The willingness of U.S. and state-level privacy enforcers to crack down on alleged privacy harms has been on display throughout 2024. According to enforcers speaking at IAPP Privacy. Security. Risk. 2024, the enforcement work will only continue to strengthen based on bandwidth and growing legal tools.
Representatives from the U.S. Federal Trade Commission, the California Privacy Protection Agency and attorney general offices in Colorado and Texas came together on a panel discussion to unpack their respective workloads over the last year while offering tips regarding their near- and long-term priorities.
The FTC and Texas representatives spoke of their more aggressive track records of late, explaining respective strings of enforcement action in recent months. Representatives from California and Colorado outlined their efforts to promote compliance and craft regulations under unique rulemaking authority, while representatives from those offices indicated "seeds are planted" and "germinating" on potentially impactful enforcement actions.
Privacy and consumer protection
Between the FTC's privacy enforcement powers and the 19 enacted comprehensive state privacy laws across the U.S., the regulatory toolkits for potential privacy violations are expanding.
However, the privacy-specific enforcement instruments are being added to a broader consumer protection belt. Depending on the jurisdiction and interpretation of a violation, regulators may dip into a consumer protection statute for a privacy claim rather than invoking the comprehensive privacy law.
Texas is among the states applying the full complement of its consumer protection tools, with actions and ongoing investigations that are not siloed to one statute.
Texas Attorney General's Office Director of Data Privacy and Security Enforcement Tyler Bridegan, CIPP/E, explained the depth of statutes the Texas Legislature has provided his office in recent years, listing a handful of laws that could apply to privacy harms. Recent examples include applying the Texas Deceptive Trade Practices Act in a privacy lawsuit against General Motors and issuing Data Broker Law noncompliance notices to more than 100 companies.
Bridegan said his team is "absorbing information" about the data ecosystem in order to apply the proper statute to a given claim.
"I think we try to be intentional with our investigations about using those different laws," Bridegan said. "One, we're trying to be responsive to the legislature's mandate. And two, we want to try to help set precedent in different areas."
FTC Regional Director, Western Region Los Angeles, Maricela Segura offered a similarly extensive view on how privacy and consumer protection are in lockstep with one another.
She pointed to the agency's settlement with NGL Labs and its co-founders in July over Children's Online Privacy Protection Act Rule and Restore Online Shoppers’ Confidence Act claims. The case had elements of privacy and deception, which fall into the bigger consumer protection bucket.
"We're trying to use all the tools at our disposal to attack the problem," said Segura, whose unit worked exclusively on the NGL settlement with the Los Angeles District Attorney’s Office. "Notice and consent alone is not sufficient sometimes to attack some of the practices we see out there, so you'll see us lean into our unfairness authority."
She added the unfairness allegations arise with "an unprepared business practice," which is characterized by the likeliness of "substantial" consumer harm that is "unavoidable" and "is not outweighed by the benefits to consumers and competition."
Regulator coordination
Notably, enforcers were very open about their growing engagement with one another.
The U.S. comprehensive state privacy law network is increasing fears of fragmentation and compliance issues with each new law that comes to pass. However, regulators do not see the patchwork in the same light thanks to their collaborations.
"The multi-state (enforcer's network) has been in existence for decades at this point," said Bridegan, who pointed to states coalescing around common harms while maintaining "strong relationships" and "great communication" as it relates to information sharing and interpretations of similar provisions contained in states' respective laws.
Bridegan added, "Texas' (Data Privacy And Security Act) was designed to really not be overly burdensome on companies and take into account what other states are doing. So we are always willing to hear from companies about the reasonable basis for why they did a certain action."
The coordination among enforcers is not far off from the interstate partnerships state lawmakers are forging as they draft comprehensive privacy laws. Bill sponsors in recent years made clear that dialogue with legislators in other states is necessary and intentional to arrive at foundational principles consumers and businesses can count on.
Enforcers are working with the same type of goal. Jill Szewczyk, the Colorado attorney general office's assistant attorney general for data privacy and cybersecurity, explained there are many formal channels for enforcers to collaborate through. She spoke of a recent enforcement symposium that drew staff from 44 states while noting states are also providing stakeholder feedback in Colorado's rulemaking efforts.
The informal connections are yielding results as well.
"I will have lunch with other regulators and come with a really annoying list of questions for them. Just when they don't think they're going to have to work," Szewczyk said. "I think we have a fairly close-knit group of regulators."
Joe Duball is the news editor for the IAPP.