Morrison Foerster’s State + Local Government team is pleased to provide our bimonthly newsletter summarizing some of the most important and interesting developments from state attorneys general across the country, with links to primary resources, as well as local government agencies and legislative bodies. This edition’s topics include:

• Nearly identical enforcement actions brought by the New York attorney general against two cryptocurrency trading platforms.
• Pressure from state attorneys general on pharmacies related to the U.S. Food and Drug Administration rules on dispensing mifepristone.
• State attorneys general push for transparency regarding corporate ownership.
• Iowa’s recently enacted statewide privacy legislation.
• Increased scrutiny of social media companies related to the impact of certain content on adolescents.

1. The New York State Attorney General’s Continued Focus on Cryptocurrency Enforcement

The intense regulatory scrutiny by the New York state attorney general (NYAG) on digital asset platforms continues unabated. On February 22, 2023, the NYAG filed an enforcement action against a cryptocurrency platform, CoinEx, seeking to enjoin CoinEx from doing business in New York. In that action, the NYAG asserts that CoinEx failed to register as a securities and commodities broker-dealer, as required by New York law. Additionally, the NYAG alleges that CoinEx falsely represented itself as a crypto “exchange” when, in fact, it is not registered with the U.S. Securities and Exchange Commission (SEC) or the Commodity Futures Trading Commission (CFTC) to act in this capacity. The NYAG also claims that its investigators have been able to buy and sell cryptocurrencies on CoinEx in New York, even though CoinEx is unregistered in the state. The lawsuit seeks to permanently enjoin CoinEx from operating in New York through its website and mobile apps. Signaling that more enforcement actions may be forthcoming, Attorney General Letitia James warned that “[t]he days of crypto companies like CoinEx acting like the rules do not apply to them are over.”

On March 9, 2023, the NYAG filed a nearly identical enforcement action against KuCoin, alleging that the crypto trading platform failed to register as a securities and commodities broker-dealer and that it had falsely represented itself as an “exchange.” Similar to its allegations in the CoinEx matter, NYAG investigators purportedly were able to buy and sell KuCoin in New York even though the company was not registered to do business in the state. The NYAG’s action seeks to permanently bar KuCoin from operating in New York through its website and mobile apps. Notably, the NYAG also alleges that Ether (ETH), one of the largest cryptocurrencies available and traded on KuCoin, is a security under both New York law[1] and federal law.[2] The court’s determination as to whether ETH is a security as a matter of law will undoubtedly have broader ramifications beyond the KuCoin matter. Notably, this is the first time a regulatory authority in the United States has taken such a position, and while it is merely an allegation, it reflects an increasingly aggressive posture on the issue of whether cryptocurrencies are, in fact, securities.

2. State Attorneys General Take Opposing Positions on Pharmacies’ Decision to Dispense Abortion-related Medication

In the wake of the Dobbs decision, state Attorneys General actively have engaged with the nation’s large pharmacy chains regarding the dispensing of mifepristone, which is an abortion-related medication. After the U.S. Food and Drug Administration (FDA) announced in January 2023 that it would permit certified retail and online pharmacies to dispense the drug mifepristone, state Attorneys General took opposing positions. The conflicting guidance creates uncertainty and potential legal risk for retail and online pharmacies confronted with inconsistent state guidance.

On February 1, 2023, 20 state Attorneys General[3] sent a letter to CVS and Walgreens stating that they could face legal consequences if they began mailing and dispensing mifepristone, specifically citing potential violations of a federal law that “expressly prohibits using the mail to send or receive any drug that will be used or applied for producing abortion.” A few weeks later, Oregon Attorney General Ellen Rosenblum, joined by a coalition of 23 state Attorneys General,[4] sent a letter to CVS and Walgreens indicating their hope that the pharmacies would offer to dispense mifepristone consistent with state and federal laws.On March 9, 2023, New York’s Governor and Attorney General issued a letter to Walgreens, Rite Aid, and CVS to ask that the pharmacies “commit to making medical abortion available in your retail and mail-order pharmacies.” At the same time, the Governor of California announced that he would not renew a multimillion-dollar contract with Walgreens, following what the Governor’s office characterized as “the company’s preemptive decision not to dispense the abortion medication Mifepristone in 21 states.”

3. State Attorneys General Push for Corporate Transparency

On February 15, 2023, a bipartisan collation of 42 state and territorial attorneys general submitted a letter to provide their comments to the Financial Crimes Enforcement Network (FinCEN) with respect to proposed FinCEN regulations related to corporate ownership transparency. FinCEN’s proposed regulations seek, among other things, to clarify the circumstances in which beneficial ownership information may be accessed by entities authorized to receive data from FinCEN. The purpose of the proposed regulations is to strengthen security and confidentiality protections relating to corporate ownership data collected and maintained by FinCEN. While the attorneys general did not oppose the overall goals of the proposed regulations, they strongly urged FinCEN not to implement regulations that would hinder the access of state, local, and tribal authorities to corporate ownership information, indicating that any such limitations would significantly hinder their national security and anti-corruption enforcement abilities.

• The attorneys general raised concerns that a requirement that they provide “written justification” for their information requests (in addition to securing court authorization) was unnecessarily burdensome, was not supported by a statute, and would result in unwarranted delays.
• The attorneys general also proposed amendments to the proposed regulations to permit them to access FinCEN data for the purposes of administrative enforcement actions (in addition to civil and criminal violations) and to obtain data, as necessary, after a case has been charged (and not solely during the investigative phase).

As understanding information about the beneficial ownership of corporate actors can be relevant to the investigation of financial crimes, the advocacy of the attorneys general on this issue reflects their desire to improve their access to what they view as critical information contained in FinCEN’s data repository.

4. States Continue to Promote Data Privacy Protections

States continue to be active on the legislative, executive rulemaking, and enforcement fronts in promoting privacy and consumer protection with respect to online data. These developments will have a broad impact on e-commerce sites which, in the absence of a uniform federal statute, should monitor state-by-state developments to ensure that their practices comply with the laws of each jurisdiction where they operate.

Legislative

• On March 29, 2023, the governor of Iowa signed into law broad privacy legislation, Senate File 262, which made Iowa the sixth state in the nation (along with California, Colorado, Connecticut, Utah, and Virginia) to enact statewide privacy legislation.
  • The Iowa law does not break new ground, as it largely tracks obligations in other states’ privacy laws.
  • The law provides for a 90-day “cure period” to resolve any deficient practices before any enforcement proceedings can be brought.
  • Notably, the law does not create a private right of action and leaves enforcement of the statute solely to the Iowa attorney general, who can seek injunctive relief and civil penalties up to $7,500 per violation.
  • The law will take effect on January 1, 2025.

• At present, privacy legislation similar to the Iowa statute is pending and has passed at least one legislative chamber in Hawaii, Indiana, Kentucky, Montana, New Jersey, and Oklahoma.

Rulemaking

• On March 15, 2023, the Colorado Attorney General, in conjunction with the Colorado Department of State, finalized rules to implement the Colorado Privacy Act (CPA).
  • Among other things, the CPA rules require a “universal opt-out” mechanism that allows consumers to communicate their decision to opt out of certain data sharing across multiple businesses.
  • The CPA rules include regulations governing automated decision-making or “profiling” and require covered businesses to conduct data protection impact assessments before engaging in certain activities deemed to be of a higher potential risk to consumers.
  • The CPA rules will take effect on July 1, 2023.

5. States Take Aggressive Actions Focused on Social Media and Young Consumers

Social media companies and their impact on adolescents continue to be a significant focus of scrutiny at every level of government. At the state level, social media concerns continue to face litigation and new legislative and enforcement initiatives that will impact the way social media companies do business.

• State Attorneys General Investigation of TikTok: In early March 2023, a bipartisan group of 46 state attorneys general filed an amicus brief in Tennessee state court urging the court to compel the social media company TikTok to provide certain discovery materials sought by the Tennessee attorney general. To reduce the administrative burden on TikTok, the attorneys general have agreed to consolidate their information requests and have such request made by eight designated attorneys general, including the Tennessee attorney general. The attorneys general allege that TikTok failed to provide materials relevant to a nationwide investigation being conducted by multiple state attorneys general into purportedly deceptive trade practices that allegedly are harmful to children and teens.
  • The attorneys general further allege that TikTok has not taken sufficient steps to preserve evidence in the face of various investigative subpoenas and, in particular, has not preserved messages on its internal messaging application.

  • The court’s decision on the motion to compel is pending.

• Utah Legislation: On March 23, 2023, the state of Utah took unprecedented legislative steps to curtail the impact of social media on young users. Two pieces of legislation signed by Utah’s governor provide notable restrictions as outlined below but the legislation is expected to face challenges on First Amendment and other grounds before it becomes effective in March 2024:
  • Prohibiting children under 18 from using social media between the hours of 10:30 p.m. and 6:30 a.m.

  • Requiring age verification for anyone who wants to use social media in the state.

  • Giving parents access to their children’s accounts.

  • Reversing the burden of proof for claims alleging harm caused by social media relating to children under 16, with the companies bearing the burden of proving that their conduct is not harmful.

[1] In re Waldstein, 160 Misc. 763, 767 (Sup. Ct. Albany Cty. 1936) (“any form of instrument used for the purpose of financing and promoting enterprises, and which is designed for investment, is a security”).

[2] SEC v. W.J. Howey Co., 328 U.S. 293, 298-99 (1946) (“an investment contract . . . means a contract, transaction, or scheme whereby a person [1] invests his money [2] in a common enterprise and [3] is led to expect profits solely from the efforts of the promoter or a third party”).

[3] The letter warning of legal consequences for dispensing mifepristone was authored by the Attorney General of Missouri and co-signed by the Attorneys General of Alabama, Alaska, Arkansas, Florida, Georgia, Indiana, Iowa, Kentucky, Louisiana, Mississippi, Montana, North Dakota, Ohio, Oklahoma, South Carolina, South Dakota, Texas, Utah, and West Virginia.

[4] The letter supporting the dispensing of mifepristone was authored by the Attorneys General of Oregon, California, and Washington and co-signed by the Attorneys General of 20 additional states, including Arizona, Colorado, Connecticut, Delaware, the District of Columbia, Hawaii, Illinois, Maine, Maryland, Massachusetts, Michigan, Minnesota, Nevada, New Jersey, New Mexico, New York, North Carolina, Pennsylvania, Rhode Island, and Vermont.

[View source.]