Imagine you receive an inquiry from a state Attorney General (AG) about your privacy or security practices, and you aren’t sure what to do next. Maybe it’s because you have been concentrating on compliance efforts related to the California Privacy Rights Act (CPRA) and other new state privacy laws coming into effect, and you haven’t focused as extensively on the existing suite of state privacy or security laws, or on state AG enforcement of federal privacy laws, that may in fact apply to you. In this advisory, we provide a snapshot of recent privacy and security enforcement efforts by state AGs.[1] Next, we offer some general tips on how to avoid getting into trouble with state regulators. Finally, we suggest what to do if, despite your best efforts, you become the subject of an inquiry.
Recent significant state AG enforcement efforts include:
- Data security and breach notification: This has always been a bread-and-butter issue for state AGs, and the past few years have seen many individual and multistate actions involving data breaches and data security issues (see, e.g., Home Depot, Anthem). For example, recently, the New York Attorney General’s office announced the results of an investigation into credential stuffing, in which it found that attackers compromised 1.1 million online accounts at 17 well-known companies.
- Standalone “unfair or deceptive practices” (UDAP): Several states have brought actions alleging that a company’s privacy practices violate state prohibitions on unfair or deceptive practices, also known as “little FTC Acts.” For example, a coalition of state AGs announced that they are investigating Instagram and how it affects young users and their well-being.
- Children’s privacy: The federal Children’s Online Privacy Protection Act (COPPA) calls for dual federal and state enforcement, and in the past few years, state enforcement has certainly picked up. New Mexico announced a settlement with Google last month and has initiated a lawsuit against Rovio, maker of Angry Birds. New York settled allegations with Oath and YouTube. Other states like Washington and New Jersey have also settled COPPA lawsuits.
- Health: HIPAA has a federal-state enforcement scheme similar to COPPA’s, and states have stepped up HIPAA enforcement, with notable multistate enforcement actions in the past few years, like those against Anthem and Premera Blue Cross.
- Biometrics: Several states, including Texas and Illinois, have enacted laws governing the collection, retention, and disclosure of biometric data. The Texas AG has announced that it is investigating Facebook for a potential violation of its biometric privacy law. Notably, the Illinois law includes a private right of action, and has been the subject of significant litigation. For example, Facebook paid $650 million to settle a class action lawsuit based on alleged violations of the Illinois law.
- Data brokers: California, Nevada, and Vermont require registration of data brokers. Vermont announced its first enforcement action under its law, against Clearview AI, Inc.
- Broadband privacy: Maine has enacted broadband privacy legislation, which recently withstood a constitutional challenge by ISPs, but there has been no enforcement activity as of yet.
How can you avoid being in the state AG’s crosshairs?
- Be “in the know”: Be aware of privacy and security legislation in each state where you do business and determine if it applies to you. Monitor the status of pending legislation, and if you can, provide comments to shape it. You never know when it will be enacted into law and start the clock for compliance. Experienced privacy counsel can help you.
- Practice privacy-by-design: As you develop products and services, consider privacy from the ground up. Put someone in charge of these issues. Figure out what data you’re collecting, whether you need it, how you will store it (and for how long), and who will access it. Ask yourself, would consumers be surprised by how you are collecting, using, maintaining, or sharing data? If so, tread carefully.
- Implement reasonable security: Make sure you have a reasonable security program, with administrative, technical, and procedural safeguards. That means designating someone in charge, writing down your program, conducting a risk assessment, and mitigating risks through administrative policies, training, and technical measures.
- Examine your statements to consumers: Many state AG actions involve companies failing to abide by their statements to consumers. Make sure you’re substantiating your statements and communicating across the organization to make sure they continue to be true. If you’re providing consumers with choices, periodically make sure those choices are continuing to be honored and are not undermined by other settings.
- Get ahead of any stories: If you do experience a breach, or suspect upcoming press or social media attention about a privacy issue within your organization, it helps to be proactive. In some cases, state AG notification will be required; in others, it will be prudent to reach out, particularly if the public may not see the whole story.
So, now you’ve done everything right, yet you still receive an inquiry from a state AG. What should you do?
- Hire outside counsel: It helps to have people on board who may know the relevant staff and AGs. For multistate investigations, consider counsel who have been involved in these investigations, either on the government side or the private side.
- Implement a document hold: Set up a document hold within your organization, if you don’t have one in place already. Put someone in charge of the hold, develop its parameters, distribute a hold notice, ensure compliance, and modify the hold as necessary. Distribute periodic reminder notices.
- Establish communication with the staff of the state AG office: It can help to establish a relationship, offer to tell your story, and proactively present your case to clear up any misconceptions, rather than presenting responses in writing alone.
- Be prepared: This one may be obvious, but it will go a long way to establishing credibility if you know the facts and can answer follow-up questions. For example, if an administrative subpoena (also known as a Civil Investigative Demand, or CID) is too burdensome, don’t just make general assertions of burden—be specific about hours calculations, staff involved, and gigabytes of documents involved.
- Be forthright: Don’t feel that you need to stick too closely to the specific questions being asked if you have a story to tell. If there’s a mitigating fact or narrative, tell that up front. You may save yourself a lot of money by getting an investigation closed early.
For more information on state privacy and security laws and state AG enforcement efforts, or if you receive an inquiry from a state AG, contact Maneesha Mithal, Chris Olsen, Lydia Parnes, Tracy Shapiro, or Libby Weingarten.
[1] This advisory does not address California Consumer Privacy Act (CCPA) enforcement; a summary of CCPA enforcement actions can be found here.