State AG Election Winners

With the majority of votes tallied, the projected state AG election winners include:

Pennsylvania is the only state AG race where the party flipped, with Republicans winning the office. In addition, as not all state AGs are elected by popular vote, two states and two territories may have AG changes that will be determined at a later time. In Maine, the AG is selected by a secret ballot of state legislators for a two-year term. The current attorney general is Aaron Frey, who is in his third term and has served since January 2019. It will be up to the legislature to determine whether Attorney General Frey will be elected for a fourth term or if another will be chosen to begin serving in January 2025. In New Hampshire, the AG is appointed by the governor and approved by the Executive Council. John Formella (R) was nominated by Governor Chris Sununu (R) and is the current attorney general, having served since April of 2021. Kelly Ayotte (R and former attorney general) won the open seat for governor and can ask General Formella to continue to serve or nominate a new attorney general. Finally, in American Samoa and Puerto Rico, the attorney general is appointed by the governor. As there were gubernatorial elections this cycle in both jurisdictions, it could impact whether American Samoa Attorney General Fainu’ulelei Falefatu Ala’ilima-Utu and Puerto Rico Attorney General Domingo Emanuelli Hernández continue in their roles.

AG Alums Elected to Other Office

The National Association of Attorneys General (NAAG), a nonpartisan organization of attorneys general, has teasingly been referred to as the “National Association of Aspiring Governors.” This election cycle gives credence to that tease as three current attorneys general have won gubernatorial elections, in addition to former New Hampshire Attorney General Kelly Ayotte, as mentioned above. These include Josh Stein of North Carolina, Bob Ferguson of Washington, and Patrick Morrisey of West Virginia. In addition, former Kansas Attorney General Derek Schmidt has won election to the U.S. Congress. And while this election was not a success for Vice President Kamala Harris, we would be remiss to not remind readers that prior to serving in her current role, she was the California Attorney General. All of this is to say that it is good for businesses to get to know the AGs -- due to their role in enforcing consumer protection laws and because they may move on to other political careers after serving as a state’s top law enforcement official.

The Texas AG’s settlement, which is in the form of an Assurance of Voluntary Compliance, requires Pieces to make clear and conspicuous disclosures regarding the meaning of its metrics or, in the alternative, third party substantiation by an auditor. Pieces may not misrepresent or make unsubstantiated claims regarding its accuracy, testing, monitoring, metrics, or data training set, otherwise mislead customers regarding its functionality or purpose, and must disclose any financial arrangements with endorsers. Pieces also must provide customers with documentation that clearly and conspicuously discloses:

• “any known or reasonably knowable harmful or potentially harmful uses or misuse of its products or services” including data or models used to train,

• a detailed explanation of the intended purpose of its products or services and any training or documentation needed to facilitate proper use,

• known or reasonably knowable risks or limitations of its products or services such as physical or financial injury as a result of inaccurate outputs,

• any known or reasonably knowable misuses of its products or services that can increase the risk of inaccurate outputs or harm to individuals, and

• all other documentation “reasonably necessary for a user to understand the nature and purpose of an output generated by a product or service, monitor for patterns of inaccuracy, and reasonably avoid misuse...”

The settlement automatically terminates after 5 years. This list of settlement prohibitions provides helpful insight into what state enforcers may believe is required under their UDAP laws for any generative AI company. As a practical note, these settlement prohibitions may also serve as helpful diligence vetting or risk assessment questions for businesses as they evaluate third party provided generative AI tools.

As an overall take-away, it’s worth underscoring Attorney General Paxton’s press statement, which emphasizes the importance of transparency, particularly when “used in high-risk settings” and asks “[h]ospitals and healthcare entities” to “consider whether AI products are appropriate and train their employees accordingly.” We anticipate this will not be the last enforcement on this topic to make headlines over the near term. State AGs (and other government enforcers) are taking to heart a risk-based approach to AI enforcement, even without a specific enforcement regime. On a closing note, we also point out Colorado AG Weiser’s recent remarks on how the state enforcement community might find a balanced approach to regulating and enforcing in the AI space. More to come. Stay tuned.

Although Shkreli’s prison sentence began in 2017, the court said he continued to exert his influence over the company, which in December agreed to pay $40 million for its part. The former CEO is now banned from the pharmaceutical industry for life. While a lifetime ban may seem like an extreme remedy, be mindful that State AGs don’t reserve this punishment for those in prison, and have imposed industry bans in other actions and industries. Shkreli has also been ordered to pay disgorgement to the states in $64.6 million. As part of his criminal judgment, he had already lost several assets including his prized Wu-Tang Clan album, a source inspiration for General James’ words of condemnation in her victory press release. Another executive Kevin Mulleady also settled, paying $10 million.

State AGs have been extremely active in the pharmaceutical antitrust space in recent years, including when it comes to generic drug pricing. Specifically, State AGs have alleged that generic drug manufacturers of topical products conspired to inflate prices and reduce competition. Most of the State AGs have been investigating the practice since 2016, with defendants now numbering in the dozens in their 3^rd Amended Complaint. The states are caught up in an MDL, but their bellwether trial on dermatology treatments will be the first up.

Shkreli’s lifetime ban may not even be the biggest antitrust news out of federal court for the State AGs the past week, as 48 states appealed the dismissal in their Facebook case the same day. Like the FTC, state AGs have challenged Facebook’s acquisition of companies such as WhatsApp and Instagram as anticompetitive and creating a monopoly. Unlike the FTC however, the state AG claims were dismissed with prejudice as time-barred, which led to last week’s appeal. And in other major state antitrust news, the Texas-led multistate coalition suing Google for ad tech manipulation and deception had its complaint largely unredacted, making public new details of the States’ allegations. Expect States to continue to use their antitrust tools in the pharma and big tech space as these remain top priorities for 2022, and join the Kelley Drye State Attorneys General team on January 27 at 1:00 ET to learn more about what to expect from State AGs in the coming year.

State Attorney General Consumer Protection Priorities for 2022 Thursday January 27 at 1:00pm ET

Consumer protection enforcement efforts are expected to increase dramatically this year. Recent pronouncements from State Attorneys General around the country bring privacy, big tech and the misuse of algorithms, and basic advertising related frauds into particular scrutiny.

Please join Kelley Drye State Attorneys General practice Co-Chair Paul Singer, Advertising and Marketing Partner Gonzalo Mon, Privacy Partner Laura VanDruff, and Senior Associate Beth Chun for discussion and practical information on these and other state consumer protection, advertising, and privacy enforcement trends.

Register Here

Note: Our team will discuss these issues, along with practical suggestions for how companies can tackle privacy challenges, in a January 26 webinar at 4 pm ET. Please tune in! You can register here.

• State privacy developments will continue to drive much of the U.S. privacy debate.
  • California and Colorado will launch rulemakings to implement their laws, setting an example for other jurisdictions and prompting industry changes even beyond their borders. Meanwhile, companies will be gearing up for the effective dates of all three state laws (January 1, 2023 for California and Virginia, and July 1, 2023 for Colorado).
  • With multiple bills already pending in other states, we may see additional state laws by year’s end. Draft bills introduced thus far suggest a range of approaches that vary from existing laws, suggesting compliance may become even more complex in the coming year.
  • Even states without comprehensive privacy laws will seek to use their “unfair and deceptive” trade practice authority in increasingly creative ways to address privacy. A recent example is Arizona’s effort to challenge Google’s collection and use of location data.
• The FTC will pursue an aggressive privacy agenda, pushing the boundaries of its legal authority and seeking to move the goalposts governing data collection, use, and sharing.
  • It will launch a broad “surveillance” rulemaking under its Magnuson-Moss procedures, seeking strict limits on personalized advertising, lax security practices, and algorithmic discrimination. (As we discuss here, though, the rule will likely take years to complete.)
  • It will increase enforcement of sectoral privacy laws and rules (e.g., FCRA, COPPA, GLB Privacy, Red Flags), so it can get monetary relief, post AMG. It also will try to obtain settlements for alleged violations of the Health Breach Notification Rule – which it “clarified” in a 2021 policy statement covers virtually all health apps.
  • It will focus on tech platforms and other large companies, through both aggressive enforcement and high-profile studies, such as its upcoming report on social media companies.
  • In all of its privacy cases, the FTC will seek stringent remedies, including data deletion, bans on conduct, notices to consumers, stricter consent requirements, individual liability, and significant monetary relief based on a range of creative theories. (See our scorecard on the FTC’s use of such theories here.)
• Other federal agencies will flex their muscles on privacy and data security, scrutinizing and regulating companies within their areas of jurisdiction.
  • For example, the CFPB recently ordered the tech giants to turn over information regarding the data practices of payments systems they operate. The FCC just moved to update breach reporting requirements under the CPNI rules. And the SEC just fined eight broker-dealers and investment companies for their “deficient cybersecurity procedures.”
  • Expect these types of actions to accelerate in the coming year, as privacy continues its ascent as a top regulatory, consumer protection, and risk management issue.

• Developments in and around the tech platforms will continue to have ripple effects across the entire marketplace.
  • The tech platforms (yeah, them again) will continue to tighten their rules governing data sharing, third-party cookies, use of identifiers, and access to their platforms, forcing other companies to develop new ways to market their brands.
  • “Big tech” antitrust challenges will advance through legislatures and the courts, requiring policymakers and enforcers to finally confront the tension between competition interests (which seek to expand access to data) and privacy interests (which seek to limit access).
• Cross border data transfers will become ever more difficult, as Privacy Shield remains unresolved and the EU accelerates GDPR enforcement.
  • For example, Austria’s DPA recently held that Google Analytics violated the GDPR when it transferred to the U.S. EU citizens’ IP address and identifiers in cookie data, notwithstanding Google’s claim that it had protective measures in place.
  • Further, the record fines being obtained for GDPR violations (a reported seven-fold spike in 2021) will increase the peril for multinational companies that transfer data as part of their operations.
• The plaintiff’s bar will continue to test the limits of addressing privacy in private litigation, despite some setbacks in 2021.
  • The setbacks include the high bar set by the Supreme Court regarding the proof of harm necessary to confer standing in privacy cases. In addition, neither Virginia nor Colorado included a private right of action in their comprehensive privacy laws.
  • However, the California law includes a private right of action for data breaches, and pending legislative proposals in other states include private rights of action for privacy, security, or both. Plaintiffs also are employing other statutory frameworks to address privacy, such as the contract laws cited in the recent class action against Zoom, and the call recording laws cited in session-replay lawsuits.

• Congress will continue to debate whether to pass a federal privacy law.
  • Yes, it’s safe to assume that the never-ending debate will continue! The harder question is whether Congress will finally pass anything.
  • It’s possible. Businesses have never wanted a federal privacy law more – to deal with the specter of more state privacy laws, “overreach” by the FTC, the EU’s heightened enforcement efforts, and the overall confusion created by fragmented privacy regimes (i.e., all of the issues discussed above).
  • The more likely scenario, however, is that Congress will pass something narrower, like a bill to amend COPPA or provide new privacy protections for teens, which could be an area of consensus among Democrats and Republicans. (Another possibility, just proposed by some Democrats, is legislation to ban “surveillance advertising,” similar to the rule that the FTC is planning. However, that would likely be a much more divisive issue in Congress.)