Risk and compliance teams are familiar with potential enforcement from federal regulators. But action from state attorneys general (acting alone or in coalition) can take the unsuspecting business completely by surprise. And in recent years, those actions have grown more frequent, and the penalties more severe.
State attorneys general (state AGs) have broad authority to influence a company’s operations as they operate under an undefined statutory mandate to stop “unfair or deceptive practices.” In recent years, state AGs have utilized the breadth of this authority to address perceived consumer harms on the national level against a variety of industries—many of which were focused on federal regulation, but unconcerned about regulators at the state level. Now, companies in highly regulated industries with frequent or high-impact consumer interactions must evaluate the role that state AGs play and their potential business impact.
Predicting areas of enforcement ripe for state AGs remains difficult because each of the 56 state and territory attorneys general has different policy priorities. Companies should be wary, as handling even a single AG investigation is costly and requires substantial time, energy and legal resources. Multistate investigations only make matters more complex and challenging.
Any such strategy must include implementing a comprehensive and robust compliance program. As explained below, that strategy starts with knowing how each AG views the relevant laws, continues with conforming compliance strategies and business changes to those interpretations—including as they change—and ends with actively addressing and thoughtfully resolving consumer complaints before they snowball into an enforcement action.
Industries Scrutinized by State AGs
Over the past decade, state AGs have increasingly exercised their power as regulators (at the state and national level), leading the charge in regulating consumer harms. They have, individually and collectively, established industry-wide initiatives, filed lawsuits and obtained settlements to exert significant pressure on businesses and industries. Through these efforts, state AGs have consistently scrutinized the financial services, automobile, data privacy and tobacco industries.
In the absence of comprehensive federal regulations, state AGs are also likely to continue to regulate social media, environmental justice, cannabis and virtual currency-related products. Once state AGs commit resources to regulate an industry, they are determined to continue enforcement despite federal regulators increasing their focus. Sometimes even when a federal regulator acts, state AGs often take independent action because federal enforcement is viewed as seemingly insufficient, i.e., issuing penalties that are too low and offering little consumer redress. This results in companies often facing simultaneous investigations from both the state and federal government.
However, predicting areas of enforcement ripe for state AGs remains difficult because each of the 56 state and territory attorneys general has different policy priorities. Companies should be wary, as handling even a single AG investigation is costly and requires substantial time, energy and legal resources. Multistate investigations only make matters more complex and challenging.
State AGs and UDAPs
Although many federal and state statutes give state AGs the power to regulate companies, state AGs are most known for enforcing their states’ unfair or deceptive acts or practices laws (UDAPs). These laws often carry significant penalties, including restitution and injunctive relief, even though they do not precisely define what constitutes an unfair or deceptive act or practice.
This presents challenges for companies because state AGs have used this ambiguity to push a broad view of what constitutes an unfair or deceptive trade practice, often attempting to patch what they perceive as holes in state and federal law. For instance, the North Carolina Attorney General has consistently taken the position that marketing and selling e-cigarette products designed to appeal to youth violates North Carolina’s consumer protection law. Similarly, the Massachusetts Attorney General asserted that lending to consumers without conducting an ability-to-pay analysis is an unfair and deceptive practice under Massachusetts law.
Today’s settlement with Juul is a major win in the fight against teen vaping and nicotine addiction. pic.twitter.com/gCcCNJaaGL
— Josh Stein (@JoshStein_) June 28, 2021
Proactive Efforts to Mitigate an AG Enforcement Action
Companies in the spotlight must remain hyper-vigilant about their compliance strategies to stave off AG scrutiny and ensure their products and services are not perceived as potentially unfair, deceptive, misleading or even confusing. Companies can do that by:
- Knowing the law and its application: Companies should evaluate each state’s approach to consumer protection and how its state AG reads the statute, based upon prior enforcement actions (cease and desist letters, lawsuits and settlements) and public statements (press releases, etc.).
- Establishing compliance strategies based on the state AG’s approach: After considering the enforcement actions and public statements mentioned above, companies should evaluate their current practices to ensure compliance with applicable laws.
- Anticipating possible changes: Companies should evaluate potential business changes according to how state AGs will view them—through their impact on consumers—and hypothesize future scenarios to anticipate risks and opportunities.
- Maintaining comprehensive yet adaptable compliance measures: To keep pace with the changes in the legal environment, companies should actively monitor the legal landscape, review their compliance measures and respond to changes in real-time to ensure continual compliance with all laws.
- Addressing and resolving consumer complaints: Companies should track, review and thoughtfully respond to complaints submitted to state AGs and the Better Business Bureau (BBB). State AGs often create hotlines to crowdsource consumer complaints and discover potential UDAP violations. For example, when the California Consumer Privacy Act (CCPA) was enacted, the California Attorney General advised consumers to “exercise [their] rights under the CCPA” by launching a new online Consumer Privacy Tool that allows consumers to directly notify businesses about CCPA violations, which the California AG’s office used to assist “in investigating and enforcing” the CCPA.
Although a proactive compliance strategy is helpful to identify potential enforcement actions, no company can predict all potential state AG enforcement actions. State AG priorities and policies can shift at any time, sometimes resulting in a “first-of-its-kind” enforcement action. Historically, such actions involving novel readings of state consumer laws are usually taken against companies operating in industries that state AGs believe are particularly harmful to consumers.
While no regulatory strategy is foolproof, a proactive one helps demonstrate to regulators that a company has made a good faith effort to conclude that its actions comply with state law. This also allows companies to negate any assertions that they willfully violated any laws. This is crucial for two reasons. First, many statutes only allow AGs to seek civil penalties if they can demonstrate a company’s conduct reached the willful standard. Second, even if the law does not expressly require a willful violation, both AGs and courts are likely to temper their demands if they believe a company made a good faith effort to comply with the statutory law.
State AG investigations are burdensome for companies, as they require significant time, energy, and resources that could be spent elsewhere. By having proper safeguards already in place, companies can avoid being caught off guard by such regulatory scrutiny.
The authors would like to thank additional members of Troutman Pepper’s State Attorneys General Practice Group for contributing to this article: Ketan Bhirud, Barry Boise, Siran Faulders, Bonnie Gill, Namrata Kang, Tim McHugh, Harold Melton, Rachel Miklaszewski, Charles Peeler, Stephen Piepgrass, Avi Schick, Ryan Strasser, Abbey Thornhill, Daniel Waltz, and John West.