Accounts of privacy law have focused on legislation, federal agencies, and the self regulation of privacy professionals. Crucial agents of regulatory change, however, have been overlooked: the state attorneys general (AGs). This Article is the first in-depth study of the privacy norm entrepreneurship of state attorneys general. Because so little has been written about this phenomenon, I engaged with primary sources by examining documentary evidence received through Freedom of Information Act (FOIA) requests submitted to attorney general offices around the country and interviewing state attorneys general and current and former career staff.
Much as Justice Louis Brandeis imagined states as laboratories of the law, offices of state attorneys general have been laboratories of privacy enforcement. State attorneys general have been nimble privacy enforcers whereas federal agencies have been more constrained by politics. Local knowledge, specialization, multistate coordination, and broad legal authority have allowed AG offices to fill in gaps in the law. State attorneys general have established baseline fair-information protections and expanded the frontiers of privacy law to cover sexual intimacy and youth. Their efforts have reinforced and strengthened federal norms, further harmonizing certain aspects of privacy and data security policy.
The privacy norm entrepreneurship of state attorneys general is ripe for assessment. In the past fifteen years, attorneys general have devoted significant time and energy to privacy and data security enforcement. State attorneys general have worked on privacy and data security issues individually, collectively, and through the National Association of Attorneys General (NAAG). (4) The Privacy Working Group, coordinated by NAAG, has enabled offices to share expertise and resources. (5) Some offices have led the charge; (6) others have played a supporting role by joining multistate efforts. (7)
State attorneys general have been on the front lines of privacy enforcement since before the intervention of federal agencies. (8) In the 1990s, while the Federal Trade Commission (FTC) was emphasizing self-regulation, state attorneys general were arguing that consumer protection laws required the adoption of Fair Information Practice Principles (FIPPs). (9) Then, as now, state unfair and deceptive trade acts and practices laws (known as "UDAP laws") were central to privacy-related enforcement activity.
In certain areas, the proactivity of state attorneys general has preceded that of their federal regulatory counterparts. Their offices established baseline protections for privacy policies, data-breach notification, do-not-track browser settings, and certain uses of bank-history databases. (10) Even as attorneys general shaped conceptions of what privacy enforcement should achieve, they extended privacy enforcement to new frontiers, including sexual intimacy and youth. (11)
State attorneys general have been nimble privacy enforcement pioneers, a role that for practical and political reasons would be difficult for federal agencies to replicate. Because attorneys general do not have to wrestle with the politics of agency commissioners or deal with layers of bureaucracy, they can move quickly on privacy and data security initiatives. Career staff have developed specialties and expertise growing out of a familiarity with local conditions and constituent concerns. Because attorneys general are on the front lines, they are often the first to learn about and respond to privacy and security violations. Because constituents express concern about privacy and data security, so in turn do state attorneys general who tend to harbor ambitions for higher office.
This is an auspicious time to study the contributions of state privacy enforcers. Even as Congress has been mired in gridlock, attorneys general have helped fill gaps in privacy law through legislation, education, and enforcement. They have worked with state lawmakers on consumer privacy issues. AG offices have set privacy and security norms in the absence of federal leadership, a trend that may escalate in the coming years. (12) They have reinforced and strengthened federal norms on data security among other issues. As California's Attorney General Kamala Harris aptly put it, "We are at an important inflection point, a convergence of AG interest in consumer protection, emerging technologies, and data privacy." (13) The result is the emergence of stronger privacy and data security protections.
To put into context the material obtained through FOIA requests, I conducted semi-structured interviews with state attorneys general from four states and former and current career staff from thirteen states. (16) Interviews focused on the following questions: In what respect has the AG's office worked on consumer privacy and data security concerns? How do privacy and data security issues come to your office's attention? Has the office worked on proposed state or federal privacy and data security legislation? Does the office devote resources to educating consumers and companies about best practices? Does the office meet with companies to discuss privacy and data security? Are particular investigative techniques and litigation strategies more effective than others? What legal authority does the office rely on when pursuing privacy and data security investigations? Are current laws, notably UDAP laws, sufficient to the task? What has been the office's role in multistate investigations concerning consumer privacy and data security? What are the strengths and weaknesses of informal agreements versus litigation? To what extent has the office worked with federal agencies on privacy and data security issues? Do staff have privacy training or expertise? Does the office have technical experts in house or on retainer? How have the FTC's guidance and white papers influenced enforcement activity? In what areas does the office look to the FTC or other federal agencies for guidance and leadership?
Interviews with career staff varied from interviews with state attorneys general. Discussions with staff tended to focus on the day-to-day experience of working on privacy and data security issues. Staff discussed the enforcement process, including the ins and outs of investigations, pros and cons of enforcement strategies, and practical challenges. They talked about their offices' legislative work and education efforts. Interviews with attorneys general focused on the bigger picture--the office's goals and priorities for privacy enforcement, the practical limits of their work, and the substantive areas in which their activity has had the biggest impact. Public comments of attorneys general and staff, views of privacy professionals, media coverage of AG enforcement, and scholarly perspectives on the work of attorneys general also informed my analysis.
THE PEOPLE'S PRIVACY LAWYERS
The office of the state attorney general has deep roots in American history. All thirteen colonies had offices of attorneys general whose role was to represent the sovereign in England. (17) After the Revolution, these offices were reestablished as state attorneys general under state constitutions or state statutes. (18) Today, all fifty states and six territories have an office of attorney general or its functional equivalent. (19)
The vast majority of attorneys general are publicly elected. (20) In designing a popularly elected AG's office, states aimed to "weaken the power of a central chief executive and further an intrabranch system of checks and balances." (21) The popular election of attorneys general helped...