State attorneys general have authority to enforce a number of federal privacy and data security statutes, and they may also have additional authority to protect privacy and data security under state law.
Over the past 8 years, I’ve reported on a number of breaches where state attorneys general joined forces to protect consumers or investigate a breach. What I never understood was whether there was any rhyme or reason to what they would pursue. Would these privacy warriors pursue cases that the FTC might be pursuing, or were they trying to supplement FTC enforcement because FTC resources are limited, or what? And while state attorneys general can resolve a complaint with an Assurance of Voluntary Compliance (AVC), which is similar to an FTC consent order or a UK “undertaking,” I didn’t know that in some cases, state attorneys general respectfully declined to join forces with the FTC because they wanted stronger enforcement and did not want to settle for the kinds of terms FTC generally obtains in consent orders.
In addition to enforcement, some state attorneys general advocate for legislation concerning privacy and security issues.
Until now, however, there has been no academic scholarship on the role state attorneys general play in privacy and data security. Happily, that has now changed with an exploratory study by Danielle Citron, who shared her findings in a paper workshopped at the Privacy Law Scholars Conference this week.
Here’s the abstract of her paper:
Accounts of privacy law have focused on legislation, federal agencies, and the self-regulation of privacy professionals. Crucial agents of regulatory change, however, have been ignored: the state attorneys general. This article is the first in-depth study of the privacy norm entrepreneurship of state attorneys general. Because so little has been written about this phenomenon, I engaged with primary sources—first interviewing state attorneys general and current and former career staff, and then examining documentary evidence received through FOIA requests submitted to AG offices around the country.
Much as Justice Louis Brandeis imagined states as laboratories of the law, offices of state attorneys general have been laboratories of privacy enforcement. State attorneys general have been nimble privacy enforcement pioneers where federal agencies have been more conservative or constrained by politics. Their local knowledge, specialization, multistate coordination, and broad legal authority have allowed them to experiment in ways that federal agencies cannot. These characteristics have enabled them to establish baseline fair information protections; expand the frontiers of privacy law to cover sexual intimacy and youth; and pursue enforcement actions that have harmonized privacy policy.
Although certain systemic practices enhance AG privacy policymaking, others blunt its impact, including an overreliance on informal agreements that lack law’s influence and a reluctance to issue closing letters identifying data practices that comply with the law. This article offers ways state attorneys general can function more effectively through informal and formal proceedings. It addresses concerns about the potential pile-up of enforcement activity, federal preemption, and the dormant Commerce Clause. It urges state enforcers to act more boldly in the face of certain shadowy data practices.
You can download a pre-publication version of the paper from SSRN.
The discussion at PLSC provided a wealth of useful suggestions and comments about future work in this area. One of the many issues that were touched upon during the session was the politics of state attorneys general involvement in enforcement and legislation advocacy. I was not aware that there was actually a Democratic Association of Attorneys General and the Republican Association of Attorneys General. Obviously, I wish there wasn’t and that privacy and data security enforcement was more bipartisan, but hey, this is America, right? I did find it interesting to learn from the discussion that Republican state attorneys general were less likely to cooperate with Citron’s requests for information, although some of them are very active in fighting abortion access and Planned Parenthood, activities that impact the privacy of residents of their states. Hopefully, more states will cooperate with Citron’s requests and FOIA filings in her future research.
My own observations over the past 10 years confirm Citron’s report that some states are more active than others, with California being one of the most active states. But whether a state is active appears quite subject to change and the agenda of whoever is in office. When Richard Blumenthal was AG of Connecticut, that state was very active in data breach investigations and enforcement. In fact, there were years when I would be sure to check the Connecticut, Texas, California, and New York state AG web sites because those sites were more active in enforcing data security. But when Blumenthal became a U.S. Senator, the Connecticut AG’s office appeared to initiate fewer enforcement actions, even while Blumenthal attempted to introduce privacy and data security legislation on a federal level.
As a privacy advocate, I have – but only once – submitted a data breach complaint to a state attorney general, who did investigate, but then ran into a roadblock of sorts. I think, in light of Danielle’s paper, that I am going to try again to submit complaints to state attorneys general to see if they’ll get involved in some issues. It’s certainly worth a try if I don’t see the FTC responding or don’t know if they’re responding to any complaint I file. As Danielle explained to me, some state attorneys general are more active in certain issues than others. She helpfully gave me some ideas as to which states to submit which type of complaint to.
Danielle’s paper won top prize at the PLSC conference, and rightfully so. Thanks, Danielle, for getting us all to begin to take a more serious look at the role of state attorneys general in privacy and data security issues.