Study Guide: Certified Information Privacy Professional (CIPP): US - State Attorneys General and Privacy Enforcement
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-us-state-attorneys-general-and-privacy-enforcement


By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


CIPP/US – State Attorneys General and Privacy Enforcement


What This Is

State Attorneys General (AGs) are the chief legal officers of their states and, in most states that have a comprehensive privacy statute, the primary (often the exclusive) enforcers of it. The Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA) and Utah Consumer Privacy Act (UCPA) are enforced by the state AG (in Colorado, district attorneys may also enforce), and the California Consumer Privacy Act (CCPA, as amended by the CPRA) is enforced by the AG together with the California Privacy Protection Agency (CPPA). When an AG believes a company has violated a privacy law, the office can open an investigation, issue civil investigative demands or subpoenas, seek civil penalties and injunctive relief in court, and resolve the matter through a settlement or consent judgment. Illustrative (hypothetical) example: a national e-commerce retailer sells customers' email addresses to third-party marketers without providing the required opt-out mechanism. The California AG files a complaint, the matter settles for a $5 million civil penalty, and the consent judgment requires the company to implement a compliance program and report on it.


Key Terms & Provisions

  • Attorney General (AG): The chief legal officer of a U.S. state (or the District of Columbia), elected in most states and appointed in a few. AGs can open investigations, issue civil investigative demands or subpoenas, bring civil actions, and negotiate settlements and consent judgments under state privacy and consumer-protection statutes.
  • State-Level Privacy Statute: A law enacted by a state legislature that creates consumer rights (access, deletion, correction, opt-out of sale, targeted advertising and profiling) and imposes duties on "controllers" and "processors" (in California, "businesses" and "service providers"). Examples: CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), UCPA (Utah).
  • Consumer Right to Access: The right of a state resident to obtain the personal data a business holds about them. Both the CCPA and the VCDPA require a response within 45 days, extendable once by a further 45 days where reasonably necessary.
  • Consumer Right to Delete: The right to request that a business delete personal data, subject to statutory exceptions (e.g., completing a transaction, detecting security incidents or fraud, complying with a legal obligation).
  • Opt-Out of Sale/Sharing: A statutory mandate that businesses provide a clear mechanism for consumers to opt out of the sale of personal data (and, under the CPRA, of "sharing" for cross-context behavioral advertising, via a "Do Not Sell or Share My Personal Information" link). Failing to provide or honor the opt-out is a common trigger for AG enforcement.
  • Reasonable Security Standard: The duty to implement reasonable administrative, technical and physical safeguards appropriate to the volume and nature of the data. The statutes generally do not define "reasonable"; enforcers and some state safe-harbor laws look to recognized frameworks such as the NIST Cybersecurity Framework or ISO/IEC 27001.
  • Civil Penalty Schedule: The per-violation amount set by each statute. CCPA: up to $2,500 per violation and up to $7,500 per intentional violation (or violation involving the personal information of a consumer the business knows is under 16). VCDPA: up to $7,500 per violation.
  • Attorney General Enforcement Action: A formal civil complaint filed by an AG, usually preceded by an investigation and, where the statute provides one, a written notice of violation and cure period. Remedies include civil penalties and injunctive relief.
  • Multistate (Joint) AG Litigation: Two or more state AGs coordinating a single investigation or lawsuit, common in large data-breach cases. A small executive committee of "lead" states typically negotiates on behalf of all participating states.
  • Data Breach Notification Obligation: All 50 states require notice to affected residents after a breach of personal information; many also require notice to the AG, usually once a threshold number of residents is affected (e.g., more than 500 in California and Colorado). Deadlines vary: Colorado requires notice within 30 days of determining that a breach occurred; California requires it "in the most expedient time possible and without unreasonable delay."
  • Exemptions & Thresholds: Statutes apply only above certain thresholds and carve out certain entities or data. The CCPA covers a for-profit business that meets any one of three tests: annual gross revenue above $25 million (as adjusted for inflation); buying, selling or sharing the personal information of 100,000 or more consumers or households; or deriving 50% or more of annual revenue from selling or sharing personal information. HIPAA carve-outs are sometimes entity-level (the VCDPA exempts covered entities and business associates) and sometimes data-level (the CCPA exempts protected health information but not the entity's other data).
  • Notice and Cure Period: Several statutes require the AG to give written notice of a violation and allow a fixed window to cure it before filing suit (30 days under the VCDPA and UCPA). The CCPA's 30-day cure right was removed by the CPRA effective January 1, 2023, and the CPA's 60-day cure period expired on January 1, 2025.

Step-by-Step Process Flow (When an AG Investigation Starts)

  1. Receive the AG Notice – Log receipt of the complaint, civil investigative demand, subpoena or notice of violation in your incident-response system, and calendar any statutory cure deadline.
  2. Assemble the Cross-Functional Team – Include privacy counsel, compliance, IT, security and senior leadership; designate a single AG liaison to handle all communications with the AG's office.
  3. Preserve Evidence – Issue a legal hold on relevant data, logs and communications; suspend any ongoing data sales or transfers that are at issue.
  4. Conduct a Rapid Gap Assessment – Map the alleged violation to the specific statutory provision (e.g., failure to provide a "Do Not Sell or Share" link) and identify the missing controls.
  5. Prepare a Response Package – Draft a written response that (a) acknowledges receipt, (b) describes the remedial steps taken, (c) provides the requested records (e.g., consumer-request logs and response times), and (d) sets out a compliance roadmap.
  6. Negotiate Settlement or Remedy – Work with the AG's office on any civil penalties, consent-judgment terms or required assessments; document the final agreement and update internal policies accordingly.

Common Mistakes

  • Mistake: Assuming only the "home" state AG can enforce a privacy law.
    Correction: Each state's statute applies to businesses that do business in that state or target its residents, so any state's AG can enforce its own law against an out-of-state company that handles its residents' data.

  • Mistake: Treating "opt-out" as a one-time checkbox.
    Correction: The opt-out mechanism must be continuously available and prominently displayed, and an opt-out must be honored going forward. Under the CCPA a business must also honor opt-out preference signals such as Global Privacy Control and must wait at least 12 months before asking a consumer who opted out to re-authorize a sale.

  • Mistake: Believing that HIPAA coverage automatically shields a health-tech startup from state privacy laws.
    Correction: HIPAA preempts only state laws that are contrary to it and less protective; more stringent state laws survive. Whether a state privacy statute applies depends on that statute's own carve-out, which may exempt the covered entity (VCDPA) or only the protected health information it holds (CCPA), leaving non-PHI data such as website analytics fully covered.

  • Mistake: Ignoring a notice of violation because the cure period "sounds informal."
    Correction: The notice starts a statutory clock (30 days under the VCDPA and UCPA). Cure the violation within the window, document every remedial action (policy updates, code changes, employee training) and confirm the cure to the AG in writing; a documented cure can end the matter before a complaint is filed.

  • Mistake: Waiting for the AG to issue a formal subpoena before beginning internal investigations.
    Correction: Start a forensic review as soon as any AG notice arrives; early cooperation and prompt remediation are factors AGs weigh when deciding on penalties.


CIPP Exam Insights

  1. "Who can bring a claim?" – The exam likes to ask whether a state AG, a federal regulator (the FTC, not the U.S. Attorney General), or a private consumer can enforce a provision. Remember: the comprehensive state statutes empower the state AG (in California, also the CPPA) to seek civil penalties and generally give individuals no private right of action. The notable exception is the CCPA's private right of action for data breaches caused by a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident.

  2. Statutory Thresholds vs. Federal Preemption – Expect a question contrasting the CCPA's applicability thresholds (e.g., the $25 million revenue test) with the HIPAA carve-out. The key: HIPAA preempts only contrary, less protective state law; a state privacy statute's HIPAA exemption is a legislative carve-out written into that statute, not a result of federal preemption.

  3. Penalty Calculation – You may be asked to compute the maximum civil penalty for a given number of violations (e.g., 10 intentional CCPA violations x $7,500 = $75,000). Memorize the per-violation amounts, and watch how the question counts violations (per consumer affected versus per incident).

  4. Multistate AG Litigation – The exam may present a scenario where several AGs sue a data broker. The correct answer will note that the lead states negotiate and file on behalf of the group, but each participating AG retains enforcement authority under its own state's law.


Quick Check Questions

  1. Question: A Virginia resident discovers that a retailer sold their browsing data to a third-party advertiser without offering any way to opt out of the sale. The Virginia AG issues a written notice of violation. Can the retailer defeat the action by showing that it maintains a strong security program?
    Answer: No. Reasonable security is a separate duty under the VCDPA and does not excuse the failure to provide an opt-out mechanism. The retailer's real opportunity is the VCDPA's 30-day cure period: if it cures the violation and gives the AG an express written statement that it has done so within 30 days of the notice, the AG may not proceed on that violation.

  2. Question: A California-based SaaS company processes the personal information of fewer than 100,000 consumers, has annual revenue of $22 million, and earns that revenue from subscriptions rather than from selling data. The California AG alleges a violation of the CCPA's right-to-delete provision. Is the company subject to the CCPA?
    Answer: Probably not. The CCPA applies to a business that meets any one of three tests: revenue above $25 million (as adjusted for inflation), 100,000 or more consumers or households whose personal information it buys, sells or shares, or 50% or more of revenue from selling or sharing personal information. This company meets none of them, so it is not a "business" under the CCPA unless one of those facts changes.

  3. Question: After a data breach affecting more than 500 Colorado residents, a Colorado company notifies the affected residents within 45 days but does not notify the Colorado AG until day 60. What is the likely enforcement outcome?
    Answer: Both notices are late. Colorado requires notice to affected residents within 30 days of determining that a breach occurred, and notice to the AG within the same 30 days when 500 or more Colorado residents are affected. The AG can seek civil penalties and injunctive relief for the late notifications.


Last-Minute Cram Sheet (10 One-Liners)

  1. CCPA Opt-Out Link – A "Do Not Sell or Share My Personal Information" link must appear on the homepage and wherever personal information is collected online; a mention buried in the privacy policy does not satisfy the requirement.
  2. VCDPA Penalty – Up to $7,500 per violation, with no separate negligent/intentional tiers; the AG must first give written notice and a 30-day cure period.
  3. Colorado CPA – Applies to a controller that, in a calendar year, controls or processes personal data of 100,000 or more Colorado consumers, or derives revenue (or a discount) from selling personal data and processes data of 25,000 or more consumers; there is no revenue threshold.
  4. Utah UCPA – Applies to controllers with $25 million or more in annual revenue that also meet a consumer-count test (100,000 consumers, or 25,000 consumers plus more than 50% of gross revenue from selling personal data); requires "reasonable" administrative, technical and physical security practices without naming a specific standard.
  5. Multistate AG Litigation – Lead states negotiate and file; other AGs join the coordinated action without filing separate suits.
  6. HIPAA Preemption – Preempts only contrary, less protective state law; more protective state statutes survive, and each privacy statute's HIPAA carve-out is a separate legislative exemption.
  7. Consumer Right to Delete – Common exceptions include (a) compliance with a legal obligation, (b) detection of security incidents or fraud, (c) completion of the transaction the data was collected for, (d) certain research in the public interest.
  8. Breach Notification Deadlines – Vary by state: some set a fixed deadline (Colorado: 30 days from determination), others require notice "without unreasonable delay" (California); AG notice is usually triggered by a resident-count threshold (500 in California and Colorado). Late or missing notice is enforceable under the state's consumer-protection act.
  9. Cure Period – Runs from the AG's written notice (30 days under the VCDPA and UCPA); document the cure and confirm it in writing, since verbal assurances are insufficient.
  10. Applicability Thresholds – Read the connector: the CCPA applies if any one of its tests is met (revenue, consumer count, or share of revenue from sales); the UCPA requires the revenue test and a consumer-count test; the VCDPA and CPA use consumer-count tests only.

Use this guide to focus your study sessions, practice the scenario-based questions, and keep the key statutory numbers at your fingertips before exam day.