News & Insights

In 2022, Opioids, Data Privacy, and ESG Dominated the State AG Landscape

By: Emily Yu in conversation with the Cozen O’Connor State AG Group

2022 was a landmark year for state attorneys general.  From billion-dollar global settlements with players in each link of the opioids distribution chain to record-setting settlements with a tech giant, this past year AGs joined forces across the aisle to resolve disputes with some of the most prominent companies in the United States.  But the past year also saw increasing divisiveness along party lines as AGs expanded their reach into new areas, such as environmental, social, and governance-focused investing (ESG).  In this article, members of Cozen O’Connor’s State AG Group[1] talk about the most significant AG actions of the past year and what they foretell for AGs’ priorities in 2023.

“If you’re in any way touching pain medication you’re part of the problem”

2022 began with a litany of activity in settlements with opioid manufacturers and distributors, including court approval of settlements with Mallinckrodt, Johnson & Johnson, and Purdue in the first several months of the year.[2]  The opioid settlements were the most important AG action in the past year because they resulted in entities up and down the chain of distribution making payment—manufacturers, distributors, and retailers—explained Bernie Nash.  The manufacturer and distributor settlements were noteworthy in their own right; they totaled tens of billions of dollars.  The payments by retailers, however, were the real game changers, from November’s Walmart settlement of $3.1 billion to December’s CVS Health and Walgreens settlements of $5 billion and $5.7 billion, respectively.

According to Milton Marquis, AGs’ focus has shifted away from concern over pill mills and false advertising about the danger of these medications.  The AGs’ current outlook with respect to the pharmaceutical titans of industry can be summed up as: “If you’re in any way touching pain medication you’re part of the problem.”  Nash added that the settlements are all the more significant because the involvement of local governments means they will play a role in the big multistate settlements as well.

Lori Kalani placed the magnitude of the opioid settlements into a wider perspective, describing these as “legacy settlements.”  “Every 15 years or so there seems to be a big settlement like that.  In the ’90s it was the tobacco settlement, and in the 2010s it was the mortgage servicers settlement,” explained Kalani.  She anticipates that in four to five years we will see the next big settlement, and thinks it will involve another “public nuisance” that affects consumers.

Arizona v. Google a harbinger of aggressive AG data privacy enforcement

Another area that saw substantial AG involvement in the past year was data privacy.  Chris Allen’s belief is that the next big settlement will involve children’s and teens’ online privacy.  He observed that with tobacco, opioids, and subprime mortgage lending, the allegations were, “You knew the risks, you didn’t tell anybody, and you sold it anyway.”  Allen’s prediction of a repeat involving companies that operate social media platforms is in keeping with his pick for the most significant AG action of 2022: Arizona AG Mark Brnovich’s $85 million settlement with Google to resolve allegations that the company unlawfully obtained users’ location data, which it then used to sell advertisements.[3]  Forty AGs separately settled with Google for $390 million to resolve the same allegations in November.[4]

Allen explained, “Arizona v. Google stood out for a couple of reasons.  First, you had a state going it alone in litigation against one of the biggest companies in the world premised on data privacy and the state’s UDAP (Unfair, Deceptive, or Abusive Practices) statute, one of the broadest statutes.  Second, the scope of the settlement was very sizeable, the largest recovery in Arizona history.”  He noted, “If this is going to be a trend and AGs are going to be aggressive through individual action, and not just as a part of a multistate group, it’s something that isn’t going to just be limited to the Googles of the world.  It’s going to affect everyone consumer-facing and consumer-touching.”

Paul Connell suggested that healthcare may be the next industry in which AGs focus on examining companies’ use of “big data.”  His pick for the most significant AG action of the year was California AG Rob Bonta’s look into the impact of AI/big data/machine learning in the healthcare space.  In August, AG Bonta sent requests for information to hospital CEOs across California as part of an inquiry into whether healthcare algorithms used by providers to make decisions for patients have discriminatory impacts.[5]

Ann-Marie Luciano predicted the biggest issues in 2023 will be related to data: consumer privacy, dark patterns, and matters related to how companies use the wealth of information they collect on consumers.  “AGs have said that they are looking closely at how companies use consumer information to influence consumer choice and the consumer experience,” Luciano noted, “and in 2023 we’ll continue to see how AGs draw the line as to what constitutes appropriate disclosure and reasonable use of consumer data.”

Maria Colsey Heard noted another data-related issue that AGs weighed in on in 2022, and continue to be concerned about.  “Electronic waste disposal is an area of concern for AGs and state departments of environmental protection that will continue to rear its head, and this can come into play in a data breach,” she explained.  She warned that a data breach that arises from the insecure disposal of a device with consumer information can morph into an investigation of all of a company’s e-waste disposal practices.

The Group also predicted more state legislative action to protect consumer data privacy.  Luciano noted that state legislatures are continuing to consider privacy legislation like the California Consumer Privacy Act and additional states’ laws will be going into effect in 2023.[6]  Jerry Kilgore agreed, “I think a lot of AGs will focus on the privacy issue now that some states have a history of dealing with it, and states will start working on privacy legislation.”  He predicted that in 2023, legislation will come to fruition in some of the larger states.[7]

Meghan Stoppel cautioned, however, that regardless of how many states pass comprehensive consumer privacy laws, the AGs will continue to use their respective UDAP laws to address misrepresentations or omissions regarding the collection, use, and sharing of consumer data.  “For businesses operating in states that have passed comprehensive privacy laws, the risk of a potential violation has only grown exponentially.”

Businesses in the cross hairs over ESG investing

Another arena with burgeoning AG activity is ESG-focused investing.  In 2022, both Republican and Democratic AGs submitted dueling comments to the Securities and Exchange Commission on proposed rules relating to ESG-focused investing[8] and a group of Republican AGs publicly sought clarification from asset manager behemoth Blackrock regarding the fiduciary duty and antitrust issues raised by ESG-focused asset management[9].  Mira Baylson summarized Republican AG-led actions: “We saw a few states revise their guidelines for investments from their pension funds and create a dichotomy between companies that engage in ESG benchmarking and those that don’t.”  She predicted that in the coming year Republican AGs will continue to target financial institutions’ consideration of ESG factors and that Democratic AGs will start their own investigations and start responding more forcefully than they have in the past, with responses that have mostly consisted of letters to Congress[10] and complaints.

Kilgore observed that Democratic AGs are demanding that corporations employ ESG policies, and noted, “This issue also divides along size lines.  Bigger companies will have the ability to fight it.”  Baylson further explained that businesses, especially big investment firms will likely find themselves in the AG crosshairs as a result.  Nash added, “I think that the proxy advisory firms are going to be the next big target.”  To reduce risk, Baylson suggested that companies should document what they’re doing, have data to back up what they’re doing and why, and figure out a way to make it politics-neutral.

2023 will bring more division along party lines

In 2022 AGs rallied together in a mostly non-partisan manner to settle massive opioid and data privacy suits.  But if the Group’s predictions hold, 2023 promises to bring greater divisiveness among AGs based on party affiliation in such areas as ESG-focused investing.  Another area of potential partisan conflict derives from the Supreme Court’s conservative majority, which seems keen to curb agency powers.  Siran Faulders noted that court action rolling back the authority of federal agencies such as the FTC[11] will encourage Republican AGs to step up in the coming year.  But regardless of the issue, businesses are well-advised to reach out to AGs on both sides of the aisle early and often this year as it is likely to be another eventful one in the AG realm.


[1] The article is based on interviews with the Cozen O’Connor attorneys named throughout.

[2] Maria Chutchian & Dietrich Knauth, Mallinckrodt wins approval of restructuring plan, opioid deal, Reuters (Feb. 3, 2022, 9:38 PM); Geoff Mulvihill, J&J, distributors finalize $26B landmark opioid settlement, AP (Feb. 25, 2022); Geoff Mulvihill, Purdue Pharma, US states agree to new opioid settlement, AP (Mar. 3, 2022)

[3] Attorney General State of Arizona, Attorney General Mark Brnovich Achieves Historic $85 Million Settlement with Google (Oct. 4, 2022)

[4] Attorney General State of Florida, Attorney General Moody Secures $390 Million Through Historic Multistate Action Against Google Over Location Tracking Practices (Nov. 14, 2022)

[5] State of California Department of Justice Office of the Attorney General, Attorney General Bonta Launches Inquiry into Racial and Ethnic Bias in Healthcare Algorithms (Aug. 31, 2022)

[6] The Virginia Consumer Data Protection Act went into effect and is enforceable on January 1, 2023.  Va. Code. Ann. §§ 59.1-575–584.  California’s Consumer Privacy Rights Act, which amended the California Consumer Privacy Act, also became effective on January 1, but is not enforceable until July 1, 2023.  Cal. Civ. Code §§ 1798.100–199.100.  The Colorado Privacy Act, Colo. Rev. Stat. §§ 6-1-1301–1313, and the Connecticut Data Privacy Act, 2022 Conn. Pub. Acts 22-15, are effective and enforceable on July 1, 2023.  Lastly, the Utah Consumer Privacy Act is effective and enforceable on December 31, 2023.  Utah Code Ann. §§ 13-61-101–404.

[7] There are also three bills in New Jersey being carried over into the 2023 legislative session: (1) the New Jersey Disclosure and Accountability Transparency Act, Assemb. 505, 2022 Leg., Sess. 2022-2023 (N.J. 2022); and (2) identical bills Senate Bill 332 and Assembly Bill 1971, Sen. 332, 2022 Leg., Sess. 2022-2023 (N.J. 2022); Assemb. 1971, 2022 Leg., Sess. 2022-2023 (N.J. 2022).

[8] Attorney General of Texas, AG Paxton Opposes SEC’s New Proposed Rule as Unconstitutional, Driving Left-Wing Agenda (Aug. 23, 2022); State of California Department of Justice Office of the Attorney General, Attorney General Bonta Expresses Support for SEC Proposal to Increase Transparency and Accountability of Funds Claiming to Prioritize ESG Factors (Aug. 16, 2022)

[9] Nebraska Attorney General, Nebraska Attorney General Doug Peterson Calls Attention to Potentially Unlawful Market Manipulation by Investment Firm (Aug. 4, 2022)

[10] Office of the Attorney General for the District of Columbia, AG Racine Leads Group of 17 Attorneys General in Warning Congressional Leaders About Republican Misinformation Campaign Against ESG Investing (Nov. 21, 2022)

[11] AMG Cap. Mgmt., LLC v. FTC, 141 S. Ct. 1341 (2021).