The privacy policymaking of state attorneys general.

• Author: Citron, Danielle Keats

ABSTRACT

Accounts of privacy law have focused on legislation, federal agencies, and the self regulation of privacy professionals. Crucial agents of regulatory change, however, have been overlooked: the state attorneys general (AGs). This Article is the first in-depth study of the privacy norm entrepreneurship of state attorneys general. Because so little has been written about this phenomenon, I engaged with primary sources by examining documentary evidence received through Freedom of Information Act (FOIA) requests submitted to attorney general offices around the country and interviewing state attorneys general and current and former career staff.

Much as Justice Louis Brandeis imagined states as laboratories of the law, offices of state attorneys general have been laboratories of privacy enforcement. State attorneys general have been nimble privacy enforcers whereas federal agencies have been more constrained by politics. Local knowledge, specialization, multistate coordination, and broad legal authority have allowed AG offices to fill in gaps in the law. State attorneys general have established baseline fair-information protections and expanded the frontiers of privacy law to cover sexual intimacy and youth. Their efforts have reinforced and strengthened federal norms, further harmonizing certain aspects of privacy and data security policy.

Although certain systemic practices enhance AG privacy policymaking, others blunt its impact, including an overreliance on weak informal agreements and a reluctance to issue closing letters identifying data practices that comply with the law. This Article offers ways state attorneys general can function more effectively through informed and formal proceedings. It addresses concerns about the potential pile-up of enforcement activity, federal preemption, capture, and the dormant Commerce Clause. It urges state enforcers to act more boldly in the face of certain shadowy data practices.

INTRODUCTION

Accounts of privacy law have focused on legislation, (1) federal agencies, (2) and the self-regulation of privacy professionals. (3) Crucial agents of regulatory change, however, have been neglected: the state attorneys general. This Article fills that void with the first in-depth study of the privacy policymaking of state attorneys general.

The privacy norm entrepreneurship of state attorneys general is ripe for assessment. In the past fifteen years, attorneys general have devoted significant time and energy to privacy and data security enforcement. State attorneys general have worked on privacy and data security issues individually, collectively, and through the National Association of Attorneys General (NAAG). (4) The Privacy Working Group, coordinated by NAAG, has enabled offices to share expertise and resources. (5) Some offices have led the charge; (6) others have played a supporting role by joining multistate efforts. (7)

State attorneys general have been on the front lines of privacy enforcement since before the intervention of federal agencies. (8) In the 1990s, while the Federal Trade Commission (FTC) was emphasizing self-regulation, state attorneys general were arguing that consumer protection laws required the adoption of Fair Information Practice Principles (FIPPs). (9) Then, as now, state unfair and deceptive trade acts and practices laws (known as "UDAP laws") were central to privacy-related enforcement activity.

In certain areas, the proactivity of state attorneys general has preceded that of their federal regulatory counterparts. Their offices established baseline protections for privacy policies, data-breach notification, do-not-track browser settings, and certain uses of bank-history databases. (10) Even as attorneys general shaped conceptions of what privacy enforcement should achieve, they extended privacy enforcement to new frontiers, including sexual intimacy and youth. (11)

State attorneys general have been nimble privacy enforcement pioneers, a role that for practical and political reasons would be difficult for federal agencies to replicate. Because attorneys general do not have to wrestle with the politics of agency commissioners or deal with layers of bureaucracy, they can move quickly on privacy and data security initiatives. Career staff have developed specialties and expertise growing out of a familiarity with local conditions and constituent concerns. Because attorneys general are on the front lines, they are often the first to learn about and respond to privacy and security violations. Because constituents express concern about privacy and data security, so in turn do state attorneys general who tend to harbor ambitions for higher office.

This is an auspicious time to study the contributions of state privacy enforcers. Even as Congress has been mired in gridlock, attorneys general have helped fill gaps in privacy law through legislation, education, and enforcement. They have worked with state lawmakers on consumer privacy issues. AG offices have set privacy and security norms in the absence of federal leadership, a trend that may escalate in the coming years. (12) They have reinforced and strengthened federal norms on data security among other issues. As California's Attorney General Kamala Harris aptly put it, "We are at an important inflection point, a convergence of AG interest in consumer protection, emerging technologies, and data privacy." (13) The result is the emergence of stronger privacy and data security protections.

This Article has three Parts. Part I provides an overview of the state attorney general's consumer-privacy mission. It identifies AG offices leading consumer privacy efforts and offices supporting their work. Part II describes the regulatory tools available to states to shape privacy practices. Then, it documents key areas where offices of attorneys general have set, shaped, and entrenched privacy and data security norms. Part III evaluates the strengths and weaknesses of AG privacy policymaking and offers suggestions for improvement. It addresses concerns about the potential pile-up of enforcement activity and interest group capture. It explores limits imposed by federal preemption and dormant Commerce Clause doctrine. Part III ends with suggestions about potential new directions for privacy enforcement.

Before turning to my analysis, let me explain my methodology. Because so little had been written about the privacy enforcement of state attorneys general, my research focused on primary sources. I filed open sunshine requests with AG offices around the country. FOIA requests sought materials related to AG offices' education campaigns, legislative efforts, and enforcement activity related to consumer privacy and data security. (14) An overwhelming majority of states responded, providing crucial evidence of AG privacy policymaking. (15)

To put into context the material obtained through FOIA requests, I conducted semi-structured interviews with state attorneys general from four states and former and current career staff from thirteen states. (16) Interviews focused on the following questions: In what respect has the AG's office worked on consumer privacy and data security concerns? How do privacy and data security issues come to your office's attention? Has the office worked on proposed state or federal privacy and data security legislation? Does the office devote resources to educating consumers and companies about best practices? Does the office meet with companies to discuss privacy and data security? Are particular investigative techniques and litigation strategies more effective than others? What legal authority does the office rely on when pursuing privacy and data security investigations? Are current laws, notably UDAP laws, sufficient to the task? What has been the office's role in multistate investigations concerning consumer privacy and data security? What are the strengths and weaknesses of informal agreements versus litigation? To what extent has the office worked with federal agencies on privacy and data security issues? Do staff have privacy training or expertise? Does the office have technical experts in house or on retainer? How have the FTC's guidance and white papers influenced enforcement activity? In what areas does the office look to the FTC or other federal agencies for guidance and leadership?

Interviews with career staff varied from interviews with state attorneys general. Discussions with staff tended to focus on the day-to-day experience of working on privacy and data security issues. Staff discussed the enforcement process, including the ins and outs of investigations, pros and cons of enforcement strategies, and practical challenges. They talked about their offices' legislative work and education efforts. Interviews with attorneys general focused on the bigger picture--the office's goals and priorities for privacy enforcement, the practical limits of their work, and the substantive areas in which their activity has had the biggest impact. Public comments of attorneys general and staff, views of privacy professionals, media coverage of AG enforcement, and scholarly perspectives on the work of attorneys general also informed my analysis.

1. THE PEOPLE'S PRIVACY LAWYERS

   The office of the state attorney general has deep roots in American history. All thirteen colonies had offices of attorneys general whose role was to represent the sovereign in England. (17) After the Revolution, these offices were reestablished as state attorneys general under state constitutions or state statutes. (18) Today, all fifty states and six territories have an office of attorney general or its functional equivalent. (19)

   The vast majority of attorneys general are publicly elected. (20) In designing a popularly elected AG's office, states aimed to "weaken the power of a central chief executive and further an intrabranch system of checks and balances." (21) The popular election of attorneys general helped...