State attorneys general have long served as advocates for consumer protection, making them well-positioned to enforce privacy laws. In addition to their individual efforts, these attorneys general often collaborate through organizations like the National Association of Attorneys General to champion the privacy rights of their constituents.
In the news: 24 state Attorney Generals sign letter in support of stronger HIPAA reproductive healthcare protections
Most states have their own consumer protection laws, which typically mirror the Federal Trade Commission (FTC) Act and prohibit unfair and deceptive practices. State attorneys general have been actively enforcing these laws to safeguard consumers' interests.
One notable example is the Massachusetts attorney general's involvement in a coalition of 40 attorneys general in a settlement with Google. This settlement resulted in a $391.5 million payment, with $9.3 million allocated to the Commonwealth, after Google was found to have misled consumers about its location tracking practices, in violation of state consumer protection laws.
Many states have enacted laws that require companies to report breaches and take responsibility for their data security measures. State attorneys general enforce these data breach notification laws and hold companies accountable for any negligence.
The Pennsylvania attorney general, as part of a coalition of seven attorneys general, reached an $8 million settlement with Wawa, a convenience store chain. This settlement came after a data breach that compromised approximately 34 million payment cards due to Wawa's failure to implement reasonable security measures.
Read also: The basic elements of a HIPAA compliant breach notification
Certain federal statutes, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Children's Online Privacy Protection Act (COPPA), empower state attorneys general to enforce violations affecting residents of their respective states. This authority allows them to hold businesses accountable for non-compliance with federal privacy regulations.
One notable case is the New York attorney general's participation in a COPPA enforcement action against Google and YouTube. The result was a settlement payment of $34 million to New York as part of a $170 million national settlement.
Read more: Understanding HIPAA violations and breaches
Several U.S. states have passed consumer data security statutes, each entrusting their attorneys general with the responsibility of enforcing these laws. California stands out as the only state to establish a new regulatory agency, the California Privacy Protection Agency. The remaining states rely on their attorneys general for enforcement.
Funding and resources allocated for enforcement impact state authorities' effectiveness in pursuing legal actions. For example, California's attorney general reached a stipulated judgment with Sephora, Inc., resulting in a $1.2 million settlement. This settlement addressed Sephora's violations of the California Consumer Privacy Act (CCPA), including the failure to disclose the sale of personal information and the inadequate processing of user requests to opt out of data sales.
Related: HIPAA Compliant Email: The Definitive Guide