Privacy Daily is a service of Warren Communications News.
More Clarity

States' Privacy Band May Mean More Enforcement and Higher Fines

With few public details about states' privacy consortium, lawyers are questioning what the group's formation means for enforcement and fines in the future. April's announcement could be another sign that enforcement is increasing -- and more reason for companies to bolster compliance efforts, said multiple attorneys who work in privacy or commonly defend businesses facing state investigations.

“There's a heightened pressure on companies when they're facing an investigation by a coordinated front of state AGs,” Skadden’s William Ridgway told us. In another interview, Hinshaw’s Cathy Mulrow-Peattie said the group’s creation could foreshadow increased fines.

The bipartisan consortium of state privacy regulators, announced April 16, includes the California Privacy Protection Agency and attorneys general from California, Colorado, Connecticut, Delaware, Indiana, New Jersey and Oregon. They signed a memorandum of understanding “outlining the group's goals, including facilitating discussions of privacy law developments and shared priorities, with a focus on consumer protection across jurisdictions,” said the CPPA at the time (see 2504160037). “The Consortium holds regular meetings and coordinates enforcement, as appropriate, based on the members' common interests.”

It remains to be seen if the group's formation will lead to more enforcement actions, said Keturah Taylor, a Cozen O’Connor attorney who represents companies facing state AG investigations. "This consortium could be targeted more at education and policy development, or it could be targeted more at enforcement,” she said. "If we start seeing more enforcement actions coming out of the participating states that previously have not been particularly active," such as Oregon, Delaware and New Jersey, "that would be a sign that this is more of an enforcement generator rather than a policy development forum” focused on “the ins and outs of privacy law and how it should function.”

The establishment of the states' group facilitates resource sharing and demonstrates privacy is top of mind for regulators, said Taylor. Also, it may show "an inclination to get more aligned on what they're expecting nationwide companies to do" to navigate a patchwork of state privacy laws, the lawyer said. "Maybe they're realizing that they can benefit from being more aligned on their expectations of the companies that they're regulating, and they can also help companies -- who really are trying to do the right thing -- be compliant by being more consistent about what they're asking for."

Kelley Drye’s Paul Singer, another attorney who defends clients facing state AG investigations, said the new consortium signals that “certain states are going to continue to ramp up coordination and enforcement due to perceived gaps in the federal government” and that AGs “recognize that other state and federal agencies may serve as partners in enforcement efforts.”

That said, the group is “really just a formalization of the type of collaboration that has already been taking place among the states,” said Singer, noting that establishing the group might partly be a way to protect the confidentiality of communications among the regulators.

Mulrow-Peattie, a New York-based privacy attorney, said the lack of a national privacy law might have motivated the group's formation. “It shows that the states are gearing up on privacy enforcement, and it shows that they're going to coordinate” and pool resources, she said. For businesses, that could mean “higher fines and penalties … and more states investigating them.” However, “on the positive side,” it could also lead to more harmonization of how states enforce privacy laws, she said.

The fact that the group is holding regular meetings signals a serious commitment to privacy, added Mulrow-Peattie. It gives participating regulators an “easy process to collectively review a case against a company and escalate the potential risk and damages.”

In possibly good news for business, however, the announcement seems to show the enforcers understand the difficulty of complying with a patchwork of privacy laws across many states, the lawyer said. The group has an opportunity -- through its actions or advisories -- to clarify what’s required of companies, she added.

Ridgway, co-head of Skadden’s cybersecurity and data privacy practice, said he sees “the consortium as a sign of overall increased activity and focus” on privacy. It seems a “natural progression” from recent, aggressive hiring by AG offices to develop expertise in this area.

More Effective Enforcement

Ridgway drew a parallel with how states coordinated data breach investigations years ago. At first, following a breach, there might be one-off AG inquiries from states.

Soon, however, state AGs formed an informal group “so that if it was a pretty significant data breach,” the affected business would “almost immediately” be on a call with representatives from many states’ offices. “The state AGs probably saw” they were “more effective as an enforcement arm when they are coordinated.”

With data breaches previously, states tended to divide and conquer, said Ridgway. Often, one or two states were designated as the lead and others would divide work to help “deal with the resource constraints that all government bodies" have, said the lawyer, predicting that would happen with privacy enforcement also.

Seeing a similar pattern emerge with data privacy enforcement, which, so far, has mostly involved single-state probes, is a good “reason for folks to be doubling down on their compliance in this space, because this will be a pretty active area in the years to come.”

Ridgway added that there’s a key difference between privacy and the data breach space, where a specific event tends to trigger an investigation into whether a company has adequate cybersecurity. In data privacy, regulators can detect problems simply by reviewing a company’s website and reading its privacy policy, he said.

Taylor said it’s interesting to see a bipartisan group of states formalize a privacy group outside "the auspices of the other existing ways that states usually coordinate on privacy enforcement," such as through groups like the National Association of Attorneys General.

The new group's membership includes a mix of "the old privacy guard and offices that might have an interest in becoming more active in the privacy space,” added Taylor. It makes sense that Texas isn't in the group because its AG office is positioned as "out front" and independent, said the lawyer. Also, the Texas office is well-funded and well-staffed, so it doesn't need resource support from other states.

Singer, who worked at the Texas AG office for more than 20 years, said he “wouldn’t read anything into Texas, or any state, not joining the consortium.” Like most states, Texas "participates in working group conversations, leads multistate investigations, and often has informal conversations with other states on privacy trends and enforcement,” he said.

“The AG consumer protection bar is a small one, and the staff that focus on privacy enforcement is an even smaller group,” added Singer. “These attorneys all know each other well and are in constant communication on issues, and I don’t see that trend changing just because of this smaller consortium of states.”