Chapter 5: Federal and State Regulators and Enforcement of Privacy Law

State Attorneys General and UDAP Statutes

State AGs are the primary privacy enforcers in most states and may join federal actions under HIPAA, GLBA, and CAN-SPAM. All 50 states have UDAP statutes similar to Section 5; the FTC Act does not preempt them unless they conflict.

In all 50 states, state attorneys general are constitutional officers, popularly elected in nearly all states, and among the most powerful state officials. They have traditionally enforced state privacy protections - sometimes with sole authority, sometimes sharing it or alongside a private right of action. Certain federal statutes let state AGs bring actions with the federal agency: HIPAA, GLBA, and CAN-SPAM.

UDAP and preemption

All 50 states have UDAP statutes roughly similar to Section 5 of the FTC Act. The FTC Act does NOT preempt state unfair/deceptive trade-practice laws so long as they do not conflict. Some statutes also reach unconscionable practices, and several allow private rights of action. UDAP laws are enforced by state AGs.

Key terms - quick answers

What is “State attorneys general”?

Elected constitutional officers who are the primary enforcers of state-level privacy protections and may join certain federal enforcement actions.

What is “Unconscionable practices”?

A contract-law concept for harsh seller practices that some state UDAP statutes also reach.

← The Future of FTC Enforcement State Comprehensive Laws and Federal Sectoral Exemptions →