The Attorney General Alliance (AGA) held its Annual Meeting last week in California, which brought AGs and AG staff from 32 states and territories together with the legal and business communities to discuss a wide range of hot button issues, including topics of critical importance to the business community such as artificial intelligence (AI), privacy, cybersecurity, organized retail crime, disruptive technology in healthcare, and more. The breadth and depth of issues discussed reemphasized the role of AGs as the nation’s preeminent consumer protection authorities, and made clear that AGs will have a significant impact in shaping the laws and regulations governing emerging technologies and evolving business models in the years to come.
Key takeaways from the conversations most pertinent to the business community are highlighted below.
AI Regulation is Top of Mind
The AGA meeting devoted two panels specifically to AI, and the topic also was raised in many other discussions. The prominence of AI at this meeting reflects the enormous impact that rapidly-developing AI platforms and technologies already are having on the consumer experience, across business and industry, and on state and federal regulatory priorities.
New Mexico AG Raúl Torrez led a panel on The Evolving World of Consumers’ Data & Privacy, which discussed how to best balance the immense potential benefits of AI with consumer concerns in the areas of privacy, safety, and bias. The panelists discussed growing concerns over the use of consumer data, and how any new regulation of data—whether used by AI platforms or otherwise—should apply not only to data traditionally considered “personally identifiable information,” but also to data that allows tracking and targeting of consumers online such as IP addresses. As one panelist aptly noted, while disclosures are important when it comes to data sharing, companies and other entities that hold consumer data have an obligation to protect that data regardless of consumers’ awareness or depth of understanding.
Next, Kansas AG Kris Kobach moderated a panel on AI and the AG, which discussed other potential harms presented by AI, such as biased decision-making, lack of notice to consumers, spread of misinformation, and intrusions on data privacy. AG Kobach and the panelists also discussed how AGs can best weigh in on AI issues, including recruiting staff with relevant expertise to AG offices and weighing in on pending legislation. The panelists agreed that more proactive regulation of AI is needed, since industry stakeholders are currently forced to rely on prior enforcement actions by AGs and other regulators, rather than clear guidelines.
Notably, such guidelines are in the works—there are reportedly over 800 AI policy initiatives at the nation-state level worldwide. Indeed, the European Parliament recently adopted an AI Act, which includes a risk-based framework spanning across industries, with the goal of finalizing the law by the end of 2023. Domestically, a coalition of 23 AGs recently responded to a request for comment by the National Telecommunications and Information Administration (NTIA) seeking input on AI system accountability measures and policies. In their comment letter, the AGs similarly recommended a risk-based approach calibrated to the categories of data used by a particular AI system, although the signatory AGs shied away from a “prescriptive regulatory regime” and instead supported “commitments to robust transparency, reliable testing and assessment requirements, and after-the-fact enforcement.”
Panelists on both AI panels agreed that while a federal standard would be ideal, it is somewhat unlikely in light of the historical congressional and federal regulatory gridlock on data privacy, so a unified regulatory framework shared among the states would be the next best scenario.
Disruption in Healthcare Presents Opportunities and Challenges
Alaska AG Treg Taylor hosted a panel discussion on The Value of Disruptive Healthcare, in which the panelists discussed the opportunities, risks, and challenges presented by innovations in healthcare. AG Taylor noted that healthcare is a space ripe for disruption, and pro-business state regulators are inclined to interpret laws in a manner that encourages innovation. However, he also warned that traditional consumer protection laws still apply, and disruptive businesses in the space should ask themselves whether their messaging about new services or health outcomes has a tendency to deceive consumers. AG Taylor emphasized the need for compliance specifically with regulations surrounding telemarketing, door-to-door sales, and lending laws (particularly for new lenders who intend to cover healthcare procedure costs not otherwise covered by insurance). Innovators also need to ensure that they do not make marketing statements that are unsubstantiated or mislead customers about FDA approval, and they should refrain from sending confusing or delayed medical bills that front-line employees are unable to explain to consumers.
The panelists acknowledged the inherent tension between AGs’ concurrent roles as consumer protection regulators, antitrust enforcers who appreciate the impact disruption can have on the marketplace, and counsel to state agencies tasked with providing legal advice about how existing regulations may apply to innovative new products and services. However, that tension creates an opportunity for the business community to engage with policymakers and regulators about how best to tackle these issues, including identifying and combatting the bad actors that inevitably emerge in any growing marketplace.
In closing, AG Taylor asked the panelists what they recommend companies in disruptive healthcare—including those using AI—can do to ensure they do not run afoul of consumer protection laws or regulatory roadblocks. Meghan Stoppel, a Member in Cozen O’Connor’s State AG Practice (and a former consumer protection chief in the Nebraska AG’s office), recommended that companies proactively engage with the AG’s office to not only help them understand the product, but also explain which other regulators in the state have jurisdiction, so that the state can gain internal alignment and speak with one voice. AG Taylor agreed with this recommendation, and encouraged companies to reach out to AGs sooner rather than later.
Growing Cybersecurity Threats Call for Increased Prosecutions and Regulatory Partnerships
A signification portion of the AGA meeting focused on emerging cybersecurity threats and how to protect against them. The AGA’s Cybersecurity Subcommittee convened to hold a Cybersecurity Threat Briefing, a Roundtable Discussion on Cyber Legal and Regulatory Landscape, and a workshop on Cyber Prosecutions and Disruption. Additionally, a separate panel was held on Remaining Vigilant as Cybersecurity Threats Escalate.
During the Subcommittee meeting, representatives from the Office of the National Cyber Director, Department of Homeland Security (DHS), DHS’s Cybersecurity and Infrastructure Security Agency (CISA), the U.S. DOJ, the Secret Service, and the FBI participated in robust discussions with South Dakota AG Marty Jackley and Virginia AG Jason Miyares, as well as members of the tech sector. The conversations focused on the sheer volume and diverse array of cybersecurity attacks happening on a daily basis and how partnerships among federal, state, and local government are necessary to defeat cyber adversaries. Unsurprisingly, the panels also referenced AI in terms of both how AI and other emerging technologies may change cyber risk profiles, and how AI can be used to improve cybersecurity tools by enabling software to continuously learn about evolving threats and successful defenses.
In leading the discussion of cyber prosecution, AG Miyares observed that cybercrime is the only crime in modern America where it’s acceptable to blame the victim. In that vein, AG Miyares advised that, in his view, where businesses get into trouble is failing to promptly and effectively notify consumers. The law enforcement officials on the panel agreed that they do not want to be having conversations with the private sector after a cyber crime has already been committed—it’s essential to create those partnerships before experiencing an incident.
Illinois AG Kwame Raoul moderated the panel entitled Remaining Vigilant as Cybersecurity Threats Escalate and warned attendees that they do not want to find themselves at the helm of an organization that is hit with a cyber attack, like the Illinois AG’s office was in 2021. In order to bolster security, the panel of experts recommended that organizations adopt a zero-trust architecture, which is quickly becoming the industry standard approach to cybersecurity and is espoused by states AGs, NIST, and CISA, among others. As one example, Utah has passed legislation encouraging state agencies to implement zero-trust principles. Additional recommendations from the panel included implementing multi-factor authentication or using alternative access methods that do away with passwords altogether.
Bipartisan Efforts to Crack Down on Organized Retail Crime
Georgia AG Chris Carr and Illinois AG Kwame Raoul presided over a meeting of the AGA’s Organized Retail Crime working group, the latest in bipartisan efforts to crack down on this growing area of criminal enterprise that saps billions of dollars from the economy every year. Among other things, the working group discussed the federal INFORM Act, which went into effect on June 27, 2023, and requires online marketplaces to collect, verify, and disclose certain information from high-volume third-party sellers; share certain information with consumers in product listings; and provide methods for consumers to report suspicious activity, among other things. This new federal requirement builds on existing similar laws in a number of states which were enacted prior to the federal law.
Coincidentally (or not), last week California AG Rob Bonta also announced an agreement with retailers and online marketplaces committed to combatting organized retail crime, which intends to advance information-sharing between retailers and with law enforcement to stay ahead of criminal trends. For more detail about actions being taken by state AGs in this emerging area, tune into the recent State AG Pulse podcast episode, Wrangling Acronyms: SAGs, ORC and AI.
Exponential Growth in Online Gaming Prompts Consumer Protection Considerations
Maryland AG Anthony Brown presided over a panel entitled Player’s Club: Emerging Trends in Esports, Fantasy Sports, & Online Gaming, where attendees heard from industry leaders on the constant transformation of the online gaming market and ensuing challenges in protecting intellectual property and the integrity of gameplay. As AG Brown noted, there has been exponential growth of players and consumers in this space, including a boom in online sports betting following the U.S. Supreme Court’s 2018 decision in Murphy v. National Collegiate Athletic Association. Unfortunately, the rise in legal gaming has been accompanied by an uptick in illegal gaming operations.
As the panel experts explained, there is a lot of consumer confusion regarding what is or is not legal, and a key challenge to migrating consumers from illegal platforms to the legal market is to ensure that search engines are not returning search results that include illegal platforms. To that end, the panelists encouraged AGs and other state regulators to take action by sending cease and desist letters; reviewing whether companies are operating with the correct license; bringing civil suits against unlawful actors; issuing consumer alerts; engaging with intermediaries such as search engines; and cooperating with other law enforcement agencies for broader impact.
Further, the sheer volume of consumers participating in these online platforms leads to a huge amount of data being collected in this rapidly growing ecosystem—as with any massive consumer data source, it is imperative that data is adequately protected and used appropriately. Other consumer protection considerations in the space include responsible marketing, particularly with regard to the difficulty of games, the true odds of winning, and education about responsible gaming.
