Although Shkreli’s prison sentence began in 2017, the court said he continued to exert his influence over the company, which in December agreed to pay $40 million for its part. The former CEO is now banned from the pharmaceutical industry for life. While a lifetime ban may seem like an extreme remedy, be mindful that State AGs don’t reserve this punishment for those in prison, and have imposed industry bans in other actions and industries. Shkreli has also been ordered to pay disgorgement to the states in $64.6 million. As part of his criminal judgment, he had already lost several assets including his prized Wu-Tang Clan album, a source inspiration for General James’ words of condemnation in her victory press release. Another executive Kevin Mulleady also settled, paying $10 million.

State AGs have been extremely active in the pharmaceutical antitrust space in recent years, including when it comes to generic drug pricing. Specifically, State AGs have alleged that generic drug manufacturers of topical products conspired to inflate prices and reduce competition. Most of the State AGs have been investigating the practice since 2016, with defendants now numbering in the dozens in their 3^rd Amended Complaint. The states are caught up in an MDL, but their bellwether trial on dermatology treatments will be the first up.

Shkreli’s lifetime ban may not even be the biggest antitrust news out of federal court for the State AGs the past week, as 48 states appealed the dismissal in their Facebook case the same day. Like the FTC, state AGs have challenged Facebook’s acquisition of companies such as WhatsApp and Instagram as anticompetitive and creating a monopoly. Unlike the FTC however, the state AG claims were dismissed with prejudice as time-barred, which led to last week’s appeal. And in other major state antitrust news, the Texas-led multistate coalition suing Google for ad tech manipulation and deception had its complaint largely unredacted, making public new details of the States’ allegations. Expect States to continue to use their antitrust tools in the pharma and big tech space as these remain top priorities for 2022, and join the Kelley Drye State Attorneys General team on January 27 at 1:00 ET to learn more about what to expect from State AGs in the coming year.

State Attorney General Consumer Protection Priorities for 2022 Thursday January 27 at 1:00pm ET

Consumer protection enforcement efforts are expected to increase dramatically this year. Recent pronouncements from State Attorneys General around the country bring privacy, big tech and the misuse of algorithms, and basic advertising related frauds into particular scrutiny.

Please join Kelley Drye State Attorneys General practice Co-Chair Paul Singer, Advertising and Marketing Partner Gonzalo Mon, Privacy Partner Laura VanDruff, and Senior Associate Beth Chun for discussion and practical information on these and other state consumer protection, advertising, and privacy enforcement trends.

Register Here

Note: Our team will discuss these issues, along with practical suggestions for how companies can tackle privacy challenges, in a January 26 webinar at 4 pm ET. Please tune in! You can register here.

• State privacy developments will continue to drive much of the U.S. privacy debate.
  • California and Colorado will launch rulemakings to implement their laws, setting an example for other jurisdictions and prompting industry changes even beyond their borders. Meanwhile, companies will be gearing up for the effective dates of all three state laws (January 1, 2023 for California and Virginia, and July 1, 2023 for Colorado).
  • With multiple bills already pending in other states, we may see additional state laws by year’s end. Draft bills introduced thus far suggest a range of approaches that vary from existing laws, suggesting compliance may become even more complex in the coming year.
  • Even states without comprehensive privacy laws will seek to use their “unfair and deceptive” trade practice authority in increasingly creative ways to address privacy. A recent example is Arizona’s effort to challenge Google’s collection and use of location data.
• The FTC will pursue an aggressive privacy agenda, pushing the boundaries of its legal authority and seeking to move the goalposts governing data collection, use, and sharing.
  • It will launch a broad “surveillance” rulemaking under its Magnuson-Moss procedures, seeking strict limits on personalized advertising, lax security practices, and algorithmic discrimination. (As we discuss here, though, the rule will likely take years to complete.)
  • It will increase enforcement of sectoral privacy laws and rules (e.g., FCRA, COPPA, GLB Privacy, Red Flags), so it can get monetary relief, post AMG. It also will try to obtain settlements for alleged violations of the Health Breach Notification Rule – which it “clarified” in a 2021 policy statement covers virtually all health apps.
  • It will focus on tech platforms and other large companies, through both aggressive enforcement and high-profile studies, such as its upcoming report on social media companies.
  • In all of its privacy cases, the FTC will seek stringent remedies, including data deletion, bans on conduct, notices to consumers, stricter consent requirements, individual liability, and significant monetary relief based on a range of creative theories. (See our scorecard on the FTC’s use of such theories here.)
• Other federal agencies will flex their muscles on privacy and data security, scrutinizing and regulating companies within their areas of jurisdiction.
  • For example, the CFPB recently ordered the tech giants to turn over information regarding the data practices of payments systems they operate. The FCC just moved to update breach reporting requirements under the CPNI rules. And the SEC just fined eight broker-dealers and investment companies for their “deficient cybersecurity procedures.”
  • Expect these types of actions to accelerate in the coming year, as privacy continues its ascent as a top regulatory, consumer protection, and risk management issue.

• Developments in and around the tech platforms will continue to have ripple effects across the entire marketplace.
  • The tech platforms (yeah, them again) will continue to tighten their rules governing data sharing, third-party cookies, use of identifiers, and access to their platforms, forcing other companies to develop new ways to market their brands.
  • “Big tech” antitrust challenges will advance through legislatures and the courts, requiring policymakers and enforcers to finally confront the tension between competition interests (which seek to expand access to data) and privacy interests (which seek to limit access).
• Cross border data transfers will become ever more difficult, as Privacy Shield remains unresolved and the EU accelerates GDPR enforcement.
  • For example, Austria’s DPA recently held that Google Analytics violated the GDPR when it transferred to the U.S. EU citizens’ IP address and identifiers in cookie data, notwithstanding Google’s claim that it had protective measures in place.
  • Further, the record fines being obtained for GDPR violations (a reported seven-fold spike in 2021) will increase the peril for multinational companies that transfer data as part of their operations.
• The plaintiff’s bar will continue to test the limits of addressing privacy in private litigation, despite some setbacks in 2021.
  • The setbacks include the high bar set by the Supreme Court regarding the proof of harm necessary to confer standing in privacy cases. In addition, neither Virginia nor Colorado included a private right of action in their comprehensive privacy laws.
  • However, the California law includes a private right of action for data breaches, and pending legislative proposals in other states include private rights of action for privacy, security, or both. Plaintiffs also are employing other statutory frameworks to address privacy, such as the contract laws cited in the recent class action against Zoom, and the call recording laws cited in session-replay lawsuits.

• Congress will continue to debate whether to pass a federal privacy law.
  • Yes, it’s safe to assume that the never-ending debate will continue! The harder question is whether Congress will finally pass anything.
  • It’s possible. Businesses have never wanted a federal privacy law more – to deal with the specter of more state privacy laws, “overreach” by the FTC, the EU’s heightened enforcement efforts, and the overall confusion created by fragmented privacy regimes (i.e., all of the issues discussed above).
  • The more likely scenario, however, is that Congress will pass something narrower, like a bill to amend COPPA or provide new privacy protections for teens, which could be an area of consensus among Democrats and Republicans. (Another possibility, just proposed by some Democrats, is legislation to ban “surveillance advertising,” similar to the rule that the FTC is planning. However, that would likely be a much more divisive issue in Congress.)