2012 was a big year for State AGs in the area of data protection/data privacy, led by California, with other AGs making contributions as well. It appears that trend will continue in 2013.
California AG Kamala Harris made the most data protection headlines in 2012. California was the first state to pass a data breach notification law, in 2002, but in the intervening time other states passed laws with stricter requirements. California’s changes went into effect in 2012 and bring the law in line with some of the most stringent state laws, requiring, among other things, a company that experiences a data breach affecting more than 500 California residents to notify the AG.
In February, AG Harris announced that she worked with the top six mobile app manufacturers to devise a Statement of Principles designed to protect mobile app users’ personal identifying information. Following up on this success, AG Harris created a new Privacy Protection Division that will handle all privacy and data breach matters.
In late October, the division notified 100 popular app manufacturers that it believed that they were violating the new privacy laws by failing to include privacy policies within their apps. The division gave the manufacturers 30 days to come into compliance. AG Harris capped off her busy data privacy year by filing suit against Delta Airlines, which had allegedly failed to bring its mobile app, “Fly Delta,” into compliance by the end of the 30-day period.
While California led the nation on data privacy issues in 2012, it was not the only state to bolster data protection laws and regulations.
As of March 1, Massachusetts requires that all entities that “own or license” residents’ personal information must select vendors that can and will “maintain appropriate security measures to protect such personal information.”
Vermont joined the growing list of states requiring a company that experiences a data breach to notify the AG. Vermont also now requires notification to consumers no later than 45 days after discovery of the breach, making Vermont one of only four states (including Florida, Ohio, and Wisconsin) to mandate a timeframe for consumer notification.
Connecticut followed on the heels of Vermont and California in requiring AG notification from companies that experience a data breach. Since October 1, the notifications have gone directly to the AG’s Privacy Task Force, created in 2011, the first AG unit dedicated to privacy issues.
Finally, Maryland AG Doug Gansler, the 2012-2013 President of the National Association of Attorneys General (NAAG), announced “Privacy in the Digital Age” as his NAAG Presidential Initiative. As a result of this focus, the attention of all 50 AGs has been brought to bear on privacy issues.
In light of the data privacy developments in 2012, there likely will be additional AG offices opening privacy protection units in 2013 and greater AG enforcement of data privacy laws. Indeed, AG Harris began 2013 focusing on data privacy. Last week, her Privacy Protection Division published “Privacy on the Go: Recommendations for the Mobile Ecosystem,” intended to help cement “best privacy practices” in the new and rapidly expanding mobile app industry. The recommendations go beyond what is currently required by the law and are intended to help app developers consider privacy protections at the outset of development.