Headlines for state Attorneys General have been dominated by pursuits with the Trump Administration – whether the travel ban case going to the U.S. Supreme Court or challenges to legacy regulations at federal agencies. Less visible, state AGs are pushing forward on their interests and influence in technology-oriented consumer products, as highlighted in panel topics at various Attorney General meetings this summer. What is discussion now among state AGs can often result in legal action, and technology companies should be aware of what’s on the agenda.
An Attorney General is often known as the “Top Cop” in his or her state. However, rather than having widespread criminal prosecutorial powers, state AGs utilize broad consumer protection authority. Particularly in assessing deceptive and unfair acts and practices with consumer-facing business, AGs are market regulators and enforcers. Further, state AGs enforce certain federal regulations, and even the elusive “abusive” standard of the CFPB. Combining into potential multi-state actions, AG investigations can be pervasive. And on top of that, as predominantly elected officials, state AGs are highly motivated by policy interests affecting consumers and businesses.
For years, data breaches have been big news for state AGs as there remains no federal compliance standard. Individual states maintain their own requirements for notification in case of a breach, enforced by state AGs. Some states take the opportunity to establish heightened privacy standards for the types of data that companies can collect, for instance, the Illinois legislature recently passed legislation to restrict geo-location data and to be enforced by the Attorney General. Moving from reactive roles to proactive interests, state AGs are mapping out technology sectors where they see significant instances of security and privacy at stake.
Three “HUGE” technologies that will shape the future of consumers have the current interest of state AGs: driverless cars, the Internet of Things, and artificial intelligence. The inter-connectedness of computing devices along with the capture of personal data, including at times when a consumer may be unaware, has some state AGs on high alert. The concern from AGs is not a particular innovation itself, but it is self-realization of how AGs themselves should react to the seismic shift in consumer preferences where a desire for efficiency, personalization, and freedom is trumping traditional notions of consumer protection.
First, driverless vehicles, connected cars, or “AV” – whatever they are called, this is the Jetsons becoming reality. A fleet of cars without drivers roams the streets of Pittsburgh, and a production vehicle will be summoned to your doorstep. The National Highway Traffic Safety Administration (NHTSA) categorizes five levels of automated driving from Level 1 such as cruise control to Levels 4 and 5 where the vehicle monitors all roadway conditions and reacts appropriately. Between the ends of this spectrum is an incremental revolution as more and more driver assistance features are introduced into vehicles.
With the productivity and safety gains for those no longer seated behind a steering wheel, state AGs recognize potential privacy concerns with location data, driving habits, or occupant identification that could be at risk of unauthorized use or disclosure. State AGs will also seek to defend their state laws from the preemptive effects of federal regulations that may otherwise be necessary to usher the advancement of driverless technology. With state AGs clearly having a role to influence the driverless industry and its future, proactive engagement with AGs, even in spite of their enforcement role, is critical.
Second, the Internet of Things (IoT) describes smart devices connected together. Smart devices may be activated remotely, may detect information independently, or may be able to learn and repeat functions. IoT devices collect information from a person’s home or surroundings, some which may be personal. For instance earlier this year the FTC and the New Jersey Attorney General settled charges of $2.2 million with a TV manufacturer that collected viewing histories.
For state AGs, IoT enforcement considerations involve unfair and deceptive acts and practices (UDAP), for example, no notice to consumers about personally identifiable information that may be collected, or possibly HIPAA violations in sharing health information. The proliferation of non-secure connected devices creates growing risks – for instance, last year the “Mirai” virus searched the internet for vulnerable IoT devices, attacked them using common manufacturer default settings, and infected devices to control them for additional attacks. State AGs heard at a recent meeting of ways in which IoT devices – from a wireless tea kettle to a webcam to a connected medical device – could be compromised when unsecured mundane devices open up possibilities to gain access to a wireless home network.
Third, artificial intelligence, or AI, certainly brings images of science fiction. AI involves computers performing tasks in ways that would otherwise require human intelligence whether recognizing speech, having visual perception, or making decisions. Last year, an AI “robot journalist” wrote 450 stories on the Olympics, and such superhuman feats will continue as AI learns to understand pictures and videos of events.
State AGs understand how AI may be useful for law enforcement, for instance in managing unregistered drones by taking them safely out of the sky. This kind of technology-advances-to-manage-technology-risks is certainly appealing and needs to be better understood by AGs across a variety of industries. State AG already have been receiving a similar education with their regulatory and enforcement authority toward the sharing economy as traditional methods of consumer protection do not fit. More so, AI will transform our economy as a whole which has state Attorneys General considering how their consumer protection roles must change.
A version of this posting was originally published in The Hill.