Skip to content

All (Privacy) Is Not Lost


By: Mitchell Noordyke, Volume 101 Staff Member

In March, the House and Senate voted to prevent portions of the FCC Privacy Rule from going into effect.[1] This rule would have required more demanding protocol from broadband internet access service and telecommunications service providers to ensure protection of consumer data.[2] It sought greater transparency into service provider privacy practices and prioritized choice for consumers regarding the handling of their data.[3] The striking down of the FCC Privacy Rule is a signal for what the federal government’s approach to privacy will be under the new administration. “Given the . . . presidential administration of Donald Trump and the Republican Party’s control of both Houses of Congress, federal agencies like the FTC and FCC will likely slow down their consumer privacy enforcement efforts.”[4] However, consumers need not rely on federal agencies to protect their privacy, as state attorneys general have played an important role policing privacy and establishing privacy norms in the past and are likely to play a larger role in the future.[5]

Predictions that federal consumer privacy enforcement under a Trump administration would slow have proven to be correct.[6] The response from proponents of consumer privacy and net neutrality regulation to Donald Trump’s appointment of Ajit Pai as chairman of the FCC indicate fear for the fate of consumer privacy.[7] Additionally, acting FTC chairwoman, Maureen Ohlhausen’s, philosophy of “regulatory humility” alludes to a diminished role for the FTC in regulating privacy under the Trump administration.[8] However, the decreased role of federal agencies in the protection of consumer privacy does not mean consumers will be without protection. Instead, those concerned about the future of consumer privacy should look to state attorneys general to take a leadership role in defending privacy.[9]

In a first-of-its-kind summary of the practices employed by state attorneys general, The Privacy Policymaking of State Attorneys General, Danielle Keats Citron explores the “privacy norm entrepreneurship of state attorneys general” and encourages further discussion about state attorneys’ general policymaking while offering future paths forward.[10]

State attorneys general offices have often led the way on privacy issues, not waiting for federal agencies to act before coordinating their own efforts to address the concerns of citizens.[11] Free from bureaucracy, state attorneys general offices have the flexibility and enforcement authority to have a broad impact on privacy regulation within the U.S.[12] Common privacy norms—including the prevalence of accessible privacy policies, notification of data breaches, and consumer choice regarding settings that impact an organization’s ability to track user activity when using applications or services—are the result of sustained efforts by state attorneys general offices.[13] Working independently, or in coordination during multistate efforts,[14] state attorneys general have established norms that form the bedrock of U.S. privacy policy.

Attorneys general have various tools at their disposal to influence privacy policy. Beyond formal methods, like warning letters and enforcement actions under state UDAP laws—which mimic Section 5 of the Federal Trade Commission Act—they can utilize softer methods of persuasion by establishing task forces or partnering with experts to establish best practices.[15] “[I]t is more efficient to help companies ensure their privacy and security policies comply with the law than to catch them after they have broken it.”[16] Publicity has also been an effective way for attorneys general to influence company behavior regarding privacy. California Attorney General Kamala Harris drew an immediate response from United Airlines when she used her Twitter account to tweet, “Fabulous app, @UnitedAirlines, but where is your app’s #privacy policy?”[17] Within one day United Airlines made a mobile privacy policy available.[18] Further, in a concerted effort to achieve “surprise minimization,” Harris’s office was credited with playing a major role in increasing the number of mobile applications in the Apple App Store with privacy policies from forty percent to eighty-four percent from September 2011 to June 2012.[19]

Not only can state attorneys general offices move more nimbly than their federal counterparts in response to changing privacy concerns, they are positioned to respond to local matters.[20] As “the first to see and understand the cons and conmen working their way through the system, receiving and fielding consumer complaints about everything . . . . [They] often see problems consumers are facing before [the FTC] . . . .”[21] These local matters soon develop into specialties that allow states to act as bellwethers for the industries in which they specialize.[22] For example, California has developed a specialty responding to privacy issues in the technology sector, Massachusetts and Connecticut have particular strength in health privacy and data security matters, and New York specializes in financial sector privacy.[23]

State attorneys general offices have played an active role developing the privacy standards the U.S. enjoys today. Though subject to less fanfare than federal agencies, their impact should not be overlooked. Critiques to state attorneys general privacy action fear a “pile-up” effect in which organizations face “all 50 attorneys general [jumping] on [them] separately.”[24] However, this has been shown to be an “illusion” due to limited resources and “AG offices [looking] for partners to share the burden of litigation.”[25] With a history of success protecting privacy, a broad tool belt for enforcement, and valuable specialties in high-interest industries, state attorneys general will likely play a more prominent role in U.S. privacy regulation under the current political conditions.

  1. S.J. Res. 34, 115th Cong. (as passed by House, Mar. 28, 2017).
  2. Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, 81 Fed. Reg. 87,274, 87,274–276 (Oct. 27, 2016) (to be codified at 47 C.F.R. pt. 64).
  3. Id.; see also Ronald Waclawski, Looking Back at the FCC’s Privacy Rules, Minn. L. Rev. De Novo (Apr. 18, 2017), (detailing the content of the FCC Privacy Rule, the FCC’s move to block its enactment under new FCC chairman Ajit Pai, and the industry response to the Rule).
  4. Danielle Keats Citron, The Privacy Policymaking of State Attorneys General, 92 Notre Dame L. Rev. 747, 750 n.12 (2016).
  5. See id. at 811 (concluding that “[s]tate attorneys general have played a critical role in U.S. privacy law” and urging for more action in the future).
  6. Daniel Cooper, Trump’s FCC Head Is Doing Exactly What We Expected: A Summary of Ajit Pai’s First Two Weeks as Head of the FCC, Engadget (Feb. 9, 2017), (summarizing Pai’s activities during his first two weeks as Chairman, which included beginning “the process of undermining the principles of net neutrality” and cancelling the FCC’s zero rating investigation).
  7. See, e.g., id.; Jacob Kastrenakes, Trump’s New FCC Chief Is Ajit Pai, and He Wants To Destroy Net Neutrality, The Verge (Jan. 23, 2017), But cf. Harold Furchtgott-Roth, President Trump Designates Ajit Pai As Chairman of FCC, Forbes (Jan. 22, 2017), (approving of Pai’s appointment due to the author’s perception that Pai will push for more deregulation). Pai has a track record of opposition to net neutrality and consumer privacy regulation. See Brian Fung, Trump Taps Net Neutrality Critic To Lead the FCC, Wash. Post (Jan. 23, 2017), (emphasizing Pai’s recent opposition to FCC net neutrality and consumer privacy decisions).
  8. See Remarks by FTC Commissioner Maureen K. Ohlhausen, Antitrust Policy for a New Administration, Jan. 24, 2017,
  9. The author does not seek to diminish state attorneys’ general already impactful role in protecting privacy.
  10. See Keats Citron, supra, note 4, at 748, 811.
  11. See id. at 752–85 (2016) (summarizing the efforts made by state attorneys general to address a wide array of privacy-related issues). “State attorneys general have been on the front lines of privacy enforcement since before the intervention of federal agencies. In the 1990s, while the Federal Trade Commission (FTC) was emphasizing self-regulation, state attorneys general were arguing that consumer protection laws required the adoption of Fair Information Practice Principles (FIPPs).” Id. at 749 (citing Denise Gellene, Chalk One Up for Privacy: American Express Will Inform Cardholders That It Sorts Them for Sales Pitches, L.A. Times (May 14, 1992),; Chris Woodyard, Lungren Joins Suit Accusing TRW of “Illegal Practices”, L.A. Times (July 9, 1991),; Telephone Interview with Susan Henrichsen, Cal. Assistant Att’y Gen. 1990-2005 (July 14, 2015); Chris Oakes, Michigan Warns Sites on Privacy, Wired (June 14, 2000),; Dee-Ann Durbin, Privacy Rights on Web Sought: State Attorneys General Take Lead on Privacy, Ledger (Feb. 10, 2001),,6993124&hl=en).
  12. Id. at 750.
  13. Id. at 763–71. State attorneys general are also responsible for norms pertaining to use restrictions, sexual privacy, youth privacy, and telephone privacy. Id. at 771–77.
  14. Id. at 755 (recognizing California, Connecticut, Illinois, Indiana, Maryland, Massachusetts, New Jersey, New York, North Carolina, Ohio, Pennsylvania, Texas, Vermont, and Washington as “a core group of states [that] have taken the lead on privacy enforcement . . . .”). Twenty-seven states have joined multistate enforcement efforts in the past five years. Id. at 757.
  15. Id. at 753–54, 759–60.
  16. Id. at 760 (quoting Connecticut Attorney General George Jepsen).
  17. Kamala Harris (@KamalaHarris), Twitter (Oct. 12, 2012, 8:27 AM),
  18. Keats Citron, supra note 4, at 766.
  19. Annie Bai & John Kennedy, Apps Gone Wild? The FTC and California AG Seek To Rein in Mobile App Privacy Practices, Int’l Ass’n of Privacy Profs.: The Privacy Advisor (Mar. 1, 2013),
  20. See Keats Citron, supra note 4, at 786.
  21. Id.
  22. See id. at 786-88 (describing the different industry-specific privacy specialties develop by state attorneys general).
  23. Id.
  24. Id. at 796 (quoting Sara Cable, Assistant Attorney General of Massachusetts).
  25. Id. at 796.