Recently, attorneys general from 47 states and the District of Columbia announced a settlement with Target regarding its massive 2013 data breach. The company will pay $18.5 million, with New York and California taking the largest sums based on state population — that is, most consumers affected. It is the largest attorney general settlement on record.
While the fine might be the highest ever, the collaboration isn't anything new. State attorneys general have been collaborating for many years. But after eight years of a Democratic administration that made privacy part of its agenda — even creating a Federal Privacy Council and a report on privacy and innovation (though that has since been deleted from the White House website by the new administration) — many are looking to the states and the role they might play in protecting consumer privacy if the Trump administration chooses either not to prioritize it or, as we saw with the reversal of the Obama-era FCC privacy rules, to roll priorities back.
In addition to the FCC rules’ rollback, the FTC, now led by Acting Chairman Maureen Ohlhausen, looks poised to take a much less active role in privacy and data security enforcement action. On the speech circuit since she was appointed the acting chairman, Ohlhausen has touted her prioritization of "process reform" and indicated her preference for harms-based investigations and consumer education over bringing down the hammer.
From a bird's-eye view then, it seems reasonable to anticipate state legislation and state attorneys general would fill in perceived gaps in consumer privacy and data protection. In fact, there has been a flurry of activity recently. For example, more than 28 states have introduced legislation in response to the repeal of FCC privacy rules by Congress. (For a list of states as of press time, see sidebar.)
Will attorneys general pick up enforcement slack?
The recent Target settlement was a result of the longstanding National Association of Attorneys General Privacy Working Group, which the state of Illinois attorney general has headed since its inception. Matt Van Hise, CIPP/US, is assistant attorney general and consumer privacy counsel there.
He's not willing to state outright that there's a strategic effort among the states to get more aggressive on privacy, but that doesn't mean what's happening nationally isn't a factor.
"It's obvious and should be obvious to say we are affected by the federal system," Van Hise said. "The Federal Trade Commission is the overarching system for the country, and they do great work. It's fairly open and apparent that there have been, on the federal side, some rollbacks to certain privacy and data security protections. I think the states have always embraced and recognized the extreme importance that we maintain a constant presence in this area. We really are the individuals on the ground."
Divonne Smoyer, CIPP/US, an attorney at Reed Smith, has done extensive work with a number of state attorneys general in recent years (see her article for The Privacy Advisor, "State AGs: The Most Important Regulators in the U.S.?"). She said while state attorneys general have long been a powerhouse in U.S. enforcement, they also pick up the slack when necessary.
"State AGs and the states [themselves] have always been really proud of acting either in the face of federal inaction or via the proliferation of data breach laws or new laws governing data collection disclosure or data use," she said. "It's inevitable now, with things in flux at the FCC and the fact that the FTC only has two commissioners now, with others yet to be appointed, that they're ready to serve in their role as laboratories of democracy. And because privacy is a very hot topic and consumers care about it, and the vast majority of AGs are elected, I think they're going to be more and more active."
Matt Fitzsimmons, CIPP/US, is assistant attorney general at the Connecticut AG's office and co-leads the multistate efforts on consumer privacy and data protection. He said it matters little to him, professionally, which administration is in charge at the federal level.
"I think the way we look at it is there's a universe of privacy and data security work to be done, and just because the federal government may scale back on what they're doing, doesn't mean the work to protect consumers scales back, they just have a different idea of what that means. So naturally, states are left to fill the void in that area. Maybe we're seeing a little of that now. I think it's probably too early to tell. I think people expect the federal government to pull back on some of these things."
"They have really ramped up the work in the last five years," Citron said, adding, "God, these issues have only spiraled. The more we collect data and share, the more it is at risk." Citron sees AG action, then, only increasing in months and years to come.
Why state attorneys general are sometimes more effective than the feds
"There are different ways in which we've seen state AGs really make privacy, and make privacy in a way that has not just a regional impact, but also across the nation," Citron told The Privacy Advisor. She cited, for example, what's known as "the California effect" following former State Attorney General Kamala Harris's work in the app space. According to a study by the Future of Privacy Forum, before Harris took action, 75 percent of apps had no privacy policies. Now, 75 percent do.
"It's just cheaper and easier to comply with the strictest requirement," she said.
From an attorney general's perspective, multistate investigations are effective in that they allow attorneys general to punch above their weight, as Citron recalls one attorney general telling her. That is, depending on each office's staff, certain states tend to have more expertise in particular areas, expertise the group can share. Texas is smart on bankruptcy, California on tech issues, Indiana on telephone privacy, New York on financial privacy.
“We’ve seen very aggressive multistate work,” she said. “They bring these cases and have the expertise they leverage, basically for 40 other offices that join and sign settlement agreements.”
Besides their strength in numbers, attorneys general are nimble. They don't suffer the same constraints state or federal governments face. They also have the power of the Civil Investigatory Demand, or CID, "which is immensely powerful," Citron said. "They are unencumbered by bureaucracy. They can be nimble. They don't have those layers." If Connecticut's Fitzsimmons wants to investigate something, "You just ask George [Jepsen, state AG]," Citron said.
In addition, attorneys general need not wait for the Federal Trade Commission to get consensus among commissioners to take an action; they need not wait for a lawmaker to introduce a bill, for that bill to make it to the house and senate, for a vote to take place, for the bill to be signed into law. And consumers have a pipeline straight to the attorney general's office itself, which is often how investigations begin.
Fitzsimmons said attorneys general can and do react quickly because attorneys general are, in all but a few states, elected and therefore "accountable to the people and the consumers they represent and are trying to protect here. And this whole area of privacy and data security is really at its core a consumer issue, which AGs really take seriously."
Citron isn’t sure attorneys general offices are always as affected by politics as other political posts. That’s partly because attorney general offices, Citron found in her research, tend to retain their staff in ways federal government offices don’t, and because most attorneys general are responsive to their public – the public that elected them into office.
“I’m skeptical as to whether [prioritization] lines up to ideology,” Citron said. She points to Texas, which term after term elects a Republican attorney general, “But their entire thing is bankruptcy,” a consumer-focused concern. Or, there’s Indiana Attorney General Tom Zeller, a Republican who has made telephone privacy a priority because his constituents voiced significant concern about robocalls.
How do attorneys general investigations, like Target's, work?
The multistate privacy group convenes once a month to discuss ongoing or potential cases, among other things. The Target case went down the way most collaborations do, Van Hise said. It started with a phone call to Target, which included any affected state that wanted to be part of the investigation.
"The way these things work is that a lot of states have questions. So what I think we both try to do is set up a call with a company to talk about things, where we can get all the states on the phone at one time, instead of multiple phone calls. The attorneys for Target, or any other company, don't want 50 phone calls [either]," he said.
"The companies are sometimes very nervous," Van Hise said. "Any company, regardless of size, scope and complexity, is nervous and apprehensive to engage their regulators. Having a call with all of us together is much more advantageous to an entity trying to reach out to the regulators."
That kind of approach, he added, makes it much less likely for a company to receive subpoenas and investigatory demands, investigatory tools each state attorney general has at its disposal.
In the Target case, the company was responsive to more informal inquiries, as many companies are, Van Hise and Fitzsimmons said.
"We know it's an adversarial process to a certain extent," Fitzsimmons said. "But goodwill and an ability and an initiative to work with regulators and provide us with what we need in a relevant time period without being overly adversarial to the extent we have to take more advanced procedures — those are all items to take into consideration."
He added, "Nobody ever gets knocked harder or fined more because they've been cooperative. But it absolutely cuts the other way."
In multistate investigations, an executive committee conducts an investigation, whether via phone calls – in cooperative situations – or civil investigatory demands or subpoenas if necessary. The committee reports back to the states where consumers have been affected. Any state involved needs authorization from its attorney general before any enforcement action is taken.
“We look at things like the size, nature, scope and complexity of the investigation, and how many consumers were affected,” Van Hise said.
The proposed settlement is based on those factors, as well as how egregious the incident was and the willingness of the company to “right the wrong and make steps on their own prior to being asked by any regulator, and also the level of turnaround starting from where they were baseline, prior to the breach. Those are all definitely factors that play a crucial role,” Fitzsimmons said.
While Republicans, nationally, might be known for a light regulatory touch, attorneys general are much closer to the entirety of their state's consumers, whether Republican or Democrat. So if robocalls are a problem in that state and the consumers want the problem solved, an elected attorney general is likely to make moves on the issue even if it's incongruent with party lines.
Smoyer thinks state attorneys general are going to move to biometrics next as a focus area.
"They're supportive of state legislation that is more protective of biometric data, and one of the things I think the business community is and should be concerned about is what those statutes say, and also are there minimum penalties in those statutes for noncompliance," she warned.
As for Van Hise and Fitzsimmons, they plan to continue steadily beating the drum on consumer protection and data privacy.
"I think it really comes down from the top in both our offices," Fitzsimmons said. If the federal government continues to pull back on consumer privacy protections, Fitzsimmons said, "I would certainly expect state AGs to sort of fill that void, but not to fill the void just to do it. This is important work, and our feelings on it don’t change because the federal government is doing less or looks at things differently."
Following the FCC privacy rules rollback, many states saw bills introduced to address perceived consumer concerns. Refer to the individual state’s legislative website for bill status.
SB 117 – Geolocation Privacy
- Relating to the collection, use, storage, and disclosure of geolocation information and establishing an unfair trade practice under the Alaska Unfair Trade Practices and Consumer Protection Act
HB 232 and 230 (almost identical bills, same purpose, slightly different language) – Telecommunications & Internet Privacy
- Relating to the collection of customer information by telecommunications and Internet service providers and establishing an unfair trade practice under the Alaska Unfair Trade Practices and Consumer Protection Act
House Joint Resolution 17-1032 – Concerning the Protection of Online Privacy for Colorado Citizens
- Bill text identifies it as being formed in response to the FCC privacy rollback
- Calls on internet service providers to follow the FCC’s 2015 Enforcement Advisory and the FTC’s longstanding privacy framework and legally enforceable Privacy Principles
SB17-304 – Authority of the Joint Technology Committee
- Adds definitions of “cybersecurity” and “data privacy” and expands the powers and duties of the Joint Technology Committee
S.B. 1201: An Act Relating to Technology
- Establishes a Broadband Task Force to address fee updates, regulations, advancements
- The privacy provisions previously included are left out of the current version
SB 1502: The Right To Know Act (subsumed HB 2774 and changed after the FCC rollback and subsequent amendments to the “Illinois Right to Know Data Transparency and Privacy Protection Act”)
- Introduced before FCC privacy rollback
- Operator of commercial website or online service collecting PII about Illinois residents must notify those customers of information sharing practices and make information available to the consumer
HB 3449: Geolocation Privacy Protection
- Introduced before the FCC privacy rollback
- Provides that private entities cannot collect, store, use, disclose geolocation information from an app on an individual’s device unless the private entity has affirmative, express consent
HB 2332: Relating to Disclosure of Electronic Communications and Electronically Stored Data
- Introduced prior to the FCC privacy rollback
- Bars electronic communications service providers from sharing content of communications with anyone other than the customer
HB 2432: Prohibiting the collection and sale of personal data by ISPs
SP0566/LD 1610: An Act to Protect Privacy of Online Customer Personal Information
- Prohibits Internet providers from using, disclosing, selling or allowing access to customer personal info without express consent
SB 1200: Internet Consumer Privacy Rights Act of 2017
- Declares that an Internet service provider selling or transferring a consumer’s PII under certain circumstances would constitute unfair or deceptive trade practice
H.3698: An Act Relative to Internet Privacy
- Prevents internet service providers from disclosing customer proprietary information without consent
S.2053: An Act Ensuring Internet Security and Privacy
- Internet service providers may not disseminate personal consumer information without express written approval from the consumer and ISPs may not punish through fees or service denial any consumer who does not give approval
SS1937a51: Amendment to a Budget and Jobs Bill
- Bars telecommunications and internet service providers from selling or collecting consumer personal information without express written approval
HF2606: Bill for an Act Relating to Telecommunications, Data Privacy, etc.
- Same text as above
- HB2579, SB2323, SB2303 and SB2309 all have same title and text
A budget provision (S.B. 95) introduced by Senator Ryan Osmundson bars ISPs from being awarded state contracts if they collect consumer data without consent and prohibits ISPs from collecting consumer PII without consent
LR136: Introducing a Study of the Effect of Repeal of FCC Final Rules for Consumer Privacy
- Commissions a study to examine effect of rule repeal on consumers and propose legislation to counter any negative effects
SB538: An Act Relating to Internet Privacy
- ISPs are required to provide details of what information they collect, how it is stored, and with whom they share it
- Consumers must be notified of all collection
Sen. Dan Feltes, D-N.H., has introduced a bill that would require ISPs to alert customers before selling information about online practices to other parties
A4800: Requires ISPs to keep confidential and prohibit disclosure, sale, or unauthorized access to consumer PII without express written consent
- Parallel to A4819, S3156, A2037 and A4838
A07191: An Act to prohibit the disclosure of PII by ISPs without express written approval from the customer
- Amends the general business law of the state
- Parallel to S05603
- Parallel to S05576
A07495: An act in relation to the sale of personal information by ISPs
- Parallel to S05516
H.B. 2015: Original version provided for a study of telecom service providers' and ISPs' privacy policies, though current version does not include this
Rep. Mark Schlossberg, D-Pa., submitted a bill that would require ISPs to send consumers notifications whenever they sell a consumer’s personal information
H.B. 6086: Prevents any state or municipal agent’s telecom or ISP from collecting and/or disseminating consumer PII
H.B. 4154: No telecom or ISP provider that collects personal customer information without express written approval will be eligible for contract with South Carolina or its agents
H.B. 535: Relates to privacy and data security rules applicable to telecom service providers and ISPs
- Parallel to S.B. 147
H.B. 2200: Protecting the Privacy and Security of Internet Users
S.B. 5919: Concerns Consumer Protection of Internet Privacy
S.B. 49: Relates to Info Tech Block Grant program, appropriations, broadband expansion grant program, etc.
S.B. 233: Relates to Privacy and Security of Consumer Info obtained by broadband access service provider
— Research done by Westin Fellow Calli Schroeder