State Attorneys General

2021 was another busy year for data privacy regulatory enforcement and litigation. With some distance to reflect on last year, we have prepared this post identifying and describing important trends from 2021 that can help provide insight into what to expect in the data privacy landscape in 2022.

Data Privacy Regulatory Enforcement Trends

Federal Trade Commission (FTC) and state enforcement action in 2021 centered on several key areas, including protecting children.

An FTC enforcement action last year alleged that the maker of an online coloring book application violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information about children who used the app without notifying their parents and obtaining their consent.  The allegations note that the app included a “Kids” category that was targeted to children.  The FTC further claimed that the app’s social media features collected personal information from users and that some parents, lacking knowledge of these features, may have inadvertently permitted their young children to use the app.
Continue Reading 2021 Trends in Privacy Regulatory Enforcement and Litigation

On May 16, 2017, Governor Jay Inslee signed into law H.B. 1493—Washington’s first statute governing how individuals and non-government entities collect, use, and retain “biometric identifiers,” as defined in the statute.  The law prohibits any “person” from “enroll[ing] a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.”  It also places restrictions on the sale, lease, and other disclosure of enrolled biometric identifiers.  With the new law, Washington has become only the third state after Illinois and Texas to enact legislation that regulates business activities related to biometric information.  Although the three laws seek to provide similar consumer protections around the collection, use, and retention of biometric data, the Washington law defines the content and activity it regulates in different terms, and, similar to Texas, but unlike Illinois, the Washington law does not provide a private right of action.

The Washington statute, as compared to existing biometrics laws, is notable for its definition of “biometric identifier.”   In the law, a “biometric identifier” is “data generated by automatic measurements of an individual’s biological characteristics,” including “fingerprints, voiceprints, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.”  Washington’s definition of “biometric identifier” may be broader than that in the Texas statute, but Washington’s definition does not specifically provide for a “scan of hand or face geometry,” as is the case in the Illinois statute.  Washington’s definition of “biometric identifiers” specifically excludes “physical or digital photograph, video or audio recording or data generated therefrom” (in addition to certain health-related data), suggesting the statute will have limited application in the context of facial recognition technology.
Continue Reading Washington Becomes the Third State with a Biometric Law

This morning, the House Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Michael Burgess (R-TX), held a hearing to determine what elements should be included in federal data breach legislation.  Despite the momentum for legislation created by high-profile breaches at retailers like Target and Home Depot, and most recently at Sony, ongoing efforts in both the House and Senate to replace with a national standard the 47 currently existing state data breach laws so far have been unsuccessful.  This activity in the House is yet another attempt to enact a federal law governing data security, and today’s hearing made clear that many practical questions still remain for lawmakers to “get it right” on a data breach bill, as Rep. Fred Upton (R-MI) said.
Continue Reading House Debates Federal Data Breach Legislation

On Monday, the International Association of Privacy Professionals (IAPP) hosted a discussion that featured state and federal privacy regulators.  The panel included Maneesha Mithal, Associate Director for the Division of Privacy and Identity Theft at the Federal Trade Commission; Marty Jackley, Attorney General of South Dakota; and Bill Sorrell, Attorney General of Vermont.  The panel was intended to discuss privacy generally, however, the conversation quickly focused on the latest hot topic:  data breach. 

It was acknowledged at the outset of the conversation that the important role state attorneys general play in regulating privacy, both individually and in tandem, is often overlooked.  Ms. Mithal suggested that, for example, while the EU is familiar with the FTC’s enforcement authority and the existence of some federal law, the “story often not told” is that there are “cops on the beat,” and specifically, that the United States has robust state enforcement of privacy protections.Continue Reading A Conversation with State and Federal Privacy Regulators Turns to State Data Breach Enforcement

Google has entered into a $17 million settlement agreement with attorneys general from 37 states and the District of Columbia over allegations that the company engaged in unauthorized tracking of users of Apple’s Safari browser in 2011 and 2012.  The allegations stemmed from 2012 reports that Google had bypassed Safari’s default privacy settings and placed

The New Jersey Attorney General and Division of Consumer Affairs have announced a settlement with 24x7digital, the developer of the “TeachMe” mobile apps for preschool through second-grade children, to resolve claims that the company violated the federal Children’s Online Privacy Protection Act (“COPPA”).   

The state alleged that children were encouraged to submit their full names, along with a

As we previously discussed here, the House of Representatives is considering a bill to amend the Telephone Consumer Protection Act (“TCPA”). The bill, known as the Mobile Informational Call Act of 2011 (H.R. 3035), has bipartisan and industry support but also has drawn opposition from some consumer groups and state attorneys general.

On December 29, President Obama signed the “Restore Online Shoppers’ Confidence Act” into law.  The legislation prohibits e-commerce retailers from passing customers’ billing information to post-transaction third-party sellers, and also requires post-transaction sellers to meet certain requirements before charging consumers’ financial accounts.  Specifically, the post-transaction seller must (1) disclose all material terms of the transaction, including the fact that the post-transaction seller is not affiliated with the initial retailer; and (2) obtain billing information and affirmative consent for the transaction directly from the customer. 

The Act arose out of an investigation by the Senate Committee on Commerce, Science, and Transportation into the sales practices of Affinion, Vertrue, and Webloyalty.  These post-transaction sellers offered membership club enrollment to consumers who were completing transactions at popular online retail sites, although consumers often did not understand that they were entering into a separate relationship with the membership club or that they would be charged periodic fees. Continue Reading New Law Restricts Misleading Online Sales Practices