his NAAG Presidential Initiative, Maryland AG Doug Gansler joined several other AGs, such as those of California and Connecticut, in creating his own Internet Privacy Unit to ensure that companies that operate online comply with consumer protection laws. He also called for the state to strengthen its laws to make a violation of COPPA enforceable in state courts and led a coalition of 22 state AGs in commending Google for its efforts to address issues related to transparency and protecting consumer privacy that the AGs had raised with Google previously, although the AGs also noted that Google still had progress to make in the area of privacy protections.

Connecticut AG George Jepsen also was very active on data privacy enforcement. After a joint investigation with California revealed a vulnerability in Citibank’s online account service that permitted hackers to access user accounts, in August the bank agreed to pay Connecticut $55,000 and to submit to a third-party audit of its online credit card account system. Additionally, the Connecticut AG was one of the leaders on the Google Street View investigation, which led to Google’s March settlement with 38 AGs. Google agreed to pay $7 million after admitting that its Street View mapping project violated people’s privacy by collecting passwords, e-mail addresses and other information from nearby computers, and, importantly, agreed to proactively monitor its employees’ actions and to provide consumers with guidance about how to protect themselves from similar invasions of privacy.

Other AGs engaged in their own enforcement actions as well. Acting New Jersey AG John Jay Hoffman reached a $1 million settlement with online advertiser PulsePoint in July. The settlement resolved allegations that PulsePoint improperly accessed and tracked consumer browsing habits by using new technology to bypass web browser privacy settings and then allegedly used that information to target advertisements to New Jersey computers. In September, Vermont AG Bill Sorrell reached a settlement with Natural Provisions grocery store after it failed to timely notify consumers of a data breach and to take corrective measures, requiring it to perform security upgrades and pay $15,000 in penalties. Given Sorrell’s continued interest in data privacy, 2014 is likely to bring additional similar enforcement actions. That said, demonstrating that not all AG attention is negative, Missouri AG Chris Koster in July cleared Schnucks Markets, Inc., of any wrongdoing following a security breach. Koster concluded that Schnucks did not violate any data security laws related to a data breach that exposed the information of 2.4 million payment cards, and declared that the grocer itself was a victim of crime.

Finally, like California, other states also made significant changes in their data breach notification laws, including Texas, which amended its law to expand its application not only to states that have no notification law but to all other states as well; North Dakota, where the legislature expanded the definition of personal information to include health insurance and medical information; and Vermont, which now requires regulated financial institutions to provide notice of a breach to the state’s Department of Financial Regulation.

The last year was an eventful one in the area of data and online privacy, with more laws, more enforcement actions and generally increased AG scrutiny. Given that we are not likely to see federal preemption of state authority in this area anytime soon—and that the FTC is encouraging state action on data privacy—it remains critical that privacy professionals expand their focus beyond the FTC and DPAs to consider AGs, who are rapidly becoming the most important data privacy regulators around.

Divonne Smoyer is a Washington, DC-based partner in Dickstein Shapiro’s State Attorneys General Practice, where she advises clients on a wide range of legal matters, including cybersecurity and data privacy issues. She has been recognized repeatedly by Chambers USA: America’s Leading Lawyers for Business as one of the country’s top attorneys in her field. Smoyer has extensive experience counseling major corporations through government investigations and litigation, as well as private litigation. She is also a Certified Information Privacy Professional. Divonne can be found on Twitter @DivonneSmoyer.

Aaron Lancaster is counsel in Dickstein Shapiro’s State Attorneys General Practice, where he primarily represents clients in state investigations and litigation in a wide variety of consumer protection and data privacy matters. He also counsels clients on building relationships with State Attorneys General to minimize their exposure to state-led lawsuits and negative publicity and advises them on dealing with data breaches and other privacy concerns. He is also a Certified Information Privacy Professional.

