The fact that many states are considering or have passed comprehensive privacy laws in recent years is no longer novel. What may not be as readily apparent is that regulators are finding new ways to enforce state "privacy" rights even in states that do NOT have a privacy law on the books. In this way, they are taking a page from the Federal Trade Commission, which has for years used consumer protection rules to go after data breach issues -- despite the absence of a federal privacy law.
In other words, even in states that do not explicitly protect personal data under a privacy law, the regulators are using consumer protection and fair trade rules as a proxy mechanism. Google is forging this path currently in a high profile way. It is fighting regulators in Washington state and elsewhere for continuing to collect location data after consumers turn off "location history." Regulators say Google knew the consumers did not want their location tracked and that Google's continuing collection of location data is a consumer protection/fair trade violation. Indiana and Texas, plus the District of Columbia, have similar actions pending against Google. Texas has added a cause to its case, as well, based on the fact that "Incognito Mode" does not turn off all tracking/data collection.
Why It Matters
It is extremely common for websites, apps, and tools to use location data for various purposes -- not all are nefarious or even directly related to revenue. However, consumers may not understand which settings in a particular app or site will effectively cancel out such tracking. It is becoming clear that state attorneys general think this is an unfair and deceptive trade practice and that they do not need to wait for their state legislators to pass a privacy law in order to do something about it.
This also signals a broader understanding of and appreciation for privacy at the state level that suggests that the country might not even wait for legislatures to catch up to the issue. If the FTC can punish companies that suffer a data breach, and state AGs can punish companies whose settings and privacy disclosures may be confusing, privacy law may move in a much broader direction than it has so far under the country's few privacy statutes. This may make compliance even more confusing. We strongly suggest that privacy policies be clear and accurate, and that they be updated regularly to reflect new business practices.