The Privacy Policymaking of State Attorneys General

71 Pages. Posted: 17 Feb 2016. Last revised: 1 Mar 2017

Date Written: February 16, 2016


Accounts of privacy law have focused on legislation, federal agencies, and the self-regulation of privacy professionals. Crucial agents of regulatory change, however, have been ignored: the state attorneys general. This article is the first in-depth study of the privacy norm entrepreneurship of state attorneys general. Because so little has been written about this phenomenon, I engaged with primary sources — first interviewing state attorneys general and current and former career staff, and then examining documentary evidence received through FOIA requests submitted to AG offices around the country.

Much as Justice Louis Brandeis imagined states as laboratories of the law, offices of state attorneys general have been laboratories of privacy enforcement. State attorneys general have been nimble privacy enforcement pioneers where federal agencies have been more conservative or constrained by politics. Their local knowledge, specialization, multi-state coordination, and broad legal authority have allowed them to experiment in ways that federal agencies cannot. These characteristics have enabled them to establish baseline fair information protections; expand the frontiers of privacy law to cover sexual intimacy and youth; and pursue enforcement actions that have harmonized privacy policy.

Although certain systemic practices enhance AG privacy policymaking, others blunt its impact, including an overreliance on informal agreements that lack law’s influence and a reluctance to issue closing letters identifying data practices that comply with the law. This article offers ways state attorneys general can function more effectively through informal and formal proceedings. It addresses concerns about the potential pile-up of enforcement activity, federal preemption, and the dormant Commerce Clause. It urges state enforcers to act more boldly in the face of certain shadowy data practices.

Keywords: privacy, bankruptcy, transparency, data breach, consumer protection, financial privacy, data security, UDAP

Suggested Citation

Citron, Danielle Keats, The Privacy Policymaking of State Attorneys General (February 16, 2016). 92 Notre Dame Law Review 747 (2016), U of Maryland Legal Studies Research Paper No. 2016-08, Available at SSRN:

Danielle Keats Citron (Contact Author)

University of Virginia School of Law

580 Massie Road
Charlottesville, VA 22903
United States
