Privacy Regulator Team Bulks Up With 2 More State AG Offices
Adding two more states to the Consortium of Privacy Regulators will increase the multistate enforcement body’s power, lawyers who previously worked for state attorney general offices said Wednesday. Minnesota and New Hampshire AGs joined the group, the California Privacy Protection Agency (CPPA) announced Wednesday.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The bipartisan group now includes 10 enforcers from nine states. Minnesota and New Hampshire, which each had comprehensive privacy laws take effect earlier this year, will join the CPPA and AG offices from California, Colorado, Connecticut, Delaware, Indiana, New Jersey and Oregon.
The additional states boost "the group’s collective investigative resources and negotiating power, should they work together on enforcement activity,” Davis+Gilbert privacy attorney Zachary Klein said in an email to Privacy Daily. Klein previously worked for the New Jersey attorney general’s office.
Kelley Drye’s Paul Singer, an attorney who defends clients facing state AG investigations, said he expects “this consortium will continue to grow as more states expand their privacy authority.” Singer, who worked at the Texas AG office for more than 20 years, said in an email that staff “in these offices have worked together for years, and formalizing this group signals continued cooperation among those offices in identifying trends, modifying legislation, and choosing enforcement targets.”
“It is notable that this group is bipartisan, and continues to bring in both Republicans (New Hampshire) and Democrats (Minnesota),” added Singer. “Despite ongoing increased partisanship in selecting priorities and issues in most areas, privacy enforcement is an area attorneys general remain united on, and I expect that trend to continue.”
After the group was announced April 16, some lawyers speculated it signaled that more enforcement and higher fines could be ahead (see 2506020004).
Outside the auspices of the Consortium, privacy regulators from California, Colorado and Connecticut announced last month that they are jointly sweeping for companies not complying with the Global Privacy Control (GPC).
Singer predicted “more enforcement ‘sweeps’ like we saw from California, Connecticut, and Colorado, but on a larger scale as more states are discussing issues together through the consortium.”
California’s privacy agency looks “forward to collaborating with Minnesota, New Hampshire, and states nationwide as we continue growing our collective privacy enforcement apparatus,” said Michael Macko, CPPA head of enforcement, in a news release. CPPA Executive Director Tom Kemp added, “Collaboration with states across the country makes it easier for us to protect Californians.”
The group was formed “to share expertise and resources, as well as coordinate efforts to investigate potential violations of applicable laws,” said the CPPA news release. “Although each state has its own law, they share fundamental features to protect privacy with rights to access, delete, and stop the sale of personal information, and similar obligations on businesses. These similarities pave the way for like-minded applications across jurisdictions and give the Consortium the ability to work together on a common goal of promoting the privacy rights of consumers.”
“The Consortium holds regular meetings and coordinates enforcement, as appropriate, based on the members’ common interests,” the agency added.
The CPPA noted that New Hampshire AG John Formella (R) last year created a data privacy unit to enforce compliance, while Minnesota AG Keith Ellison is “staffing up his office’s Consumer Protection Division with additional attorneys and an investigator to enforce Minnesota’s new data privacy law.”
“By joining this bipartisan group,” said Formella in his office’s news release, “New Hampshire will strengthen its enforcement efforts and promote better compliance with our privacy law.” Each state will maintain independent authority over its own cases and consumer data, and New Hampshire won’t be required to share private information with other states, the AG’s office noted.
New Hampshire’s data privacy unit is now fully staffed, noted the state office: The unit has opened “multiple privacy investigations, several of which remain ongoing” and issued “several” violation notices during the state law’s cure period, “leading to corrective actions by businesses without the need for litigation.”
Additionally, the unit is doing “proactive compliance reviews of company privacy practices” and responding to consumer complaints, with the most common complaint received relating to deleting personal data, the office said.