Leading consumer brands are facing increased and often highly politicized scrutiny from state attorneys general and other state regulators. The landscape of state AG complaints, investigations, and litigation is evolving rapidly, and it can be challenging to keep pace with shifting enforcement priorities. Jenner & Block’s State Enforcement and Regulation practice is closely tracking these issues to help clients understand the latest developments and navigate the inherent business and reputational risks.

In this State AG Update, we look at state AG enforcement priorities concerning data privacy laws, with a focus on companies doing business in California, Colorado, Connecticut, and Virginia. We also briefly explore the willingness by state AGs to leverage state consumer protection laws to probe corporate ESG efforts. Lastly, we summarize the status of challenges to controversial laws that would regulate how large social media companies moderate content posted on their sites.

State AG Enforcement Priorities of Data Privacy Laws

Michelle Kallen and Daniel Echeverri

Comprehensive data privacy laws have been a highlight of 2023. Since the beginning of this year, three states’ comprehensive data privacy laws have taken effect (Colorado, Connecticut, and Virginia), along with amendments to California’s first-in-the-nation law, and a fifth (Utah) is coming at the end of December. And over the course of this year, seven more states have passed their own laws which will take effect over the next 24 months. These laws create certain privacy rights for consumers, including the right to opt-out of targeted advertising, and require businesses to inform consumers about their data privacy practices, assess risks of certain data processing, and enable consumers to exercise their privacy rights. Nearly all these laws delegate enforcement authority to the state’s attorney general,^[1] and thus, a key aspect of understanding the on-the-ground effect of these privacy laws depends on the enforcement priorities of the respective AG. This article highlights statements from the State AGs of the four states with data privacy laws currently in effect regarding how they are approaching enforcement.

California. California was the first state to enact a comprehensive data privacy law, passing the California Consumer Privacy Act (CCPA) in 2018. California voters amended the California Privacy Rights Act. AG Bonta has thus had a head start on enforcement, which included an “investigative sweep” in January 2022 of businesses with loyalty programs for potential violations of the CCPA’s requirements for financial incentives in exchange for personal information.^[2] In fact, AG Bonta is the first and only State AG so far who has publicly announced an enforcement action under a state comprehensive privacy law. In August 2022, AG Bonta entered into a $1.2 million settlement with cosmetics retailer Sephora for alleged violations of the CCPA; the violations at issue included: failing to disclose that the company sold personal information and not providing consumer opt-out rights or processing certain consumer opt-out requests.^[3] Specifically, AG Bonta’s suit focused on Sephora’s failure to implement the Global Privacy Control (GPC), a signal-based browser setting that allows users to automatically send opt-out requests to a website.^[4] AG Bonta also announced an “investigative sweep” focused on popular apps in the retail, travel, and food service industries and their compliance with the CCPA’s requirement to honor consumer’s opt-out rights, including the use of the GPC, and processing the exercise of these consumer rights through an agent.^[5] Most recently, AG Bonta announced^[6] he had sent inquiries this summer to various large businesses in California regarding their compliance with provisions in the CCPA governing employee and job applicant data—unlike other states, California does not exempt employee data from the requirements of its privacy law.^[7] The Sephora enforcement action and AG Bonta’s recent inquiries demonstrate that his office is particularly focused on the opt-out right and the GPC.

Colorado. The Colorado Privacy Act (CPA) went into effect in July. But AG Phil Weiser has made it clear since early in his tenure that data privacy and security is a priority.^[8] And in anticipation of the CPA’s effect, AG Weiser made clear that his focus would be “willing noncompliance” rather than violations that occur despite “good faith, well-intentioned compliance.”^[9] In the months before the CPA took effect, AG Phil Weiser led a rulemaking proceeding to draft and refine the implementing regulations, which also went into effect in July.^[10] As part of this process, AG Weiser released a list of “considerations” that highlighted areas of interests for his office, including: (1) a universal opt-out mechanism, like GPC; (2) consumer consent; (3) standards for assessing dark pattern and other deceptive design choices; (4) data protection assessments; (5) the use of profiling; (6) how to provide opinion letters and interpretive guidance; and (7) offline data collection.^[11] The final regulations provide detailed compliance obligations under the CPA, including the requirement to honor a universal opt-out mechanism, like GPC, and to conduct data impact assessments for certain types of “higher risk” data processing. Within weeks of the CPA and the accompanying regulations taking effect, AG Weiser sent a series of letters to businesses regarding the beginning of CPA enforcement.^[12] These initial letters were not inquiry letters or other investigative requests—instead AG Weiser’s letters informed businesses of the beginning of enforcement and the various obligations if the company is subject to the CPA as a business, a data broker, or processes sensitive data.^[13] Since these informational letters, however, AG Weiser has not publicly announced any inquiries or enforcement actions. AG Weiser’s significant work on the regulations and his focus on directly informing businesses of their obligations under the CPA indicates his keen interest in the CPA.

Connecticut. Connecticut AG William Tong has taken some initial actions with respect to the Connecticut Data Privacy Act (CTDPA). In anticipation of the law, AG Tong issued a press release regarding the consumer rights and businesses’ obligations under the CTDPA.^[14] And in an interview, AG Tong noted that he would pay particular attention to healthcare data privacy and that he would take a more proactive stance of “ensur[ing] that privacy policies and practices comply with the law and are clear to consumers” before a violation has occurred.^[15] Once the law went into effect, AG Tong published a frequently asked questions page on his official website on the CTDPA.^[16] The Connecticut AG’s office also has a dedicated privacy and data security department, which predated the CTDPA, but now serves as the central hub for enforcement. AG Tong has also issued letters of inquiry to some companies in connection with the CTDPA—most recently, AG Tong sent a letter to 23andMe regarding a data breach, wherein he noted that the breach “calls into question 23andMe’s compliance with the [CTDPA]” and requested information regarding 23andMe’s compliance with the law.^[17] With a focus on health data, AG Tong has taken steps to begin bringing the weight of his office behind the CTDPA.

Virginia. Virginia AG Jason Miyares has remained quiet regarding the Virginia Consumer Data Protection Act (VCDPA). AG Miyares issued a press release in February of this year, a month after the VCDPA went into effect, which provided an overview of the consumer data privacy rights under the law.^[18] As AG Miyares has not yet provided any insight into their enforcement, Virginia remains a sleeping giant regarding its approach to its data privacy law.

State AG ESG Investigations

Michelle Kallen and Christopher Blythe

Over the last year, Republican state Attorneys General have scrutinized financial institutions’ net-zero pledges and membership with net-zero coalitions, specifically against signatories to five sector-specific Alliances of the Glasgow Financial Alliance for Net Zero (GFANZ). The five sector-specific alliances include: the Net-Zero Banking Alliance (NZBA), the Net-Zero Insurance Alliance (NZIA), the Net Zero Asset Owner Alliance (NZAOA), the Net Zero Managers initiative (NZAM), and the Net Zero Financial Service Providers Alliance (NZFSPA).

On October 19, 2022, 19 State AGs launched a coordinated investigation by issuing CIDs to six major US banks, seeking information related to the banks’ membership in NZBA. On May 15, 2023, twenty-two State AGs sent a letter to several insurance companies that are members of NZIA and NZAOA, warning that the companies’ ESG policies may violate the antitrust laws. On March 30, 2023, 21 State AGs sent a letter to 53 investment fund managers criticizing their ESG efforts as members of NZAM and Climate Action 100+.

Most recently, on September 13, 2023, 22 State AGs sent a letter to the signatories of NZFSPA, alleging the coalition’s global goal of net-zero greenhouse gas emissions by 2050 could represent antitrust and consumer protection law violations. The letter claimed the signatories to the alliance’s pledge wield enough combined market power to potentially pressure other companies to comply with the organization’s “policy preferences,” and sought additional information from the letter recipients.

Even without litigation, these letters and CIDs reflect a willingness by state AGs to leverage state consumer protection laws to probe corporate ESG efforts.

State AGs Defending Social Media Restrictions

Michelle Kallen and Christopher Blythe

The Supreme Court agreed to weigh in on the constitutionality of controversial laws in Texas and Florida that would regulate how large social media companies moderate content posted on their sites.^[1] The Florida law, commonly called the “Stop Social Media Censorship Act,” bars social-media platforms from banning political candidates and journalistic enterprises. NetChoice (an organization comprised of a coalition of trade associations, eCommerce businesses, and online consumers) challenged the law and sought preliminary injunctive relief, which the district court granted.^[2]

Reviewing Florida’s law, the Eleventh Circuit affirmed in part and reversed in part. The Eleventh Circuit held that “[w]hen platforms choose to remove users or posts, deprioritize content in viewers’ feeds or search results, or sanction breaches of their community standards, they engage in First-Amendment-protected activity.”^[3] The Fifth Circuit, however, departed from the Eleventh Circuit’s reasoning in Moody, and upheld Texas’s law. Texas’s HB 20 bars social-media platforms with at least 50 million active users from blocking, removing, or “demonetizing” content based on the users’ views. The law also prohibits social media companies from removing hate speech, political disinformation, violent videos, and other harmful content. In September 2022, the Fifth Circuit rejected NetChoice’s argument that content moderation involves protected speech. The Fifth Circuit held that the statute neither compelled the host to speak nor did it restrict the host’s own speech.^[4]

NetChoice filed a petition for certiorari in the Supreme Court, asking the justices to weigh in. Texas agreed that the Court should grant review, and it urged the justices to consider both the Texas and Florida laws. As states enact legislation regulating online activity, the Court’s consideration of the NetChoice cases will provide insight into the constitutional boundaries of such regulation.

Footnotes

State AG Enforcement Priorities of Data Privacy Laws

[1] California has split enforcement between the California AG and its new privacy agency, the California Privacy Protection Agency. See Cal. Civ. Code §§ 1798.155, 1798.199.90.

[2] https://oag.ca.gov/news/press-releases/data-privacy-day-attorney-general-bonta-puts-businesses-operating-loyalty (Jan. 28, 2022).

[3] People v. Sephora USA, Inc., No. CGC-22-601380, Final Judgment and Permanent Injunction (S.F. Sup. Ct. Aug. 24, 2022).

[4] See People v. Sephora USA, Inc., No. CGC-22-601380, Compl. ¶¶ 15–16 (S.F. Sup. Ct. Aug. 24, 2022).

[5] https://oag.ca.gov/news/press-releases/ahead-data-privacy-day-attorney-general-bonta-focuses-mobile-applications%E2%80%99 (Jan. 27, 2023).

[6] https://oag.ca.gov/news/press-releases/attorney-general-bonta-seeks-information-california-employers-compliance (July 14, 2023).

[7] See Cal. Civ. Code § 1798.145(m)(4) (previous exemption for employee and job applicant sunset on January 1, 2023).

[8] See https://coag.gov/blog-post/prepared-remarks-attorney-general-phil-weiser-on-the-way-forward-on-data-privacy-and-data-security-jan-28-2022/ (Jan. 28, 2022).

[9] https://iapp.org/news/a/colorado-attorney-general-details-his-cpa-enforcement-priorities-at-iapp-gps22/ (Apr. 13, 2022).

[10] See 4 CCR 904-3.

[11] https://coag.gov/app/uploads/2022/04/Pre-Rulemaking-Considerations-for-the-Colorado-Privacy-Act.pdf (Apr. 2022).

[12] https://coag.gov/press-releases/attorney-general-phil-weiser-launches-enforcement-of-colorado-privacy-act (July 12, 2023).

[13] See, e.g., https://coag.gov/app/uploads/2023/07/Letter-1_CPANoticeOfApplication-Colorado-Companies-2.pdf; https://coag.gov/app/uploads/2023/07/Letter-1_CPANoticeOfApplication-Data-Brokers-2.pdf; https://coag.gov/app/uploads/2023/07/Letter-1_CPANoticeOfApplication-Sensitive-Data.pdf.

[14] https://portal.ct.gov/AG/Press-Releases/2023-Press-Releases/AG-Tong-Advises-Connecticut-Consumers-of-Upcoming-Rights-Under-the-Connecticut-Data-Privacy-Act (June 5, 2023).

[15] https://iapp.org/news/a/attorney-general-tong-on-enforcement-priorities-and-the-evolving-legislative-landscape-in-conn/ (Apr. 27, 2021).

[16] https://portal.ct.gov/AG/Sections/Privacy/The-Connecticut-Data-Privacy-Act.

[17] https://portal.ct.gov/-/media/AG/Press_Releases/2023/10-30-2023-William-Tong--23andMe-Inc-Inquiry-Letter-final-002.pdf (Oct. 30, 2023).

[18] https://www.oag.state.va.us/media-center/news-releases/2542-february-13-2023-attorney-general-miyares-highlights-virginians-new-data-protection-rights (Feb. 13, 2023).

State AGs Defending Social Media Restrictions

[1] NetChoice v. Paxton, No. 22-555 (Texas law); Moody v. NetChoice, No. 22-277 (Florida law).

[2] NetChoice, LLC v. Moody, 546 F. Supp. 3d 1082 (N.D. Fla. 2021), aff’d in part, vacated in part, remanded sub nom. NetChoice, LLC v. Att’y Gen., Fla., 34 F.4th 1196 (11th Cir. 2022), cert. granted in part sub nom. Moody v. NetChoice, LLC, No. 22-277, 2023 WL 6319654 (U.S. Sept. 29, 2023), and cert. denied sub nom., NetChoice v. Moody, No. 22-393, 2023 WL 6377782 (U.S. Oct. 2, 2023)

[3] Id. at 1213. The Eleventh Circuit also held that the online platforms’ content-moderation practices constitute inherently expressive conduct protected by the First Amendment. Id. at 1212.

[4] NetChoice, LLC v. Paxton, 49 F.4th 439, 459 (5th Cir. 2022), cert. granted in part sub nom. NetChoice, LLC v. Paxton, No. 22-555, 2023 WL 6319650 (U.S. Sept. 29, 2023).

[View source.]