During the past year, state attorneys general across the nation continued to extend their consumer protection influence, enforcing state and federal laws. Looking ahead to 2022, we see several areas that appear ripe for state AG enforcement.
With increased coordination among state attorneys general through the multistate investigation process, along with new priorities and regulatory trends, we expect that new dynamics will be introduced into the state regulatory landscape.
While the path forward might appear blurry in some areas at present, one thing is clear: The current landscape presents an irresistible opportunity for state AGs looking to position their offices as leaders in regulatory enforcement, both within state borders and nationally.
Continuing as Lead Enforcers for Data Privacy
State AGs will play an increasingly active role in regulatory oversight of consumer data privacy and will seek to enforce laws while influencing the policy debate. This will take the form of enforcement actions as state AGs grapple with the increasing threats to constituents’ privacy, while state legislatures continue to pass data privacy laws that expand their dictate and strengthen the remedies they may obtain.
Regulatory oversight will take off on the heels of one year of enforcement under the CCPA and as Colorado and Virginia begin enforcing similar new laws. Comparable laws are pending in Connecticut, Massachusetts, Maine, New York, North Carolina, Ohio, and Pennsylvania.
With state AGs increasing their enforcement of data privacy issues, the result is a confusing patchwork of state-specific privacy and data breach laws. This haphazard system is likely to continue until federal legislation emerges. There have been no less than five bills introduced that would bring the federal legislation up to date, but ultimately, none gained any substantial traction. The bills include the Browser Act of 2021, Information Transparency & Personal Data Control Act, Data Care Act of 2021, Consumer Data Privacy and Security Act of 2021, and Data Protection Act of 2021.
Along with consumer privacy initiatives, oversight of data breach and ransomware attacks also will continue to be a significant focus. We anticipate that state AGs may begin to develop a comprehensive framework for regulating companies involved in data breaches to streamline investigations and reach settlements more quickly, thus avoiding protracted investigations that consume scarce state resources.
Paying Attention to the Right-to-Repair Movement
In the regulatory world, the “right to repair” is rapidly gaining momentum in states nationwide. The “right to repair” generally refers to proposed legislation or regulation that ensures consumers (or after-market businesses) can repair, maintain, or modify the devices and equipment they purchase even when the manufacturer of those devices and equipment attempts to require the consumer to use only “original equipment manufacturer” (OEM) replacement parts and services.
Due to consumer-led grassroots movements that gained attention of regulators across the country, in 2021 more than half of all states had pending legislation addressing right-to-repair laws. We do not expect state AGs to wait for state legislatures to pass this legislation, however; instead, we expect state AGs will use existing consumer protection and antitrust laws to increase scrutiny of companies and practices that restrict consumers’ right to repair.
At the same time, companies will likely push back on right-to-repair laws, asserting that they bring unintended consequences, including adverse privacy and safety implications and a loss of desirable functions.
Focusing on Emerging Technologies
Emerging technologies present an area ripe for regulatory oversight. Hybrid transactions involving the combined sale of goods and services, such as a Peloton bike or smart thermostat, present novel legal challenges not addressed by existing laws such as the Uniform Commercial Code. Although the ideal policy solution would be to adopt a uniform legal system, that is unlikely to occur quickly. In the meantime, state AGs will fill the gaps in existing law with regulatory oversight.
We expect states to take the lead on regulation of autonomous vehicles (commercial and private) operating within state borders. According to the Governors Highway Safety Association, legislation and executive orders in 38 states currently regulate the use of autonomous vehicles and four states, including Indiana, Kentucky, Mississippi, and South Carolina currently regulate truck platooning.
Additionally, as artificial intelligence (AI), machine learning (ML) and big data become more ubiquitous, states will be at the forefront of regulating complex technologies and emerging industries. For example, Vermont Attorney General Thomas J. Donovan Jr. (D) in 2020 sued a data broker for using facial recognition technology to map the faces of Vermonters and sell access to the data, in alleged violation of the Consumer Protection Act and the Data Broker Law.
States also will have to learn how to monitor the use of AI/ML products used to make complex decisions to avoid bias, such as guiding lending decisions and setting insurance premiums. Proposed state legislation, including versions of the proposed Algorithm Accountability Act (H.R. 2231, introduced in April 2019), may open the door to additional regulatory oversight.
Expanding Scrutiny of Lending Practices
In the past decade, state AGs have increased their scrutiny of lending practices. Driven by the Covid-19 pandemic’s economic fallout, state AGs have a growing appetite to investigate non-traditional lenders and industries that cater to high-risk borrowers including online, short-term, asset-based, and retail consumer lending at high interest rates.
Through the broad application of state consumer protection laws, state AGs will continue to crack down on practices considered exploitative, for example when lenders provide loans they know or should have known are likely to default.
State AGs also are vigilant regarding non-bank companies regulated solely by the state that lend or extend credit to high-risk borrowers.
Removing Bankruptcy as a Shield from Regulatory Oversight
State AGs have openly expressed their frustration with businesses that sought to circumvent consumer protection actions in bankruptcy. For example, in 2021 state AGs filed objections to a perceived inadequate and insufficient bankruptcy plan by Purdue Pharma, resulting in a New York federal judge rejecting the settlement.
In November, AGs from 41 states, Puerto Rico, and Guam signed a letter supporting the Bankruptcy Venue Reform Act of 2021. The bipartisan legislation aims to stop corporations from filing for bankruptcy in a jurisdiction they deem to be favorable.
Specifically, the legislation limits them to only filing in a jurisdiction where the company’s “principal place of business” or “principal assets” are located. This change will allow more involvement and influence by the AG from a corporation’s primary state in bankruptcy proceedings.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owner.
Ashley Taylor is a partner at Troutman Pepper in the Consumer Financial Services practice with a primary focus on federal and state government regulatory and enforcement matters involving state attorneys general, the Consumer Financial Protection Bureau and the Federal Trade Commission.
Stephen Piepgrass is a partner at Troutman Pepper in the firm’s government enforcement, compliance, and investigations group with a focus on enforcement actions and investigations, and litigation.
Chris Carlson is an associate and member of the Troutman Pepper’s State Attorneys General practice and Enforcement Actions and Investigations team. He advises on state and federal regulatory matters, with an emphasis on state consumer protection laws.
Daniel Waltz is an associate at Troutman Pepper. He advises and represents regional, national, and international companies, financial institutions, and insurers in all facets of business and helps clients navigate regulatory and compliance issues.
The authors would like to thank Namrata Kang, law clerk at Troutman Pepper, for her contributions to the article.