The Privacy Policymaking of State Attorneys General
Danielle Keats Citron*
Accounts of privacy law have focused on legislation, federal agencies, and the self-regulation of privacy professionals. Crucial agents of regulatory change, however, have been overlooked: the state attorneys general (AGs). This Article is the first in-depth study of the privacy norm entrepreneurship of state attorneys general. Because so little has been written about this phenomenon, I engaged with primary sources by examining documentary evidence received through Freedom of Information Act (FOIA) requests submitted to attorney general offices around the country and interviewing state attorneys general and current and former career staff.
Much as Justice Louis Brandeis imagined states as laboratories of the law, offices of state attorneys general have been laboratories of privacy enforcement. State attorneys general have been nimble privacy enforcers whereas federal agencies have been more constrained by politics. Local knowledge, specialization, multistate coordination, and broad legal authority have allowed AG offices to fill in gaps in the law. State attorneys general have established baseline fair-information protections and expanded the frontiers of privacy law to cover sexual intimacy and youth. Their efforts have reinforced and strengthened federal norms, further harmonizing certain aspects of privacy and data security policy.
Although certain systemic practices enhance AG privacy policymaking, others blunt its impact, including an overreliance on weak informal agreements and a reluctance to issue closing letters identifying data practices that comply with the law. This Article offers ways state attorneys general can function more effectively through informal and formal proceedings. It addresses concerns about the potential pile-up of enforcement activity, federal preemption, capture, and the dormant Commerce Clause. It urges state enforcers to act more boldly in the face of certain shadowy data practices.
Continue reading in the print edition . . .
© 2016 Danielle Keats Citron. Individuals and nonprofit institutions may reproduce and distribute copies of this Article in any format at or below cost, for educational purposes, so long as each copy identifies the author, provides a citation to the Notre Dame Law Review and includes this provision in the copyright notice.
*Morton & Sophia Macht Professor of Law, University of Maryland Carey School of Law; Affiliate Scholar, Stanford Center on Internet & Society; Affiliate Fellow, Yale Information Society Project; Senior Fellow, Future of Privacy Forum. This Article received the International Association of Privacy Professionals Best Paper award at the 2016 Privacy Law Scholars Conference. I owe special thanks to Chris Hoofnagle, Neil Richards, and Daniel Solove for commenting on several drafts and to Chris Wolf for his wisdom. This Article benefited from the insights of California Attorney General (AG) Kamala Harris, former Maryland AG Douglas Gansler, Connecticut AG George Jepsen, Illinois AG Lisa Madigan, and Indiana AG Greg Zoeller; current and former AG staff Nathan Blake, Sara Cable, Linda Conti, Justin Erlich, Matt Fitzsimmons, Deborah Hagan, Susan Henrichsen, Erik Jones, Ryan Kriger, Taren Langford, Travis LeBlanc, Michele Lucan, Kathleen McGee, Joanne McNabb, Steve Ruckman, Paula Selis, Melissa Szozda Smith, Matt Van Hise, and Christian Wright; privacy practitioners Julie Brill, Tanya Forsheit, Jim Halpert, Erik Jones, Michelle Kisloff, Jeff Rabkin, Divonne Smoyer, and Kurt Wimmer; colleagues Jessica Bulman-Pozen, Ryan Calo, Julie Cohen, Neal Devins, Andrew Ferguson, Susan Freiwald, Don Gifford, Mike Greenfield, James Grimmelmann, Woodrow Hartzog, Hosea Harvey, Leslie Meltzer Henry, David Hoffman, Margot Kaminski, Orin Kerr, Pauline Kim, Lee Kovarsky, David Law, Tom Lin, Kevin Linskey, William McGeveran, Deirdre Mulligan, Frank Pasquale, Priscilla Regan, Gilad Rosner, Paul Schwartz, Cathy Sharkey, Nancy Staudt, David Super, Peter Swire, Omer Tene, and Felix Wu; privacy advocates Dissent Doe, Claire Gartland, Bob Gellman, Caitriona Fitzgerald, Beth Givens, Jules Polonetsky, Marc Rotenberg, and Jeramie Scott; participants in the Future of Privacy Forum Roundtable, Cardozo Law School’s Data Security Conference, DePaul Law School’s Clifford Symposium on Data Breaches and 
Corporate Responsibility, 2016 Privacy Law Scholars Conference, Electronic Privacy Information Center’s Big Ideas session, Washington University School of Law’s faculty workshop, Temple University School of Law’s faculty workshop, and the 2016 Privacy and Security Forum. The Future of Privacy Forum kindly gave me a home during my 2015–2016 sabbatical. Camilla Tubbs, Jenny Rensler, Frank Lancaster, Kristen Bertch, Hector DeJesus, Dan Kaprow, Cassie Mejias, David Maher, and Alex Stern provided indispensable research assistance. Susan McCarty, as always, lent her keen editing eye and citation expertise. Dean Donald Tobin, Associate Dean Max Stearns, and Associate Dean Barbara Gontrum supported this project. I am ever grateful to Audrey Beck, Jeffrey Schmidt, and the editorial staff of the Notre Dame Law Review.