State attorneys general have long served as advocates for consumer protection, making them well-positioned to enforce privacy laws. In addition to their individual efforts, these attorneys general often collaborate through organizations like the National Association of Attorneys General to champion the privacy rights of their constituents.
In the news: 24 state Attorney Generals sign letter in support of stronger HIPAA reproductive healthcare protections
Enforcement of state consumer protection laws
Most states have their own consumer protection laws, which typically mirror the Federal Trade Commission (FTC) Act and prohibit unfair and deceptive practices. State attorneys general have been actively enforcing these laws to safeguard consumers' interests.
One notable example is the Massachusetts attorney general's involvement in a coalition of 40 attorneys general in a settlement with Google. This settlement resulted in a $391.5 million payment, with $9.3 million allocated to the Commonwealth, after Google was found to have misled consumers about its location tracking practices, in violation of state consumer protection laws.
Enforcement of state data breach notification laws
Many states have enacted laws that require companies to report breaches and take responsibility for their data security measures. State attorneys general enforce these data breach notification laws and hold companies accountable for any negligence.
The Pennsylvania attorney general, as part of a coalition of seven attorneys general, reached an $8 million settlement with Wawa, a convenience store chain. This settlement came after a data breach that compromised approximately 34 million payment cards due to Wawa's failure to implement reasonable security measures.
Read also: The basic elements of a HIPAA compliant breach notification
Enforcement of federal law
Certain federal statutes, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Children's Online Privacy Protection Act (COPPA), empower state attorneys general to enforce violations affecting residents of their respective states. This authority allows them to hold businesses accountable for non-compliance with federal privacy regulations.
One notable case is the New York attorney general's participation in a COPPA enforcement action against Google and YouTube. The result was a settlement payment of $34 million to New York as part of a $170 million national settlement.
Read more: Understanding HIPAA violations and breaches
Enforcement of state consumer privacy laws
Several U.S. states have passed consumer data security statutes, each entrusting their attorneys general with the responsibility of enforcing these laws. California stands out as the only state to establish a new regulatory agency, the California Privacy Protection Agency. The remaining states rely on their attorneys general for enforcement.
Funding and resources allocated for enforcement impact state authorities' effectiveness in pursuing legal actions. For example, California's attorney general reached a stipulated judgment with Sephora, Inc., resulting in a $1.2 million settlement. This settlement addressed Sephora's violations of the California Consumer Privacy Act (CCPA), including the failure to disclose the sale of personal information and the inadequate processing of user requests to opt out of data sales.
In the news
In 2024, state data privacy laws in the US have become more varied and challenging for businesses to navigate. With seven more states adding their own laws, bringing the total to nineteen, states are moving away from a one-size-fits-all approach. Maryland’s new law stands out with its stricter limits on data collection, setting an example that might influence future laws. Legislative efforts in Vermont and Maine hint at a push for stronger protections despite opposition. As more states adjust or introduce privacy rules, companies need flexible, proactive strategies to keep up with these changes and protect consumer trust.
FAQs
What role do state attorneys general play in enforcing data privacy laws?
State attorneys general are primary enforcers of state-specific privacy laws, working to protect consumer data and privacy rights. They enforce state and sometimes federal laws, ensuring businesses comply with the relevant privacy standards.
How do state and federal data privacy laws interact when enforced by state attorneys general?
While federal privacy laws like HIPAA provide a baseline, many states have more stringent standards. State attorneys general can enforce both federal and state laws, meaning companies must adhere to both sets of regulations to avoid overlapping enforcement actions.
Can multiple states enforce privacy laws against a single business simultaneously?
Yes, state attorneys general can collaborate across states, often forming coalitions to address widespread violations. This multi-state approach can lead to significant settlements and requires companies to prioritize privacy compliance across all states.
Are state attorneys general involved in enforcing laws related to data breaches?
Absolutely. Most states have data breach notification laws that mandate businesses to disclose breaches and safeguard data security. State attorneys general are responsible for holding companies accountable under these laws, as demonstrated in cases like the Wawa settlement.
How does California’s privacy enforcement differ from other states?
California has established a dedicated regulatory body, the California Privacy Protection Agency, which works alongside the state attorney general. This unique approach enhances California's ability to enforce its privacy laws, including the California Consumer Privacy Act (CCPA), more comprehensively.
Related: HIPAA Compliant Email: The Definitive Guide
Farah Amod
