Understanding the AG’s Role in Consumer Data Protection

By Antonia Dumas, Esq.

Two trends are rapidly changing the legal liabilities of data privacy and cybersecurity: (1) private rights of action and (2) Attorney General enforcement actions. Many states are providing increasing ability for both the Attorneys General and individuals to enforce newly adopted privacy requirements. And, these methods of holding a company liable for the personal information collected are not mutually exclusive. 

Yes, you can be confronted on multiple fronts, by both private and public adversaries, and required to defend your privacy and security practices.

On the one hand, companies can face private lawsuits, especially as more states expressly allow for such actions within newly adopted privacy regulation. The most recent example of this trend is the California Consumer Privacy Act of 2018 (“CCPA”), which went into effect on January 1, 2020. Already, a number of new lawsuits testing this new private right of action are pending in California courts (you can read more on this topic in our prior post, “2020 is Here and Data Subjects Are Ready To Execute Their Rights Under the CCPA”).

Even though private rights of action for data privacy are new to the US, the second rapidly growing area of liability is the increasing role of government agencies, and state Attorneys General, in enforcing privacy protections. This evolution is not happening in a vacuum; it builds on the evolving framework of general consumer protection enforcement and litigation, a common role for government agencies in protecting individuals from private business. More and more, data privacy violations beyond just data breaches are a focal point of Attorney General enforcement under the umbrella of consumer protection.

And, while there is substantial information available to consumers to understand how to initiate an investigation by a state Attorney General’s office, many businesses are unaware of the process they could undergo with the state Attorney General’s office if an investigation is initiated regarding their data privacy and security activities. But, it is important to understand government enforcement, and how best to prepare for a potential knock on the proverbial front door.

Let’s shed some light on this process (and, be thankful if you do not already have this knowledge through first hand experience!).  

AG Role In Data Protection  

State Attorneys General (AG or AGs) consider themselves the people’s attorney (i.e., the attorney representing the interest of the state’s residents). The AG office usually has separate sections and divisions, of which (in most states) the consumer protection function has the strongest presence.

AG Role 

AGs are the top legal officers of their state or territory. On the one hand, they advise and represent their state legislature and agencies. On the other hand, they have the key role of being the “People’s Lawyer” for their residents. Most attorneys general are elected (e.g., California, Illinois, Massachusetts, Nevada, District of Columbia, etc.) though a few are appointed by the governor (e.g., New Hampshire, Tennessee, Wyoming, etc.).

AG Authority 

AGs are usually granted authority to bring suit on behalf of their residents and maintain a broad pre-litigation discovery power which allows them to conduct investigations to determine violations of the law (including issuing demands for records and testimony). 

Sources of data privacy related authority for enforcement include the following: 

Generally, investigatory powers are granted to a state AG via state consumer protection legislation (e.g., the CA AG under the CCPA and DC AG under DC’s breach notification law). The requirements that trigger the AG’s investigatory power are usually subjective and based on the AG’s determination that the business has engaged, is currently engaging or is about to engage in unlawful practices affecting consumers. This is often based on the presentation of a complaint by a consumer, but in the case of an independent AG, it may be triggered by the AG’s own judgment and concern to protect the consumer. The applicable state law will usually delineate the AG’s authority, investigatory activities and limitations.

AG Enforcement Activities 

Some well-known examples of AG enforcement activities include single-state investigations and settlements such as those against Zoom (by the NY AG, which recently decided not to sue), Aetna (by the CA AG), Equifax (by the Mass AG) and others, as well as multi-state enforcement activities including Target (by 48 states) and Uber (by 50 states).

Evolution of AG Enforcement 

In a virtual panel presentation by the Attorney General for DC, Karl A. Racine, and other prior members of the DC AG office, the discussion focused on the evolution and trends of AG enforcement. The panelists highlighted some factors that demonstrate that the AG offices around the country are preparing to take on more investigations and litigation:

  • An increased number of independent AGs (i.e., elected by state residents); 
  • An increase in available funds for staffing and complex litigation experience to handle cases in-house (e.g., creation of litigation support funds in DC); 
  • An increase in resources to rely on outside consumer protection lawyers (e.g., the DC AG stated it relies more and more on outside counsel); 
  • Emerging alliances between AGs across states; and 
  • Proposed creation of privacy agencies (e.g., CA November ballot initiative for creating a new privacy agency to enforce CCPA).

This evolution coincides with the emergence of data privacy regulations across the country (discussed above), defined data security requirements (like the NY DFS), and the evolution of federal enforcement actions led by the Federal Trade Commission (FTC).

What To Expect for Future AG Enforcement 

The DC AG panel discussion supported our observation that enforcement actions in consumer protection and data privacy will increase (especially post-Covid-19). It was mentioned that generally there is an increased desire among consumers to file complaints, and even to litigate rather than settle. There has been a general trend in consumer protection of an increased need for an AG to step in to protect consumer rights, which the DC AG commented is due to the challenges consumers face in bringing suits on their own because of mandatory arbitration clauses or harder rules for establishing a class in class action cases. This is heightened in the data privacy context, where consumers often lack transparency into the data being collected and subsequently processed.

Also, it is likely that there will be a general shift beyond primarily targeting the dangers and consequences of data breaches. The panel highlighted that the new focus is likely to be on emerging areas of concern regarding the misuse and misallocation of consumer data as well as the unauthorized disclosure or sale of consumer data. This is not surprising, as it is in line with other data privacy and security enforcement activities we have seen increase in the United States, in particular by the FTC (see 2019 Security and Privacy Update). Furthermore, we have seen that enforcement actions continue even during Covid-19.

What To Know About An AG Investigation 

Typically, an investigation is triggered by a consumer complaint. When a complaint is filed with the AG, initially the AG does not represent the individual, but it will investigate the allegations and potential violations of consumer rights. These can include violations of a right or obligation under a specific law, but could also be general deceptive or unlawful activities against consumers that fall under a general consumer protection law. However, as mentioned before, AGs do not need to wait for a consumer complaint and can investigate a company based on their own observations.

If the AG determines that action should be taken against the business, they will initiate litigation in-house or may look for support from outside counsel to litigate. 

Although the AG has the main goal of protecting the consumer, they encourage collaboration and the ability to resolve issues without having to conduct an investigation or file an action. For example, the DC AG strongly encourages consumers to resolve the issue prior to contacting the AG, including mediation (see consumer tips here). 

Typical Phases Of An AG Investigation:

  1. Trigger: Investigation is triggered by a consumer complaint or is initiated by the AG (acting independently because elected, or as part of a multi-state coalition).
  2. Notice: The AG sends a letter to the business as notice that activities have been identified as potentially violating the law. 
  3. Response: Business is required to provide a prompt response to the AG’s letter according to the instructions provided and applicable process requirements. 
  4. Pre-Suit Resolution: 
    1. Informal resolution by providing information or materials that satisfy the AG that there is no violation, and the action is closed. 
    2. The AG typically gives the business an opportunity to become compliant and to execute a letter agreement, in which the business agrees to comply with the law. This is typically an Assurance of Voluntary Compliance (AVC) and is usually filed with the court. Under the AVC, the business will be required to stop unlawful practices and agree to not violate the law in the future.
  5. Litigation: If an issue between a consumer and the business is not resolved and the AG determines that action should be taken because they believe there has been a consumer protection violation under the applicable law, then the AG may file an action against the business (depending on the applicable law) in court. 
  6. Fines: If it is a case where the business was engaged in conduct that resulted in financial harm to consumers, then the AG may ask for penalties for each violation (depending on the applicable law) as well as attorneys’ fees and restitution in some cases. In some limited and justified cases, penalties could include payment of investigative costs. 

Key Considerations For Your Business

As attorneys working deeply in the areas of privacy and cybersecurity, our goal is to help our clients avoid regulatory scrutiny. And, here are some key considerations for a business to prepare for, and ideally avoid, an AG investigation: 


  • Take steps to be compliant with potential data privacy obligations 


The best way to prepare is to avoid an investigation entirely by staying up-to-date and compliant with applicable data privacy obligations. Conduct an assessment today to determine your current compliance, and mitigate gaps in your current compliance infrastructure. 


  • Get ahead of an investigation/action (whether brought by consumer, AG or group of AGs) 


You should take steps to forecast/determine what strategy the plaintiffs/AG will take (i.e., based on prior activities, trends, etc). Also, you can look at prior enforcement targets (i.e., consumer protection concerns in data privacy and security) to gauge your company’s potential exposure. 


  • Be prepared to respond


If you have taken steps to get ahead of an investigation, then you will be better prepared to respond to initial inquiries. First, make sure you are prepared to quickly provide information such as details regarding your data processing activities, data storing and sharing activities, data security measures, consumer privacy notices, data subject request procedures, etc. Second, understand the AG investigation requirements for responding and options to resolve pre-litigation.  


  • Take Steps to Become Compliant 


If the intuition of the AG is correct and you are conducting activities that are in violation of the data privacy rights of consumers or in violation of data privacy and security requirements, then take the steps necessary to become compliant and to avoid future non-compliance. 

Being prepared for potential AG enforcement will also put you in a good position to be prepared for any future federal legislation. A number of the AG offices have supported and even participated in proposals of a federal data privacy law (e.g., the most recently proposed Covid-19 privacy law). Understanding the AG offices’ concerns and approach to consumer protection in the area of data privacy in their jurisdictions will better prepare your company for potential federal enforcement measures if and when a federal data privacy law is passed in the near future. 

Start Preparing TODAY to demonstrate your compliance

To effectively mitigate the impact of an Attorney General investigation, it is important to proactively address cyber and privacy compliance. Review your network infrastructure and information governance practices, and then document your efforts to minimize cyber and privacy risk. 

And, if the Attorney General does contact your company, find strong partners who can help you to quickly and effectively address questions and minimize any investigation. Our team at XPAN is prepared to help you to address cyber and privacy liability, both before any enforcement and during any investigation. We walked through all components of an AG investigation and litigation in our Weekly Team Videos (available here). And, remember, luck favors the prepared!

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.