State attorneys general (AGs) have in many ways been the tip of the spear on prioritizing consumer protection in conversations around emerging digital technologies—perhaps more so than even any federal government agency. With newsworthy data breach incidents, ransomware attacks, and personal data misuse allegations plaguing a new major U.S. company seemingly every week, state AGs are increasing looking to better understand this landscape and beef up their investigations and enforcement teams accordingly.
Just last week, the National Association of Attorneys General (NAAG) held a conference entitled, “The Surveillance Economy: How Attorneys General Protect Privacy, Safety, and Equality in the Information Age” on October 7th and 8th, 2021, in Burlington, Vermont. This conference brought together state AGs from across the country to hear from one another, as well as industry and consumer protection experts, about the issues of the day, ranging from benefits and concerns associated with artificial intelligence to regulation of cryptocurrency markets.
The conference also featured panel debates about whether, and how, the responsibility for enforcement of digital privacy should be allocated among state and federal authorities, or if instead there should only be one “cop on the beat.” This discussion gave way to another one about the role of private rights of action, particularly in data privacy legislation, a divisive issue hotly debated between governments, the business community, and consumer protection groups. Throughout these spirited discussions, the AGs in attendance made clear time and again that they intend to play a prominent role in addressing these emerging issues by leveraging their consumer protection authorities. Panelists from consumer protection organizations encouraged such engagement from the AGs and called for further funding for state-level oversight and enforcement.
The truism that “all companies today are tech companies,” combined with a clear appetite from state AGs to increase their role in investigating and suing companies who find themselves involved in a data privacy incident, even in the many cases where the company itself is a victim, means that companies need to develop a proactive and coherent plan to work with state AGs before such incidents occur. Many times, developing a strong working relationship with key state AG offices to educate them on a company’s processes, procedures, and best practices can make a world of difference when, inevitably, an issue occurs.