Chris Allen (00:02)

Welcome to the fifth season of State AG Pulse. In this season, we’ll be digging into the weekly state AG news to bring you our insights on the impact of state attorneys general across a broad range of industry sectors. From technology to healthcare and telecommunications to consumer financial services, state attorneys general continue to wield extraordinary influence, not only in their own states, but also on the national stage. Now, on to this week’s episode.

Hello everyone and welcome back to State AG Pulse. I am Chris Allen, a partner in Cozen O’Connor’s State Attorneys General Practice. And today I am excited to be joined by one of my colleagues again, Hannah Cornett-Land. Hey Hannah, how are doing?

Hannah Cornett Land (00:50)

Hey Chris, doing well, how are you?

Chris Allen (00:51)

I am just fine, thanks. Thank you for everybody that joined us last week when we were very excited to introduce our new colleague Chuck Slemp who is a former chief deputy of Virginia and now a valued member of the Cozen O’Connor team. Today we’re going to shift gears a little bit and go back to one of our running themes here, which is to discuss a big story in the AG news and then to step back and take a look at what it means in the broader context of state attorneys general and regulations and the business community and compliance in general. So today, Hannah, I see that you found for us a whopping settlement announced by Texas Attorney General Ken Paxton, $1.375 billion with the tech company Google. Now, of course, for Google, $1.375 billion may not be all that much, relatively speaking, but as far as…

Hannah Cornett Land (01:45)

Pocket change.

Chris Allen (01:47)

This is a mammoth one, especially for just one state. So Hannah, how about you give us some of the background on this.

Hannah Cornett Land (01:54)

Yeah, sure Chris. So this settlement came after Texas had filed a lawsuit in 2022 against Google, claiming that they violated Texas’s privacy laws by allegedly tracking user location, incognito browser activity, and biometric data like voice prints and facial geometry without providing sufficient notice and consent. Now, the settlement is not available to the public, so we can’t see exactly what the terms are aside from the penalty amount that the AG’s office has shared in their press release, but Texas is claiming that this is the largest recovery against Google for any AG enforcement action ever, specifically relating to privacy laws, including the multistate that happened several years ago. I think that settlement actually happened in 2022 along similar location tracking allegations. Google is also quoted in a Law 360 article [of] stating that the settlement is resolving claims without an omission of wrongdoing and that any of the required product changes and disclosures are already in place. Again, where we don’t have the settlement in hand, we can’t verify what those changes exactly are. But that’s the information we have to go off of.

Chris Allen (03:03)

Yeah, even if we don’t have all the details, a $1.375 billion settlement is something that certainly grabs everybody’s attention.

Hannah Cornett Land

Oh yeah, it’s huge.

Chris Allen

Hence our reporting on it now in a timely fashion. But you know, even though this may be the marquee settlement that Texas has reached in this area so far, Hannah, I think it’s safe to say it’s certainly not the only thing Texas has been doing in this area.

Hannah Cornett Land (03:12)

Right, no, Texas has definitely like, they’re positioning themselves, I think, to be a key player in the privacy enforcement space among AG offices. They announced last year that they are creating their own data privacy section under the Consumer Protection Division. That’s going to be focusing exclusively on enforcement actions under Texas’s Data Privacy and Security Act, the Biometric Identifier Act, data broker laws, and then federal laws such as COPPA and HIPAA. In terms of enforcement activity in this space, the location tracking issue seems to also be a point of contention for this office. They filed a lawsuit against Allstate and its data subsidiary, Arity, alleging that they were embedding tracking software into apps, like the app Life360.

Chris Allen (04:14)

I had not heard of the Life360 app. I’ve become familiar with it as a result of learning about the Allstate lawsuit. I use a different insurance company, shall we say, so perhaps that’s why I didn’t know about it.

Hannah Cornett Land (04:27)

Well, I only know about it because I have sister-in-laws with teenage boys and they have Life360 and the amount of tracking that these parents can do these days, it’s just, it’s incredible. Anyways, so the allegations here were that they were embedding tracking software in this app to covertly collect driving behavior data similar there, similar to the Google lawsuit that they’re alleging that there wasn’t a proper notice and consent. Also this, according to AG’s office, that particular lawsuit is it marks the first enforcement action under the TDPSA, which is Texas’s data privacy and security act.

Chris Allen (05:03)

Yeah, I know you were joking when you were talking about the amount of tracking that parents can do on their kids and I will just say as a child of the 90s, I’m kind of glad that that didn’t exist back then.

Hannah Cornett Land (05:14)

Yeah, no

Chris Allen (05:15)

We didn’t have cell phone cameras either, so our lives were not nearly the open book that they are right now. But it does get to the point of, you know, why Texas, and it’s not just Texas, we’re focusing on Texas for right now, we’ll zoom out and talk about other states in a second, but just kind of why they are so focused on this, right? Because so much data is out there. And it’s not just data about driving habits. It plays into the controversy over TikTok. It plays into the controversy over what artificial intelligence is allowing now. It plays into the controversies over social media, for example, and the kind of information they’re collecting. So it’s an area where Google obviously being a giant tech company is a logical target, I think, when you’re talking about data privacy, but really it’s a symptom of the proliferation of data collection and data sharing, not just with the big tech companies, but really across everybody. I mean, we’re talking about auto companies for Pete’s sake…

Hannah Cornett Land (06:07)

Right. You know, I think another concern, particularly for Allstate in this case, is that they’ve got the investigation against General Motors as well, and a broader investigation against several different car manufacturers alleging that they’re using similar data to share with insurance companies specifically, and that it could hike up insurance rates based on your driving data.

Chris Allen (06:27)

Yeah. And gets to the nub of it, is they’re sharing this data. And it’s very logical if you think about it. If you are able to tell what a consumer is doing, what a driver is doing in their vehicle, that [would] very obviously is relevant to what their insurance rates probably could be. And so if I’m an insurance company and somebody tells me, I can tell you how often Chris Allen speeds when he’s trying to get to work in the morning because he had to stop at Starbucks like he always does, that’s something I think my insurance company would like to know. But at the same time, if that information is being collected and it’s being sold or transferred without me or any consumer knowing about it, that’s where the AGs, I think, really have problems,

Hannah Cornett Land (07:09)

Right, yeah, I think the notice and consent is the crux of the issue, just making sure that consumers are aware, you know, that this data is being collected and what it is being collected for.

Chris Allen (07:19)

Yeah, and that’s not a new thing. I mean, we talk about the TDPSA and I know I personally have clients that I’m counseling on this issue. I know many, many other companies are dealing with it. I know that Texas has already sent out letters to a wide range of companies, again, not just tech companies, asking how they’re going to comply with this law or whether they’re in compliance with this law. But I think it kind of really goes back to the broader wellspring of powers that state AGs have, and that is under their traditional unfair and deceptive acts and practices or UDAP authority (which is the broad consumer protection statutes that every state has that’s enforced by the AG) really the fundamental question they’re asking is: What do consumers understand about what they’re engaging with? Are they being misled? Are they being deceived? Are key facts being omitted? And I know Hannah, you and I have worked on data security cases before where the question in that case was: What were consumers being led to understand about the security of their data? And now you have data privacy acts, have data breach notification acts, but really a lot of this started back under UDAP where states became concerned once again about the information that was being kept about customers, whether that’s payment information or what kind of prescriptions you have, and how is that information being safeguarded, which then metastasized into, in the modern information economy: How is that information being shared and what are consumers understanding about If my information is being collected at point A, number one, do I even know that? But if it is, who is getting it at point B, C, and D? And I think that it’s just a really interesting way of watching how state AG power has evolved and really has kind of led the legislatures because obviously the Texas legislature implemented the TDPSA, the California legislature has the CCPA, which we’ll talk about in a second. But it’s really like the AGs were the leaders on this issue from the get-go and I think they really do continue to kind of push this in terms of their consumer protection focus.

Hannah Cornett Land (09:14)

Yeah, absolutely. And do you want to get into the Chinese companies first or do want to go ahead and jump into the broader privacy?

Chris Allen (09:24)

Well, we can talk about the Chinese companies in the sense that, you know, there were enforcement letters recently sent by Texas against Alibaba, against CapCut. My children have CapCut. They love CapCut. So obviously it’s out there. Their Dad is already out there in the ether. I’m perhaps a bad father. But again, like in that situation, Texas kind of gets a twofer because those are Chinese companies. Obviously that’s wound up in all of the controversy around TikTok and what kind of information Chinese companies are collecting and who has access to that, which I think, that really is something that’s still kind of a black box, which is why TikTok has had some of the issues that they have. In that case, it’s perhaps even more concerning on the face because it’s arguably a foreign nation state that’s ultimately getting the data. But I think the concern ultimately becomes the same. What does a consumer understand when they’re engaging with anyone? What do they understand about what kind of data is being collected and where is that data going?

Hannah Cornett Land (10:19)

I do feel like a lot of this might be linked to the political clout associated with the TikTok stuff.

Chris Allen (10:23)

Yeah, in Texas, right. Texas is not the only state that’s looking at TikTok, right? I think Montana AG Austin Knudsen is in litigation right now because the Montana legislature actually attempted to ban TikTok in the state. So, you know, there are a lot of issues wrapped up in that. It just goes to show when we’re talking about foreign adversaries, I think there’s a national security interest that comes in there.

But the AGs don’t need that national security hook in order to initiate investigations like this or go after Google. mean, Google is as American as apple pie at this point. And they got rapped, again, I can’t emphasize this enough, $1.375 billion. Because again, they were collecting information about consumers. according to what we publicly know about this, it was because the consumers were not informed that the information was being collected, much less what Google was actually doing with it. And that’s something that really transcends. It’s the action itself. It’s not necessarily even who doing the action. Obviously the AGs are no lovers of Google. They have litigation against them right now in the anti-trust context. But at the same time, this is an area that they are taking particular interest in.

Hannah Cornett Land (11:35)

Yeah, absolutely. that also I think gets into your point earlier of this is at its crux, it does get into stuff that they could get just under their baseline UDAP authority. Like you said, you don’t need to necessarily have a specific privacy law in place. The UDAP is structured so broadly that you can… anything, if there’s any like notice and consent issue, there could be enforcement action.

Chris Allen (11:55)

Sure, yeah, that’s the theme that we’ve talked about again and again is just how creative state AG offices are in using their UDAP authority. You know, it’s been something that’s allowed them to become very flexible as regulators and every time a new technology comes out, I think there’s consumer protection staff who often rightly think about: OK, this is brand new. What do consumers understand about it? How is it going to impact them? Are they really getting all the details as to how this works?

When you come to information sharing, you’re talking about something that’s just incredibly lucrative because behavioral data on what people do, what they want, what kind of websites they visit, what kind of magazines they order, assuming people still order hard copy magazines. All of that are things that not only advertisers, but also whole industries want to understand. And so there’s a lot of value in that data. We’ve talked about the insurance industry, but obviously Google is collecting it for its own purposes. These Chinese companies are collecting it for their purposes.

We could sit here all day and go through just the various different kinds of industries that would find value in understanding their consumers better. That’s what people have been trying to do for as long as people have been trying to sell stuff to other people.

Hannah Cornett Land (13:07)

They can also use that data to train their products. I’m thinking of AI here. I know at the NAAG Consumer Protection Conference, that was a big concern. There was a panel on chatbots specifically, and the concern of, they’re using consumer inputs into this AI to train their model and improve it. How does that play into data security concerns and privacy concerns in general?

I think this is something that is continually evolving with new technologies and companies need to keep an eye out for it. AG certainly are.

Chris Allen (13:39)

Not only are AGs doing that, but they are the leaders here, right? I mean, in the United States, Congress has tried, I’ve lost count of how many times they’ve tried. First, I mean, they couldn’t even get a basic data security notification law passed at the federal level, something that would empower the FTC to do that. So the FTC has kind of played around with this Section 5 power. Again, it’s analog to AG UDAPs trying to say that if data wasn’t properly secured or if consumers didn’t really understand what was being done with their data, that’s misleading or unfair conduct and therefore subject to FTC enforcement. Really, it’s been the AGs that have led all this. I mean, I remember the TJX action, which I think again was Texas leading that, but that was back, that was almost 20 years ago at this point. And that was all done under consumer protection authority. But ever since then, whether it’s a data breach, or now, as we’ve moved into, maybe the data is completely secure, but a customer just doesn’t know what’s being done about it, the AGs have been that leader here. And it’s fascinating to me, I mean, because you can see, you I know that you’ve done a lot of things under the California Consumer Privacy Act. I’ve also done stuff under that. And it’s remarkable to remember that that was created really with California looking to what the Europeans were doing and how the Europeans were using data.

And it’s always an interesting thing when Americans and Europeans look at each other, because we have such fundamentally different approaches to things like free speech, things like privacy. But you can’t help but see the really heavy influence of laws like the European laws on the CCPA, which is certainly the farthest reaching of the law and actually sets up its own independent regulatory regime. But also other laws, laws in Colorado, in Virginia, in Connecticut. We could go down that list of 18 or 20 states and they all now have this concept that it’s not enough to safeguard the data. You have to tell people what you’re collecting, why you’re collecting it, and who you’re sharing [it with]. And it’s been an area in the law, think, that AGs, again, they’ve been pushing even out in front of their legislatures, it just kind of goes to show, to your point, the creativity that AGs have under their existing statutes and how much more power they have when they’re actually empowered by laws like the TDPSA, for example. Again, like, Google discovered those laws have teeth, right? Because it’s not just broad AG enforcement authority, but it’s also the ability to drop the hammer in terms of millions, tens of millions, hundreds of millions, billions.

Hannah Cornett Land (16:00)

Billions, billions now.

Chris Allen (16:05)

This isn’t an area, this isn’t limited to tech companies. It’s not limited to Chinese companies. It’s not limited to insurance companies. It’s everybody, right? So Hannah, when we think about this, like what should people take away from this? What are the key things that they need to be thinking about? You’re sitting in the compliance office or the C-suite. Somebody comes to you and they have this really great idea about how they can buy consumer data from this source or they can analyze that data and figure out a new directed micro-targeted advertising campaign, what kind of thoughts would you tell them in terms of making sure that you at least, that you don’t attract the kind of AG attention that Google unfortunately just experienced.

Hannah Cornett Land (16:42)

Yeah, I think it’s really important for companies to make sure they have their house in order before they, to the extent feasible before they actually get into, anything that is collecting data or sharing data. You really need to be aware of A, what your restrictions are in because, know, as Chris mentioned, we have 20 states now that all have different privacy laws. Yes, while they are similar in lot of respects they also have nuance and variation. So you really need to be aware of those, hire counsel to look into it and maybe develop some privacy principles for you. But I think this is a rapidly evolving area.

Chris Allen (17:21)

You have a lot of people that are very good at data privacy, at data security, but there is an AG angle to this and understanding how consumer protection divisions generally, and now the more specialized units like the ones that you were talking about that states like Texas have set up, approach these kinds of issues. Why do they bring investigations? What are they seeking if they propose settlements?

Obviously a big payday. I keep talking about the paydays. I’m not that obsessed with money, but it’s just like the number just boggles my mind. But AGs are not always just after the money. In fact, I would say they’re rarely just about the money. They want to send a message, sure, sometimes with a big number, but really there’s also things having to do with the conduct provisions and making sure that businesses are acting in the way that AG offices believe they should vis-a-vis consumers.

And so the injunctive provisions and the conduct provisions in an AG-proposed settlement can sometimes be even more important to resolving an issue. so I guess my point is it’s good if you’re facing an investigation or an AG inquiry to make sure that you have somebody who has gone through that before, who understands where the AGs are coming from. And it’s always great to have technical know-how and people that really understand how data security works and the requirements of these specific state statutes, but equally important is being able to engage effectively with the regulators, understand their concerns and figure out an off-ramp if they come to you and say, we think you’re doing something wrong.

Hannah Cornett Land (18:50)

Yeah, and you know, further to that point on the injunctive provisions, these settlements, you know, they could last up [to] 20 years sometimes. And especially in a space like data privacy, what is considered industry best practice today is not going to be the same three years from now. So like when you’re actually looking at the injunctive provisions that AGs propose, you really have to look at it and think about, okay, is this broad enough that I’m still going to be in compliance five years down the line if technology changes and we have to take a different approach here.

Chris Allen (19:23)

I think there’s benefit to be had to remember that AG offices like dialogue. They like understanding things. They recognize that the world is a very fast moving place. And you mentioned AI and obviously AGs are in every single consumer office I’ve talked to, you know, they’re both intrigued and worried about what that’s going to do and just whether the world’s going to move even faster.

But my point is, keeping in mind that you can go to an AG’s office, even if you are not under an investigation, and educate them about something you want to do, and understand from them what they think about that, that may be a good prophylactic strategy to avoid a billion dollar judgment coming down the line.

Hannah Cornett Land (20:07)

Yep, absolutely. Always good to be proactive when you can.

Chris Allen (20:11)

Well, I enjoyed talking about this with you, Hannah. Thank you so much. And again, Google, I guess, drinks are on me next time. No, I’m not offering that.

Hannah Cornett Land (20:19)

Yeah, I was going to say, Google is still closer to being a millionaire than I’ll ever be.

Chris Allen (20:25)

That’s true, we still got the money, man. All right, well, we hope all of y’all have enjoyed this episode. Hopefully you’ve had some takeaways here. Chris Allen, a member of Cozen O’Connor’s State AG Practice. I’ve been joined by Hannah Cornett-Land and I really enjoyed talking about this and we hope you did too and we’ll see you next time.

You have been listening to State AG Pulse brought to you by Cozen O’Connor State AG Group and the State AG Report. Please leave us a five star rating and of course tune in again in two weeks for our next episode. Thank you so much for joining us.