Meghan Stoppel, who spent over a decade serving as an Assistant Attorney General, and later a Consumer Protection Chief, to both Democratic and Republican state attorneys generals, talks to Andy Baer, Chair of Cozen O’Connor’s Technology, Privacy and Data Security practice, about how state AGs are weighing in on both policy and enforcement with respect to privacy.
Andy: Meghan, the state privacy legislation landscape is evolving rapidly, as you discussed in your recent article in WestLaw. What other “hot” topics in privacy drew the state AGs’ attention in 2021? How might that affect their priorities in 2022? Are there any takeaways for the business community?
Meghan: No doubt, 2021 was a revealing year. We saw state AGs publicly express concern, in multiple forums, about algorithms and the potential for bias-based discrimination in automated decision-making. A number of AGs called for both cooperation and increased transparency from the business community, while the D.C. Attorney General introduced his own legislation in late 2021 to ban “algorithmic discrimination.” And although the AGs did not announce any formal enforcement actions in this area in 2021, I would not be surprised if investigations are already underway. Businesses that rely on algorithms to make automated decisions should be aware of increased AG attention in this area, especially with respect to essential products and services such as housing and financial products (e.g. credit).
2021 was also a remarkable year for ransomware and cybersecurity – a fact which did not escape the AGs’ attention. We saw the California AG issue a reminder for health care facilities and providers in August, outlining the minimum steps those entities should take to protect patient data from potential attacks. Then, at the beginning of this year, New York announced the findings from its 2021 “credential stuffing” investigation. Along with a press release, the AG issued guidance for businesses on how to protect themselves from credential stuffing – a common attack vector used online. While these materials are certainly helpful, the more important lesson for businesses is, “Ignore this advice at your peril.” Businesses risk not only being the subject of an attack by failing to implement the recommended safeguards, they also risk being the target of an AG enforcement action.
Finally, we know from the parallel lawsuits filed against Google in January that location tracking has been on the radar of several state AGs since at least 2018. Right now, the lawsuits only involve four AGs from D.C., Indiana, Texas and Washington, but the bipartisan nature of this coalition indicates substantial concern within the state AG community about location tracking, in general, and the related disclosures made to consumers. We will be watching this litigation closely because the AGs also have alleged various consumer protection violations related to Google’s use of “dark patterns” – or design tricks allegedly used to circumvent or manipulate consumer choices. We saw the FTC articulate its concerns regarding dark patterns in 2021, and I think we will continue to see state AGs (and the FTC) focus on this issue in 2022. To the extent dark patterns are purportedly used to influence consumer consent regarding the collection and use of personal information, these types of cases will certainly bolster the state AGs’ calls for robust privacy legislation at the state level.
Andy: With more state laws on the books, how will the state AGs continue to shape the debate in Washington D.C. over federal privacy legislation? When the FTC initiates rulemaking on this topic, should we expect to hear from the AGs?
Meghan: With the 2022 midterms quickly approaching, and little consensus on existing privacy proposals in D.C., I think few privacy advocates are holding out hope for movement this year on federal legislation. But in any federal debate the state AGs will continue to be vocal opponents of any proposal that undermines their ability to protect consumers, including any language that purports to preempt existing and more expansive state laws – an objection that the state AGs have lodged repeatedly with Congress since at least 2005. In a July 2015 letter regarding federal breach notification legislation, for example, 47 state AGs told Congress that “any additional protections afforded consumers by a federal law must not diminish the important role states already play protecting consumers[.]”
In fact, as more states enact increasingly comprehensive laws governing the collection and use of consumer data, I believe it will be increasingly difficult for Congress to pass legislation that preempts such laws – despite the fact that the mere existence of these laws seemingly gives businesses a better argument regarding the need for a federal privacy law.
Rather, the longer Congress takes to act on this issue, the more time the state AGs have to demonstrate their own effectiveness and expertise in this area. As the laws in Virginia, Colorado and Utah come into effect in 2023, and as California continues to enforce its Consumer Privacy Act, I expect the AGs to aggressively publicize both their educational material and their enforcement efforts – if for no other reason than to demonstrate to policymakers at home and in D.C. that the states are well positioned to respond to consumers’ privacy concerns.
This will certainly be the gist of any comments the state AGs file with the Federal Trade Commission during the agency’s impending rulemaking “to curb lax security practices” and otherwise “limit privacy abuses.”  Although the FTC has yet to publish proposed rules on these topics, the state AGs will more than likely weigh in – both in support of any rule(s), but also to remind the FTC that the states are uniquely positioned to detect and respond to emerging privacy concerns through their existing consumer protection authority and their own state privacy laws. The AGs made similar assertions in a comment filed with the FTC as recently as 2018, following the agency’s announcement that it would hold public hearings on “Competition and Consumer Protection in the 21st Century.” I was the Consumer Protection Chief in Nebraska (a state that joined the comment letter) at that time and in the letter the AGs noted their “significant expertise in state and federal privacy laws and regulations” dating back to the 1990s.
Andy: Thanks, Meghan, for sharing your insights with readers of Cyber Law Monitor. It’s been great talking with you.