Morrison Foerster’s State and Local Government Task Force is pleased to provide our bimonthly newsletter summarizing some of the most important and interesting developments from state attorneys general across the country and local government agencies and legislative bodies, with links to primary resources. This month’s topics include the following:

• New York attorney general (NYAG) announces legislation to strengthen regulations on the cryptocurrency industry
• Texas passes a new data privacy law
• State attorneys general urge adoption of standards to create “trustworthy” Artificial Intelligence (AI)
• State attorneys general call for recall on vehicles that are highly susceptible to theft
• NYAG and California attorney general commence an investigation into alleged employment discrimination practices by the National Football League

1. The NYAG Proposes the Crypto Regulation, Protection, Transparency, and Oversight (CRPTO) Act

In early May, New York Attorney General Letitia James announced proposed legislation, the CRPTO Act, that her office characterized as “the strongest and most comprehensive set of regulations on cryptocurrency in the nation.” The CRPTO Act would create additional regulation on the digital asset industry and would grant the NYAG specific enforcement authority with the power to seek civil penalties. The proposed legislation also would increase the authority of the New York State Department of Financial Services to regulate digital assets. More specifically, the CRPTO Act:

• Imposes regulations designed to address potential conflicts of interest by prohibiting the following:
  • Common ownership of “crypto issuers, marketplaces, brokers, and investment advisers”
  • Trading by brokers or marketplaces for their own accounts
  • Custody of customer funds by marketplaces and investment advisors
  • Borrowing or lending customer assets by brokers
  • Referrals from marketplaces to investment services for compensation
• Requires additional public disclosures and transparency measures, including:
  • Mandatory independent auditing and publication of audited financial statements
  • Disclosure of material information, including risks and conflict-of-interest disclosures
  • Establishment and publication of listing standards for marketplaces
  • Registration requirements for “promoters” as well as reporting requirements of an interest they have in entities whose crypt assets they promote
• Increases protections for individuals who purchase digital assets by:
  • Enacting and codifying “know-your-customer” (KYC) provisions, requiring brokers know essential facts about their customers and requiring crypto brokers and marketplaces to only conduct business with firms that comply with KYC provisions
  • Banning the use of the term “stablecoin” to describe or market digital assets, unless the assets are backed on a one-to-one basis with U.S. currency or high‑quality liquid assets, as defined in federal regulations
  • Requiring platforms to reimburse customers who are the victims of unauthorized asset transfers and transfers resulting from fraud

The proposed CRPTO Act reflects the NYAG’s ongoing focus on regulating and bringing enforcement actions in connection with digital assets. For instance, also in May, the NYAG announced a $4.3 million settlement with Coin Cafe, a bitcoin platform that was accused of defrauding investors. In the absence of definitive federal guidance on regulating the digital asset industry, state actors like the NYAG should be expected to continue to be very active in both the enforcement and legislative space.

2.Texas Legislature Newest State to Pass Broad Consumer Data Privacy Bill

On June 18, 2023, Texas became the 11th U.S. state to enact a state privacy law, which will take effect on July 1, 2024. The Texas Data Privacy and Security Act (TDPSA) is similar in scope to the existing Virginia Consumer Data Protection Act with respect to business obligations and consumer rights. However, the TDPSA differs in scope from other states’ privacy statutes in that it does not contain a minimum threshold for corporate revenue or affected consumers before a cause can be brought.

The TDPSA defines a broad range of individuals and business as “controllers” under the statutes. The statute defines a controller as an individual or entity that determines the purpose and means of processing personal data. Under the statute, controllers need to abide by the following practices and take the following actions:

• Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer
• Establish, implement, and maintain reasonable data security practices that are appropriate to the volume and nature of the personal data at issue
• Follow data minimization practices so no unnecessary data is collected
• Complete data protection assessments for some processing activities, e.g., those involving the sale of personal data, processing of sensitive data, or processing that presents a heightened risk of harm to consumers (including for purposes of targeted advertising)
  • Notably, the statute does not provide significant detail on the required content or form of such assessment, although it requires the assessment to engage in a risk/benefit analysis, comparing potential benefits to consumers from data processing to the risks associated with the processing

The TDSPA enumerates certain rights for consumers, including the following:

• The right to know whether a “controller” is processing one’s data
• The right to receive a portable copy of one’s personal data
• The right to request deletion of personal data or correction of inaccurate data
• The right to opt out of sales of personal data and targeted advertising
• The right to appeal refusal of any of these requests

As with most other state privacy laws, the TDPSA does not include a private right of action. The Texas Attorney General has the exclusive authority to enforce the TDSPA and provides a 30-day cure period for violations. If a violation is not cured within 30 days, then civil penalties of up to $7,500 per violation and/or injunctive relief may be imposed on the violating party.

Two weeks before the TDSPA passed, Texas Governor Greg Abbott signed Senate Bill 768, which tightened Texas’ data breach notification law. The bill amended Texas’s notification requirements relating to data breaches, which previously required persons to notify the Texas attorney general within 60 days of discovering a breach affecting more than 250 Texas residents. The amendment shortened the 60-day window to “as soon as practicable and not later than 30 days” and also requires such persons to submit the notification via an electronic form on the Texas attorney general’s website.

3. State Attorneys General Urge Implementation of Federal Standards for AI

On June 13, 2023, Connecticut Attorney General William Tong and a bipartisan coalition of 22 additional state attorneys general provided comments to the National Telecommunications and Information Administration (NTIA) on proposed AI system accountability measures and policies.[1] The NTIA had requested public comments to assist it in drafting and issuing a report on “AI Accountability” aimed at advancing “trustworthy” AI.

In response, the state attorneys general urged a risk-based on approach to any proposed regulation, noting the challenges of a prescriptive approach given the rapidly changing AI landscape. More specifically, the state attorneys general urged the following:

• The NTIA and/or the National Institute of Standards and Technology should develop consistent criteria and standards for testing and auditing AI systems
• Such standards should be transparent to the public and should be independently developed
• A regime of both internal audits and impact assessment and required external third‑party audits should be developed

The letter also noted that, as any federal regulatory regime is developed, state attorneys general should maintain concurrent enforcement authority. They noted that the state attorneys generals often are the offices to which consumers turn to raise concerns and complaints, and thus need to be able to address those complaints and take action on discrete cases. Further, the state attorneys general noted that states already are actively legislating on data privacy issues that will be impacted by AI issues and thus expanding the available resources to identify and combat those issues is necessary.

Given the pace at which AI is developing and what appears to be a bipartisan consensus that additional regulation is necessary (even if there is not yet agreement on the substance of any such regulation), it is likely that states will play an active role in the coming months, as efforts are made to create a regulatory framework for AI. As noted in the state attorneys general’s letter, state attorneys general’s offices are often the first line of defense on consumer protection matters. As such challenges emerge to potential risks and/or harms caused by AI, it is very likely that those offices will be active participants in the enforcement actions that emerge.

4. State Attorneys General and Local Police Take Action to Address Theft-Prone Cars

In late April 2023, a group of 18 state attorneys general sent a letter to the National Highway Traffic Safety Administration (NHTSA) urging a recall of certain models of Hyundai and Kia automobiles whose “easily‑bypassed ignition switches” have made them vulnerable to theft.[2] The group, led by California Attorney General Rob Bonta, noted that this vulnerability allows those vehicles to be hotwired and stolen in a matter of minutes and thefts across the country had “led to at least eight deaths, numerous injuries and property damage.” Notably, this vehicle vulnerability was exposed in a viral social media trend on TikTok, which popularized the trend and caused a surge in stolen cars. The state attorneys general voiced concern that the thefts associated with these vehicles were diverting resources from public safety agencies that have been required to respond to this issue.

The state attorneys general acknowledged in the letter that Hyundai and Kia announced that they will offer software updates for certain affected vehicles but claimed that such response was “insufficient” and did “not adequately remedy the safety concerns.” More specifically, the state attorneys general expressed concerns that the software update could take months to complete and might not be successfully implemented on certain affected vehicles.

Further, the state attorneys general alleged that the affected Hyundai and Kia models lack engine immobilizers, which operate as antitheft devices that provide “a second line of defense against theft by preventing vehicles from being started unless a unique code is transmitted form the vehicle key.” They further noted that immobilizers have been the industry standard for years and that the failure of Hyundai and Kia to include them on certain vehicles has left those vehicles vulnerable to theft. As such, the state attorneys general contended that a proposed remedial voluntary service campaign is insufficient to address the risk presented by these vehicles and thus called on the NHTSA to order a recall (or work with the companies to conduct a voluntary recall) of impacted vehicles produced by Hyundai and Kia in order to protect consumers.

The concerns expressed by state attorneys general have been echoed by local police departments. In early July, the New York City Police Department (NYPD) announced that it was taking the unprecedented step of establishing a specialized unit focused on investigating car thefts, with a particular focus on two areas in New York City (the Bronx and Queens) that have seen a significant uptick in car thefts. The NYPD attributed the increase specifically to thefts of certain models of Hyundai and Kia vehicles and noted that the dedicated unit would focus on building cases that could be prosecuted by district attorneys’ offices throughout New York City.

5. State Attorneys General Launch Investigation into NFL

In May 2023, the state attorneys general of California and New York announced a joint investigation into the National Football League (NFL) on alleged racial and gender-based employment discrimination and creation of a potentially hostile work environment. These two state attorneys general indicated that their investigation was focused on potential violations of federal and state pay equity laws and anti-discrimination statutes.

The investigation follows public reporting of allegations made by former employees relating to instances of sex and racial discrimination. This investigation, which has included the issuance of a civil subpoenas, follows an April 2022 letter to the NFL, signed by six state attorneys general, expressing “grave concerns” about the allegations of a hostile workplace culture towards women in NFL workplaces.

That announcement and the recent investigation signal the continued willingness of state attorneys general, and particularly those with active affirmative bureaus such as New York and California, to open investigations into matters where media reporting and private litigants’ complaints have identified potential areas for investigation. Further, where, as here, the investigations are civil in nature and thus not subject to grand jury non-disclosure requirements, the investigations may proceed in the public eye despite the lack of any findings that violations of law occurred.

[1] The letter was signed by the state attorneys general of Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Illinois, Maine, Minnesota, Nevada, New Jersey, New York, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, South Dakota, the U.S. Virgin Islands, Tennessee, Vermont, Virginia, and the District of Columbia.

[2] The letter was signed by the State Attorneys General of Arizona, California, Colorado, Connecticut, Illinois, Massachusetts, Maryland, Michigan, Minnesota, New Jersey, New Mexico, New York, Oregon, Pennsylvania, Rhode Island, Vermont, Washington, and the District of Columbia.

[View source.]