State AG Monitor

AGs Continue Focus on Data Privacy

By Bernard Nash , Divonne Smoyer , and Aaron R. Lancaster on Posted in Data Privacy, State AGs in the News

Even in the midst of high-profile activities like the national mortgage settlement and the U.S. Supreme Court argument over challenges by States (among others) to the “Obamacare” health care law, AGs still have time to continue their focus on data privacy, which remains a hot-button issue.

For example, numerous AGs recently have been investigating a variety of Google’s privacy practices, suggesting that AGs doubt that Google is living up to its corporate motto (“Don’t be evil”). More than three dozen AGs sent a letter to Google last month outlining concerns with newly announced changes to Google’s privacy policy, which allow Google to combine users’ personal information across all Google platforms, with no opt-out option. More recently, a group of AGs (led by New York AG Eric Schneiderman and Connecticut (CT) AG George Jepsen) started investigating Google for bypassing the privacy settings of users of Apple’s Safari Web browser, allowing Google to track their Web browsing activity.

Individual AGs also have been very active in data privacy efforts, none more so than California AG Kamala Harris. In late February, AG Harris announced a sweeping agreement with the six largest mobile app distributors (Google, Apple, RIM, Hewlett-Packard, Amazon and Microsoft), requiring all apps distributed on their platforms to have privacy policies, to allow app purchasers to review the privacy policies before purchase, and to require app developers to disclose to consumers what private information they collect, how they use and with whom they share it. More recently, AG Harris entered into an agreement with three of the largest online dating services (eHarmony, Match.com and Spark Networks), under which the companies will use a variety of online tools to protect members, including checking subscribers against sex offender registries and providing a rapid reporting system for abuse (including physical safety concerns and fraud).

Other AGs who have been very active in this area recently include:

  • CT AG Jepsen, who recently entered into settlements with MetLife (in late January) and Wells Fargo (in early February) as a result of large data breaches and who is continuing investigations into data breaches suffered by Central Connecticut State University and the CT Department of Labor;
  • Illinois AG Lisa Madigan, whose office just released guidance on complying with the State’s information and security breach notification laws. The guidance, much like that issued by Vermont AG Bill Sorrell’s office, suggests that companies that experience data breaches should notify the AG’s office and affected consumers despite the absence of a legal requirement to do so; and
  • Maryland AG Doug Gansler, whose 2012-2013 NAAG Presidential Initiative will focus on protecting  personal information privacy, particularly financial data and the use of personal data for marketing.

Companies that hold consumers’ personal data should take note of this recent activity and ensure that they: have robust privacy policies in place; maintain and enforce those policies strictly; and are cognizant not only of their obligations under federal law, but also of  state data privacy laws.