State Enforcers Say They Won't Play 'Gotcha' With Privacy Laws
State privacy officials in Delaware and New Hampshire aren’t intentionally looking to catch businesses breaking rules, they told an International Association of Privacy Professionals webinar Wednesday. Both states’ privacy laws took effect Jan. 1 (see 2501060066).
Sign up for a free preview to unlock the rest of this article
“We’re not really interested in playing games of gotcha,” said Brandon Garod, chief of the New Hampshire AG office’s Consumer Protection and Antitrust Bureau. Instead, the office wants to give businesses tools so they can comply and then find “bad actors who are not complying despite being given all the opportunities to do so.”
The Delaware AG office’s "objective is to promote privacy … not to have enforcement actions,” said the state’s Deputy Attorney General John Eakins. "When we're examining compliance for data privacy, we're looking for institutional buy-ins of privacy" from corporate leaders, he said. The AG office isn’t “looking for ticky-tack … technical violations, although we will enforce them if we need to."
Moreover, New Hampshire will consider a company’s size initially, said Garod: Smaller companies are subject to the same requirements, but there "needs to be some discretion and understanding from enforcers that ... compliance will not be as quick and will not be as easily achieved as those that have ... unlimited resources to get themselves in compliance."
Eakins, though, warned companies not to assume they can ignore privacy rules. Even if an entity "technically [is] not covered" under the privacy law’s applicability threshold, it doesn't mean another measure doesn't apply, he said. For example, an unfair practice under privacy law could also be an unfair practice under Delaware’s consumer fraud act, he noted. Eakins added that Delaware has an online privacy law from 2016 with no threshold other than that it covers internet businesses. Also, the privacy law could cover an app developer with as few as three employees, said Eakins: Companies must consider how much personal data they collect.
As the states begin to enforce their new laws, privacy policies are at the “forefront” of Garod’s mind, said the New Hampshire official: They should be easy to find and use. Universal opt-out mechanisms are also key because it’s unreasonable to expect consumers to opt out from every company separately, he said. One of the biggest challenges ahead is getting consumers comfortable with how to exercise their privacy rights, especially elderly users, he added.
Sensitive data including location-based data will be an enforcement priority for many states, said Eakins, alluding to a Texas lawsuit filed against Allstate earlier this week (see 2501130047). Also, the Delaware official said he sees room for AI regulation within state privacy laws, including on automated decision-making technology and prohibiting using personal information to discriminate. No need for a “completely new law,” he said.
Garod expects state AGs’ history of collaboration will continue with privacy laws. Eakins agreed, adding that enforcement in California and Texas shows it’s a bipartisan issue.