Photo of Kaelyne Yumul Wietelman

Email
(202) 342-8478
Bio   LinkedIn

Our State AG webinar series continues, this time with Consumer Protection Division Director Kevin Anderson and Deputy General Counsel Daniel Mosteller of the North Carolina Attorney General’s Office (NC AGO). During our webinar, we learned about the office’s structure, consumer protection work as it relates to public health issues, and the tools they have pursuant to the consumer protection laws of North Carolina. In case you missed it, here is a recording of the webinar. We have also recapped what we learned below.

General Office Information

North Carolina elects its attorney general (AG) during the same cycle as the US presidential election. The AG oversees the Consumer Protection Division which also handles antitrust and charities matters. The division has approximately 20 attorneys, plus other staff members. The NC AGO promotes a “two-way dialogue” which takes place between the attorneys in the division and the front office to determine the office’s consumer protection priorities. The AG will set an agenda based on constituent needs. In parallel, the division continually works to spot new consumer protection issues to bring to the AG’s attention.

The NC AGO receives consumer complaints about a range of unfair or deceptive acts conducted within the state. Consumers can file complaints with the office, which in turn, sends the complaints to the businesses at issue, asking for their voluntary response, with the ultimate goal of resolving disputes. Complaint specialists handle these complaints, assisting consumers and businesses with the process, and logging complaints into a database so that the office can keep an eye on trends and issues that need investigating. Last year, the office received over 20,000 written consumer complaints—a large increase compared to ten years ago.

Continue Reading State AGs and Consumer Protection: What We Learned from ….North Carolina

While seventeen new state attorneys general are now sworn in and getting settled into their offices across the country, consumer protection continues to be the top of their agenda. Enforcement continues to take shape in different forms including individual actions, multistate investigations, and partnering with the Federal Trade Commission (FTC).  This year we expect states to target particularly salient issues such as dark patterns, autorenewal concerns, and/or data security and privacy, but those priorities will continue to evolve through discussions at the forums of their main national organizations.

For our first State AG webinar of the year, we dove into consumer protection in the Tennessee attorney general office with our guests, Chief Deputy Lacey Mase and Executive Counsel Jeff Hill. If you missed it, we’ve recapped what we learned.

Background of the Office

Unlike other states,  Tennessee is the only state where the AG is appointed by the state Supreme Court, with the AG serving for an eight year term. Qualified attorneys submit applications to the Supreme Court and are interviewed publicly before being selected to serve as AG.

Within the AG’s office, the Consumer Protection Division handles both consumer protection and antitrust work. The AG’s consumer protection priorities are constantly shifting in order to respond to consumer needs. The office evaluates whether resources should be allocated to large scale litigation needs such as multistate actions or whether there are smaller consumer concerns that need to be addressed within the state.

The Consumer Protection Division now houses the Division of Consumer Affairs which serves as the point of contact for consumer complaints about unfair or deceptive acts conducted within the state (until a few years ago, the Division was a separate agency). Tennessee does provide complaint mediation for consumers, where the office will routinely ask businesses for a response.

Continue Reading State AGs and Consumer Protection: What We Learned from….Tennessee

In addition to announcing a new COPPA policy statement and related “crackdown” on children’s privacy issues (discussed here) in its most recent open meeting, the FTC also proposed changes to the FTC’s Endorsement Guides.  The changes would build on and expand previous guidance, including by expressly extending liability to endorsers, intermediaries, and platforms

How the Utah Consumer Privacy Act Stacks Up Against Other State Privacy Laws

As companies wait to see whether the Utah Consumer Privacy Act (UCPA) becomes the fourth comprehensive state privacy law, we are providing an overview of some of the Act’s key provisions – and how they depart from comprehensive privacy laws in California, Colorado, and Virginia.

Utah’s Senate unanimously passed the UCPA on February 25.  The House – also through a unanimous vote – followed on March 2.  The Legislature sent the UCPA to Governor Spencer Cox on March 15.  Because the Legislature adjourned on March 4, Governor Cox has 20 days from the date of adjournment – March 24 – to sign or veto the Act.  If Governor Cox takes no action, the UCPA will become law, with an effective date of December 31, 2023.

In broad strokes, the UCPA is similar to the Virginia Consumer Data Protection Act (VCDPA) and Colorado Privacy Act (CPA).  And, like the laws in Colorado and Virginia, the UCPA borrows some concepts from the CCPA – including a version of the right to opt out of the “sale” of personal data.

However, the UCPA pares back important features of all three of these laws.  Some of the significant changes include:

  • Applicability.  The UCPA’s applicability is narrower than the three other comprehensive state privacy laws.  The UCPA applies only to controllers or processors that (1) do business in the state (or target Utah residents with products or services); (2) earn at least $25 million in revenue; and (3) either: (a) control or process personal data of 100,000 or more consumers in a calendar year; or (b) derive more than 50 percent of gross revenue from selling personal data and control or process data of 25,000 or more consumers.  By contrast, the $25 million revenue threshold is an independent basis for the CCPA to apply to a business; and neither the CPA nor VCDPA includes a revenue-based exemption.
  • Exemptions.  In addition to exempting personal data that is subject to sector-specific privacy laws and regulations, such as HIPAA, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act, the UCPA provides that the Act does not apply to certain entities, including a tribes, institutions of higher education, and nonprofit corporations.
  • Sale and Targeted Advertising Opt-Out Rights.  Although the UCPA requires controllers to provide consumers with the ability to opt out of sale and targeted advertising, the Act does not provide a right to opt out of profiling (or otherwise address profiling).  Like the VCDPA, the UCPA restricts the definition of “sale” to “the exchange of personal data for monetary consideration by a controller to a third party.”  This definition does not include “other valuable consideration,” found in the definitions of “sale” under the CCPA and CPA.
  • Opt-Out Consent to Process Most Sensitive Data.  The UCPA does not require opt-in consent to process most sensitive data, unless the data “concern[s] a known child,”  unlike the opt-in requirements of the CPA and VCDPA.  Instead, the UCPA requires controllers to “present[] the consumer with clear notice and an opportunity to opt out” of sensitive data processing.
  • Other Consumer Rights.  The UCPA provides consumers the right to confirm processing and to delete personal data they provided to a controller.  Consumers also have the right to obtain a portable copy of personal data that the consumer “previously provided to the controller.”  This “provided to” language follows the VCDPA’s access and portability right and contrasts with obligations to provide personal data “concerning” (CPA) or “about” (CCPA) a consumer.  The UCPA does not provide a right of correction or accuracy.
  • Enforcement and Regulation.  The UCPA does not include a private cause of action, nor does it authorize the Attorney General or other state official or agency to issue regulations.  The Division of Consumer Protection, in the Utah Department of Commerce, investigates potential violations and can refer an action to the Utah Attorney General for enforcement.  The Attorney General can recover actual damages for consumers and a penalty of up to $7,500 per violation, but only after a 30 day notice and right to cure period.


Continue Reading How the Utah Consumer Privacy Act Stacks Up Against Other State Privacy Laws

ICYMI: Momentum Continues with the Colorado Privacy ActLast week, the Attorney General Alliance hosted a seminar to address the Colorado Privacy Act (CPA)—what it does and how to prepare for its July 1, 2023 effective date. The seminar featured a discussion with the bill’s sponsors, legal experts, practitioners, and the Attorneys General for Colorado and Wyoming. As the third state to enact

Subscription services and other automatic renewals continue to be a hot topic, at both the federal and state levels. The FTC recently announced that it was going to increase its enforcement against companies that don’t comply with the law, while various states have been updating or passing new laws. Next up are new laws in

On October 6, 2021, the Senate Commerce Committee conducted its second in a series of hearings dedicated to consumer privacy and data, this time addressing Data Security.  Similar to last week’s privacy hearing, the witnesses and Senators appeared to agree that federal data security standards – whether as part of privacy legislation or on their own – are urgently needed. If there were to be consensus around legislative principles, the hearing provides clues about what a compromise might look like.

Prepared Statements. In their opening statements, the witnesses emphasized the need for minimum standards governing data security.

  • James E. Lee, Chief Operating Officer of the Identity Theft Resource Center, explained that without minimum requirements, companies lack sufficient incentives to strengthen their data security practices to protect consumer data. Lee also advocated for more aggressive federal enforcement rather than the patchwork of state actions, which, he said, produce disparate impacts for the same conduct.
  • Jessica Rich, former Director of the FTC’s Bureau of Consumer Protection and counsel at Kelley Drye, emphasized that current laws do not establish clear standards for data security and accountability. She advocated for a process-based approach to prevent the law from being outpaced by evolving technologies and to ensure that it accommodates the wide range of business models and data practices across the economy. Among her recommendations, Rich suggested that Congress provide the FTC with jurisdiction over nonprofits and common carriers and authority to seek penalties for first-time violations.
  • Edward W. Felten, former Deputy U.S. Chief Technology Officer, former Chief Technologist of the FTC’s Bureau of Consumer Protection, and current Professor of Computer Science and Public Affairs at Princeton University, focused on the need to strengthen the FTC’s technological capabilities, including increasing the budget to hire more technologists. Notably, Felten advocated for more prescriptive requirements in data security legislation such as requiring companies to store and transmit sensitive consumer data in encrypted form and prohibiting companies from knowingly shipping devices with serious security vulnerabilities.
  • Kate Tummarello, Executive Director at Engine, a non-profit organization representing startups, addressed the importance of data security for most startups. Tummarello advocated for FTC standards or guidance with flexible options. Cautioning against overburdening startups, Tummarello explained that newer companies take data security seriously because they do not have the name recognition or relationships with consumers that larger companies may have, and a single breach could be extremely disruptive. Additionally, Tummarello highlighted that the patchwork of state laws provides inconsistent and unclear data security guidance and imposes high compliance costs.


Continue Reading Hope Emerges at Senate Data Security Hearing – But Will Congress Grab the Brass Ring?

During last month’s California Privacy Protection Agency Board (CPPA) meeting, the only substantive agenda item, addressed in closed session, was a discussion of two key appointments: the first Executive Director and a Chief Privacy Auditor, as required by CPRA’s 1798.199.30. On October 4, 2021, the five-person CPPA board announced that they appointed

On September 29, 2021, the Senate Commerce Subcommittee held a hearing titled Protecting Consumer Privacy. The senators addressed the potential $1 billion earmarked to strengthen the FTC’s privacy work, the future of a federal privacy and data protection law, and a myriad of other privacy related topics such as children’s privacy.

Prepared Statements. In