A bi-partisan coalition of 33[1] state Attorneys General sent a comment letter[2] to the Federal Trade Commission (FTC) highlighting the risks to consumers from corporate surveillance and data collection. The November 17, 2022, letter was filed as part of the FTC’s Advanced Notice of Proposed Rulemaking on Commercial Surveillance and Data Security.[3] The Attorneys General raised concerns about the collection of particular types of data, including health information, location tracking, and more seemingly innocuous information like calendar appointments. The officials, who are often the top consumer protection officers for their respective states, also highlighted concerns about how the data is stored, sold, and how difficult it is for consumers to opt out of data collection.

This bi-partisan effort comes in a time of increased state-level data privacy enforcement actions.  Virginia,[4] Connecticut,[5] Colorado,[6] Utah,[7] and California[8] all have state laws that protect their citizens’ data security, or have privacy laws taking effect in 2023. And attorneys general have recently brought a series of enforcement efforts that run the gamut of data and company types, including a recent multi-state settlement with Google regarding location tracking, a New York agreement with EyeMed Vision Care LLC, and a settlement between 46 attorneys general and Carnival Cruise Line regarding an “unstructured” data breach. The attorneys general’s attention to “unstructured” data is particularly noteworthy because it focuses on data that is collected and retained in a disorganized fashion, often in email.

Despite the attorneys general’s letter, many businesses will continue to obtain and keep sensitive information in the ordinary course of business. Companies should consider minimizing the data retained, and keeping only that required, while making it easier for consumers to opt out of providing information. The states’ enforcement efforts—and the pending FTC rule-making—suggest that scrutiny of data collection will increase in the future. This will be an area to watch in the new year.

For more information about McGuireWoods’ State Attorneys General Practice, please visit the page here.

[1] The coalition was led by Massachusetts, Connecticut, Illinois, New Jersey, North Carolina, and Oregon, and joined by Arizona, Colorado, Delaware, Washington D.C., Hawaii, Idaho, Indiana, Iowa, Maine, Maryland, Minnesota, Michigan, Montana, Nebraska, Nevada, New Hampshire, New Mexico, New York, Oklahoma, Pennsylvania, Rhode Island, South Carolina, Texas, Utah, Vermont, Washington, and Wisconsin.

[2] https://www.mass.gov/doc/ftc-comments-letter-on-corporate-surveillance/download

[3] https://www.ftc.gov/legal-library/browse/federal-register-notices/commercial-surveillance-data-security-rulemaking

[4] https://lis.virginia.gov/cgi-bin/legp604.exe?211+sum+SB1392

[5] https://www.cga.ct.gov/2022/act/Pa/pdf/2022PA-00015-R00SB-00006-PA.PDF

[6] https://leg.colorado.gov/bills/sb21-190

[7] https://le.utah.gov/~2022/bills/static/SB0227.html

[8] https://oag.ca.gov/privacy/ccpa