Privacy Lawls with Donata

Ep.17 | Privacy law enforcement is on the rise (Guest: Paul Singer)

Privacy law enforcement is currently on the rise across the globe — and Texas is no different.

For this episode Donata is joined by Paul Singer, Partner at Kelley Drye in Washington D.C. Before that, he spent two decades in the Texas Attorney General’s office.

Full bio:
https://www.kelleydrye.com/people/paul-l-singer

Links mentioned in the episode:

Newsletter:

Show Transcript

[00:00:00] Hello, and welcome to Episode 17 of Privacy Laws, where I, Donata Stroink-Skillrud, speak with amazing privacy professionals, and we have some laughs along the way as well. Today, I’ll be speaking with Attorney Paul Singer about the increase in privacy law enforcement in Texas. Paul is a partner at Kelly Drye in Washington, D.C., defending clients in state level investigations and enforcement actions, providing comprehensive compliance counsel and advancing their interests through persuasive policy advocacy on consumer protection matters. Prior to his current position, Paul spent over two decades in the Texas Attorney General’s office, spearheading its consumer protection, advertising, and marketing, public health, and data protection efforts.

Paul spent most of his time at the Texas Attorney General’s office in the Consumer Protection Division, including as head of the Internet and Privacy Team, and later as Division Chief. He also served as part of the agency’s executive [00:01:00] leadership team as the associate deputy attorney general for civil litigation.

So, Paul, thank you so much for joining me today. What made you interested in working on consumer protection and privacy matters? Well, thanks, Donata, and thank you for inviting me to participate today. I’m really looking forward to this discussion. Um, and, you know, it’s, it’s a, It’s an interesting question as to sort of how I got here because, um, consumer protection, privacy, that was not really something necessarily on my radar.

I, I kind of stumbled into it when I was in law school, um, because quite candidly, I didn’t realize that the attorney general played such an active role. In sort of the broad consumer protection space and now like increasingly in the privacy space. Um, until a friend of mine who happened to be interning at the AG’s office at the time came and sort of showed me this role in this division and suggested like, Hey, this sounds like something you might want to do.

Um, at the time I knew I wanted to [00:02:00] do something public service oriented and I felt myself kind of drawn to consumer issues largely because We’re all impacted by them, right? I mean, we’re all consumers. We all deal with the kinds of privacy questions and issues that we’re going to talk to today. Um, every one of us.

And so it, it makes sort of your practice and what you’re doing real, because this is something that impacts not only everybody that you meet, but it impacts you directly, um, as well. Um, when I started in consumer, I’m going to date myself a little, right. But when I started in consumer, I mean, we were still pre my space, like technology, the, and, and the use of, of the internet and, and your activities online was fairly limited and still fairly novel.

And I think it was, you know, a few years into my practice that, you know, we. We collectively at the office started to realize, Hey, the amount of data that is [00:03:00] now being able to be collected about you and the use of that data is just like a giant unknown to all of us. And that’s where really, I think you started to see.

Privacy enforcement evolve because as there was this increased technology, increased access to user data, we all suddenly started to realize on the enforcer side, this is going to be a real problem, especially for the most vulnerable. And that’s, you know, for example, like children. And so, That’s really what, what kind of drove me at the time was, um, you know, being on sort of the cutting edge of this sudden huge spike in technological growth and how that impacts, you know, day to day consumers.

It’s really interesting that you mentioned that we’re all consumers, even us as privacy attorneys. So you would think, like, who’s exempt from privacy harms and privacy annoyances? And you would think as a privacy lawyer [00:04:00] that you would be exempt from those things. Um, but I can say that during this recording, I will probably get about 10 spam calls offering me Medicare and life alert and all the other things that I’m not interested in and it’s really interesting because you know, you, you tell them, Hey, just so you know, I’m a privacy lawyer and then they hang up real quick, but you still get all those calls.

No, that’s right. And you think it’s impactful when you say you’re a privacy lawyer. Just think about when you say, Oh, I work for the state and I work for the attorney general. Like you frequently will get the hang then. And, and, and you’re right. Like those things don’t. We’re not immune to any of that, right?

It all goes away, you know, as soon as, it’s not like it all goes away just because you, you practice in this space. We are all just like every other consumer and we’re all, um, getting hit with the same kind of outreach and, and have the same kind of concerns that every consumer has. Absolutely. Um, so you spent a lot of time working at the Texas Attorney General’s office.

Do you have any advice for [00:05:00] lawyers or law students who may want to work in the public sector, but aren’t sure how to get there? So, so I am a, I’m a big advocate and fan of. Of at least spending some of your career in public service and and working at an ag office Especially if you’re interested in this kind of role, um, you know, all of the ag offices take on Um, you know baby lawyers and interns and and really do kind of encourage growth in that community I think that if you have an interest in doing Public sector work, especially in the privacy space.

This is an amazing time to do it, right? Because you think about like how privacy law is evolving and as states are rolling out new comprehensive privacy laws, like what an amazing time to be in an office and, and get to be on the ground floor as these new laws are being enforced. And I think that if, if you have that kind of interest, Um, [00:06:00] Talk to people in your community who have been there, who have done it, reach out to those offices early, like while you’re still in law school.

Like I said, they, they all do take on interns and, and law clerks, um, you know, and, and really sort of get your foot in the door that way. They are welcoming and open to that assistance because there is so much work that, um, that they want to do. To to bring you in now, you know the the one sort of piece of advice I I give perspective You know people from for the future at an office like that is just understand it is a government office, right?

There are layers of of bureaucracy and unique things that come with with doing public service and government work Um that you just need to be prepared for as a lawyer, right? Like it’s very different. You don’t have clients You You represent the public interest. Um, you have to deal with things like public records, which, um, is a challenge at times, right?

You have to know that your communications by [00:07:00] default are generally public information and unless an exception applies. And so things like that really sort of changed the way that you practice law. Um, and it’s very different than being in the private sector, but it is very fulfilling and you’re going to get opportunities that you wouldn’t necessarily get if you go straight into the private sector.

Absolutely. And um, when I was in law school, I was an extern at, um, Homeland Security. Um, and it was a really, really great experience because I got to learn a lot. I got to work with really experienced lawyers, um, who taught me a lot, both from a legal perspective and from just, you know, working in an office as an attorney.

Um, and it can also lead to actual jobs after your internship or externship or, or whatever is completed as well. That’s right. No, and that’s exactly how I started. I, I, I started at the office after my second year of law school. Um, it kind of led itself to a job, you know, there. And, um, you know, something I thought I was going to do [00:08:00] for 2 years turned into 20.

so it’s, you know, it, it is, it’s a, it’s, it is a great opportunity. Absolutely. Um, and later on in your career, you transitioned to a law firm. What was it like to transition from working in the public sector to working at a, at a firm? You know, um, it’s, it’s, I mentioned some of those little sort of nuances you have to deal with.

I think the most exciting thing to me was that I’d no longer have to deal with open records and open records requests. Um, it’s a, it’s a wonderful thing. Um, but, you know, no, seriously, it, it, it was a good transition for me because I very purposefully wanted to go, you know, To this firm and, and where I went at Kelly dry, because I really wanted to find a way to continue to do the same kind of practice and be in the same ag enforcement community.

Um, but on the private side and on the [00:09:00] defense side and, you know, this, this firm really lent itself well to that kind of opportunity because, you know, there’s someone that it’s a firm that I had dealt with quite a bit in my role at the AG’s office. Um, had a great deal of respect for the attorneys in our practice group.

I knew that they were deep in substance on the law, and that’s really what I was looking for was a place that I could go and continue that kind of, you know, deep analysis of emerging laws and, and how changes in technology would, um, would, would impact enforcement of those laws. And so, you know, for me, it hasn’t been that significant a change, right?

Because I’m still in the community, I’m still doing the same kind of work, just kind of doing it from the other side of the table. And, and so it’s been a relatively smooth transition. Um, but I think learning thing. Learning sort of the, the private sort of business aspects of being at a law firm, very [00:10:00] different than, you know, the AG and, and that big one I highlighted earlier, you don’t have clients when you’re at the AG’s office, but you do have clients when you’re in private practice, obviously.

And so, you know, transitioning your mindset from operating in the public interest to doing what’s in your client’s interest, it, it, you know, It’s, it’s a change. It’s a change in mindset. But, you know, surprise, not surprisingly, right? I think I, I found that like most of our clients really are wanting to do what’s in the public interest.

So there’s just a lot of alignment between what people are trying to do. Because I think especially as we talk about how you’re going to enforce a new comprehensive privacy law, like the companies that are out there, they just want to get it right. They just want to do the right thing and they want to figure out what they’re supposed to do to be compliant.

And that’s what the state wants too. And so everybody’s interests ultimately are going to end up aligned. Absolutely. I think it’s really interesting, um, how you just illustrated, you know, working on, on opposite sides. Right. Um, I kind of learned that at, at Homeland [00:11:00] Security as well, which is, you know, when you’re a law student and you’re watching lawyer shows and the opposing sides hate each other and they’re constantly bickering and, you And try to get one up on each other.

But in reality, it’s a professional relationship. Um, and in reality, you end up being, you know, friends with people on the opposing side, because you’re all just, you’re arguing about the law, but you still maintain a professional relationship. Um, which I personally was very surprised by, um, when I was a law student.

Um, but it was a very nice surprise. Yeah. Oh, I, I think that is generally true. I mean, it is not without exception, of course, like you have your adversarial moments and and your challenging counsel on the other side. Um, but I think for the most part, you are exactly right. And and it’s, it’s frankly, why I think that, um, You know, the, the kind of role that I try to play and do for our clients is really to be that bridge and to be that line of communication and helpful resource to help, [00:12:00] um, find those areas where your interests are aligned and really use those to resolve whatever concerns, um, the state might have, as opposed to taking a more aggressive adversarial role.

And we’ll probably get better results because of that. Absolutely. And certainly more efficient results. Yeah. All right. So let’s get into our kind of main topic today, which is the increase in privacy enforcement in Texas. So for many of us, we’re used to hearing about privacy enforcement actions in California.

So it could be surprising to hear about enforcement actions in Texas. Um, but as it turns out, enforcement is nothing new in the state. Um, can you tell us a bit more about the history of privacy enforcement in Texas? Sure. Absolutely. And I, and I started down this path earlier talking about sort of how we as a, as a group started to think about privacy as we saw sort of this, this, uh, change in the use of technology.

[00:13:00] Um, and you know, I, I really compliment a lot of the attorneys at the office who were my mentors, who really did sort of pay attention to this at a different level than I think a lot of states were doing early on. And so texas was, was one of the first states to create a dedicated um, team that was looking at These kinds of issues.

Um, at the time we were, I think initially we were called the internet enforcement unit, um, which, you know, really didn’t even have privacy in the concept, but in the title, but like, that was the basic concept was we were looking at the growth of the use of the internet and technology and how that was impacting users, which really did have a privacy data collection focus to it.

Um, Texas was the. the first state that brought a state led COPPA case. Um, there were two cases we filed on the [00:14:00] same day. Um, and, you know, and I think that really sort of stemmed out of that dedicated unit and our, our particular focus on this. Um, you know, at the time, In the early 2000s, we were looking at things like how personal identifying information was being disposed of in paper form.

So we did a lot of dumpster cases, right? Like, you know, where records were just thrown in publicly accessible dumpsters. Again, that same work then transitioned into, um, we used to talk about the dumpster of the internet, right? I mean, we had some cases where like it, where you could find just easily accessible, personal identifying information online, um, on different company sites, and we started focusing our attention on those kinds of cases.

Um, and this was all in like, Mid 2000, right? When we were really sort of looking at this as you were seeing this sort of [00:15:00] exponential growth and use of the Internet and social media and just technical technology as a whole. As a result of that, I think Texas really has become one of the leaders in Multistate privacy enforcement.

So, you know, actions where states are collectively working together against one target. Texas is frequently at the forefront of those kinds of cases because they’ve had this historical, um, team and dedicated attorneys, uh, looking at these issues. So, you know, I think that. What, what has changed in recent months is the growth of those dedicated personnel, um, obviously new tools for the AG toolbox because there’s new laws we’re going to talk about in a minute.

But, um, you know, I, I think that what all that’s really changed is just sort of the additional resources. I think that that drive and that enforcement perspective. [00:16:00] In this space has always been there and, and has really been, you know, and not just always been there, but has, you know, Texas has really led the way in a lot of respects and in this space.

That’s really, really interesting. I mean, it’s really something that you wouldn’t necessarily think that people were focusing on in the early two thousands, right. That that definitely takes some vision and forethought, um, to kind of blaze Nobody was really thinking about that much back then. But, but it is, it is consistent though with, you know, the, the thing that people I think, um, miss sometimes, right.

Is that like privacy enforcement today is really an evolution of general consumer protection enforcement as it has existed since the seventies, right. And, and some of those basic core concepts that you see. In a lot of privacy actions have their roots and and frankly are brought under state unfair deceptive [00:17:00] acts or practice laws And so, you know, I I think that it it is for people that are just entrenched in the consumer protection world And for people that have spent their whole career doing that When whenever we see new technology emerge, you immediately know there are going to be consumer protection issues surrounding it because consumers need to be educated on what this new technology is, how it fundamentally operates, how they’re They’re interacting with it and what they’re consenting to by using that technology.

It’s the same things we see now as we focus on a I we saw, you know, back in the two thousands when we were talking about the use of the Internet, same basic inherent questions. Do consumers fully understand the nature of this relationship, what they’re giving up and what they’re getting in return? Yeah, I think unless education is present, the answer to that is almost always.

No, [00:18:00] that’s right. 100%. And that that’s why I say, like, as you see new technology emerge, you just know, there’s going to be consumer protection issues associated with it. Yeah, absolutely. So what types of privacy harms does the Texas Attorney General’s office focus on? Yeah, so we were just talking about some of this, right?

I mean, I think a lot of it really is, um, you know, from a privacy standpoint, it’s what, what am I data is getting collected and used? How is it being used? And where does it go? Right? So that sort of broadly captures, you know, things like data breaches, right? So, you know, are you putting adequate protections in place as a business who’s collecting my information to ensure that in the event some rogue actor is out there trying to access it?

They’re, you know, They’re reasonably going to be prohibited from, from getting access to it. Are you putting, you know, is data minimization a thought in your head? Right. And, and it’s an area I talk about, you know, a lot that while we [00:19:00] see new comprehensive privacy laws that are actually. Now, legally requiring it, the concepts of data minimization have always been pushed by state AGs just in general UDAP enforcement, because again, it’s all sort of intertwines with, is it an unfair practice to collect more information than you reasonably need to be using for, to provide a, a good or service to a consumer, um, for states that don’t have unfairness?

Is it? Is it false or misleading? If you are telling people I’m collecting data for this use, and this is why I’m collecting this data when in reality you’re collecting it for something else. So a lot of it really does stem from this disclosure and ensuring that consumers understand, you know, what they’re getting into, but in terms of like the populations that the, um, the AG has historically focused on, um, it really is sort of.

Like those vulnerable groups I was talking about before. That’s always a [00:20:00] priority. So when you think about the elderly children, um, you know, people that may be like sector specific. If you are someone who is, you know, um, In like an emergency situation and being taken advantage of like those kinds of, of areas and groups are always going to be a focus, but I think it’s that coupling of vulnerable population of consumers, along with the underlying emerging technology and confusion around that.

That is where you’re going to find. The focus that’s, that’s historically been how they’ve, they’ve tackled this area. It’s really interesting that you mentioned like transparency and adequate disclosures. Um, I was talking to attorney yesterday who, um, you know, has reviewed a lot of privacy policies and he’s like, well, you know, a lot of privacy policies give you a non exhaustive list of all the data that’s being collected.

Like we may collect name, email, phone number, and then Other [00:21:00] stuff and they never tell you what the other stuff is like, but that’s not the standard set by the law. Like, the standard is you disclose all the information that you’re collecting so that there’s no confusion and there’s full transparency.

And I think the, the fact that a lot of this has not been. You know, the subject of enforcement historically is causing a lot of confusion and there’s a lot of, um, lack of transparency going on. Um, but I think as we have more enforcement, as we have more laws, I think that’s going to be tightened up soon.

I think that’s right. And I absolutely think but but it’s it’s right, but it’s not and it’s not surprising, right? Um, you know, I’m not shocked that, you know, people want to push the boundaries of what is or isn’t permissible under the law and and think through, you know, you know, What how much do I actually have to disclose versus What is sort of the best disclosure in terms of educating the public and [00:22:00] educating consumers?

You know, I I think we typically counsel clients on the latter right because you know The more you want to disclose and the more transparent you can be The more likely you are going to be off the radar of of an enforcer like an ag um, you know, remember like these are um Uh, offices that are still government entities and so they often find themselves with limited resources and more work than they can ever possibly handle.

And so, you know, from a counseling standpoint, you, you want to ensure that companies that you’re advising are not. The low hanging fruit, that’s, that’s really the objective because if you can demonstrate that you are trying to be transparent, even a technical violation of the law might be, um, forgiven if you can show that like your intentions were to give that layer of transparency and education that you were [00:23:00] just describing.

Yeah. Absolutely, um, so let’s talk about the Texas data privacy and security act that went into effect on July 1st of this year. Can you tell us a little bit more about this privacy law? Sure. Not a lot of, like, shocking things in this law for anyone that monitors the space. It is very similar to some of the other, uh, comprehensive privacy laws that are out there and essentially is providing.

A set of basic rights, uh, to consumers about, um, you know, informing them as to how their data is used, giving them the right to access and correct inaccuracies, request deletion, um, and opt out of certain targeted advertising and sales of data, right? It’s same basic concepts that you see in a lot of, of other laws.

Um, it puts responsibilities on both controllers and processors of that data, um, to ensure that. That those choice, the choice and selections of [00:24:00] consumers are actually adhered to, um, and that consumers are given the clear notice in a, a clear and conspicuous privacy policy and elsewhere of their rights and how they can exercise those rights.

It includes the concepts of data minimization. We were just talking about, um. Like some other state laws, Texas’s law does have a right to cure. Um, there is a 30 day notice and right to cure period for potential violations. Um, like most of these state laws, it is uniquely and, and solely enforced by the Attorney General.

Um, it, uh, doesn’t have a private cause of action. Um, it includes a lot of the same kinds of exemptions that you see in other state laws for some of the sector specific behavior and conduct. So areas that are already covered by Gramm Leach Bliley or by HIPAA are, are exempt from it. Um, but you know, from, from just sort of the.

The framework of where it fits in the broader universe. [00:25:00] Like I’d say, it’s, it’s very similar to a lot of the other comprehensive privacy laws that are now in effect. Yeah. I think one of the unique points at the time of passage was the, um, exception for small businesses under the, um, small business administration definition.

Um, I think some more states have adopted that standard since then, but it was unique at that time, um, because I do remember having to look up the definition. Um, so can you. Tell us a bit more about why so many U. S. privacy laws, um, exempt small businesses from these requirements. You know, I, I think that, um, the concept of exempting small businesses from.

Regulations like this is not new, even though the way Texas handled it here was novel. Uh, it, it, it is just the idea that, you know, a recognition of the costs and expense that is [00:26:00] involved in complying with a robust framework like this is going to put a heavy on small businesses is something that the law generally tries to recognize, especially in a state like Texas, that is a very pro business state.

Um, and that tries to encourage growth and opportunity for small business. Um, you know, we’ve talked a lot about how all of these privacy laws are have their roots in basic UDAP concepts and and fundamental consumer protection, um, priorities. Um, in Texas, like many states, small businesses are consumers also.

So they are the class of folks that we are supposed to be protecting under the law. And so I think putting the type of, of burden on a small business that some of these laws focus on doesn’t make a lot of sense when you think about what you’re getting in return. Um, the types of massive data [00:27:00] collection, compilation, use, uh, really stem from larger companies that Can, you know, get a lot more detail about you and individual transactions.

And then really it’s sort of third parties who can compile all of that information and data and build a profile about you that, that has given rise to a lot of the concern. You just don’t see that right. With a small business that really doesn’t have the capability to get as much information about you.

So at the end of the day, you know, I think the concept was like, we shouldn’t be penalizing a mom and pop operation for the data collection practices that we’re more concerned about for some of these bigger players. And we want to make sure that we’re finding a, a reasonable way to distinguish You know, the, the smaller entities from, you know, the, the bigger ones in terms of what our [00:28:00] expectations are for them.

Nobody has a perfect solution to do that. But I think this was definitely sort of the, the desire and intent of the office was preserve that, that recognition that we want to encourage more small business and don’t want to do something that’s going to hinder their growth. Yeah. Um, one really strange thing that I’ve seen in the last year or two, I didn’t see this before, um, But I’ve seen a lot more small businesses opting in to complying with these laws, even though they’re not required to comply by statute.

Um, they have been opting in to comply with these laws because they want to show their customers that they care about their privacy. Um, so for example, let’s say there’s a small business selling t shirts or something like that. Somebody says, Oh, can you please delete my data or opt me out of targeted ads?

They will still do that even though they’re not legally required to do it. That’s right, and I think, I think you just hit exactly why right, which is as the law has evolved [00:29:00] and as people are drawing more attention to. These data collection practices. I think what you’re finding is, is that that’s becoming more and more part of the, the type of offering that companies really can provide.

Um, you know, we’ve seen some of this over the last couple of decades where, uh, particular companies want to promote their sort of, you know, Higher than the law standard of privacy protection that they want to implement. And I think that as you see some of these small businesses react that way, it’s, it’s a similar trend.

They want to be able to market to their customers and promote the idea that listen, we are. We are a partner with you. We want to, we want to protect your information. We will honor your request, despite no legal obligation for us to do so. Because again, it’s just something good that can build that good relationship with the customer and help promote the business.

Yeah, it’s a great trend. I, I enjoy seeing it [00:30:00] as a lawyer and as a consumer as well. Um, so besides the TDPSA, um, some may not realize that the Texas legislature actually passed a number of other privacy related laws, uh, in the last legislative session. So, can you tell us a bit more about that last session, like the data broker law and the scope act?

Yes, and I’m hoping that now people that are following this area are aware of these laws just because in as recent as last week, right? We’re getting, you know, more insight into how the Texas AG is starting to treat these laws and focus on these laws. So, you know, let’s let’s back up for a minute. I talked about sort of, you know, the growth of the privacy team in Texas.

But, you know, a lot of that came from funding attached to the TDPSA, right? So you, you suddenly had like this influx [00:31:00] of, um, bodies and, and, Capabilities for this team to now be able to do and enforce a broader variety of laws. Um, and at the same time that there were all these discussions around the comprehensive privacy law, we started to see, you know, the, the legislature considering some of these other protections like the data broker law and the scope act.

And so, you know, I think that that expansion of the team. And funding for that team was largely driven, not just to enforce this new comprehensive privacy law, but really was like a mandate to the AG of we’re giving you these resources now go enforce the law. And the law means all of these new tools that we’re giving you.

And so I give that backdrop because nobody should be surprised that Texas is coming out of the gate. You know, with aggressive enforcement on all of these fronts and is going to continue to do so because that’s the expectation of the [00:32:00] legislature. And that, that is the mission of, of what this team is going to be doing going forward.

Um, so the, the data broker law, um, as a, is, is, you know, similar to other state laws, but it is basically, you know, It applies to businesses that whose primary business is to collect and process and transfer information that isn’t directly collected by that company. Right? So they are serving as like a third party who basically compiles all of this information and utilizes it for, um, you know, Aggregate purposes and, and is, you know, compiling the kinds of, of information together, um, that, that Has frankly, I think, given rise to some of the need for some of these other laws.

Um, Like some other states that have, have, you know, created laws like this, it, it requires data brokers to register, post a notice on their site that they are a data broker, implement a [00:33:00] comprehensive information security program, You know, the kind of basic privacy standards that I think you’ve seen come out of enforcement actions from the AG in the past, but it really is like fundamentally like a registration and notice kind of statute that it has in it.

The, the office was very quick to. start to notify people about this law. They sent out over 100 notice letters to data brokers, uh, informing them of the new law and asking questions about their compliance and, you know, ensuring that they are actually aware and coming into compliance. I think that kind of, uh, Really like a business education approach like this on a business by business basis is highly effective.

It’s a great way to ensure that there is compliance without having to wait until there’s ongoing violations and harm. Um, and I think the office was, was really good about, you know, [00:34:00] doing that in an aggressive way, but, you know, ensuring that they’re not just coming out of the sort of bringing Um, enforcement actions against companies who may not have realized, like, like this was, you know, in effect and, and now applying to them.

Um, the SCOPE Act, uh, it’s the Securing Children Online Through Parental Empowerment Act, right? Um, this is an act that is designed to protect children who are, anyone under 18, um, from, really the, at, at its core was designed to prevent, um, them from um, being shown harmful content online. Um, the Act, as it originally was drafted, included um, a number of provisions that um, dealt with harm prevention directly, right?

It required companies to develop a harm prevention strategy and think about ways to prevent Children from having access [00:35:00] to harmful content. Um, along with that provision, right? You had a number of provisions about sort of basic obligations that, um, These companies need to provide, they needed to, you know, collect and register a user’s age, limit data collection for children, um, you know, limited targeting advertising to children, uh, clear disclosure about the use of algorithms and how they’re being used, um, and then importantly, giving parents tools to come in and control their minors, um, access to information and ultimate, um, Like data collection practices, um, this law was challenged before it went into effect, uh, in September, um, and the, the harm prevention obligations were found to be unconstitutional, um, and preempted by section 230.

So. There was a little bit of sort of question [00:36:00] right there like, okay, now a chunk of this law has been found unconstitutional like what is the office going to do with this, and I think the office was actually quite vocal that, you know, despite. a piece of it being found unconstitutional that did not take away all those other obligations that we just talked about.

Um, and then, uh, everyone has probably seen that just, uh, last week or week before, Texas filed suit against TikTok, um, alleging a number of violations of the SCOPE Act, and it really was a SCOPE Act focused, uh, case. So, you know, I, I think that This, this really, in my mind, demonstrates the level to which the office is going to continue to press and enforce these laws, um, you know, making sure that, from a business standpoint, that you understand which ones apply to you, which ones don’t, what exemptions you can take advantage of.

What the obligations and requirements are, and really taking the opportunity to do an [00:37:00] internal review and deep dive of your practices to ensure that you’re not doing anything that violates both the letter and the spirit of the law. Um, and I, I emphasize that last point of the spirit of the law, because it goes back to, you know, our discussion we were having about the small business exemption.

There, there are going to be like red flags raised and, and eyes on you as a business, if you are not. You know, doing things in a consumer friendly way and in a way that gives the transparency and controls that are expected out of this, this bucket of laws that have now gone into effect. Those are the kind of things that the office is going to be looking at.

And so whether you can argue an exemption or not. Just know that you may fall under scrutiny and may, may get some, you know, uh, may be under an investigation by the office because of, you know, your practices and so ensuring that you’re on top of those kinds of issues and understand these basic laws is, is critical at this time.

Absolutely. I think looking at [00:38:00] it from a consumer lens as well, you know, some, as somebody who uses the internet and, you know, looks at X or Facebook or whatever, I can’t imagine being a parent and having a child that uses the internet and having to explain to them what this stuff is, how to use it and how to protect yourself online.

When we’re coming against like multi billion dollar companies that want to track literally everything and keep everybody on their platforms for as long as they can. No, I, listen, I think that that’s, that’s sort of the objective here, right? Is that children are in a position where they don’t fully comprehend and frankly don’t want to comprehend sort of the, the privacy elements of what they’re doing online.

They just want to get online to either. Watch these videos or play this game or like, that’s, that’s their objective. But it, it reminds me a lot of when I was a kid and there was this huge criticism of, you know, [00:39:00] television advertising and television, kid oriented television programs that were blurring the lines between an ad.

And content, right. And we’re really like 30 minute shows that were just an ad for, you know, kit to encourage kids to go, um, tell their parents, I’ve got to have these items, like, right, like you’re in the same sort of situation where we’re looking out for the interests of children because they don’t have the ability to really recognize what’s happening and what the ultimate motives are.

And so that’s, that’s really. What these laws are about is trying to protect children from that exact kind of exposure and access. And, and there’s a balance, right? It is not to say that there is anything wrong fundamentally with the concepts of social media or any of these online services. It really is just striking this right balance of, you know, giving parents information and options, limiting the use of [00:40:00] children’s information and how, um, you know, and, and what, Sort of ability companies have to pull that information from children.

And just, again, like we’ve been talking about that idea of transparency and just a complete picture of what you’re doing and why that’s, that’s what these are about. Yeah, I’m gonna date myself a little bit, but when I was a kid, I grew up in Lithuania and I used to watch this show where it was like a cartoon where there was a wolf that was trying to catch this rabbit and the wolf was always smoking and drinking vodka and this was a children’s show.

And I actually have a DVD copy of that show somewhere. I don’t have a DVD player anymore, but I do have a DVD copy and I really want to watch it someday, just to kind of see what they were showing us as kids, because that does not sound appropriate. No, no, it’s amazing that about the things we saw as kids because it, but, but it’s [00:41:00] exactly at the heart of what’s being argued from the enforcer standpoint, right?

We don’t want kids to see that kind of content and think, I mean, it’s, it was, I mean, you think back to the tobacco litigation, that the A. G. Spearheaded. And those cases were marketing cases. That’s what they were about. They were all about the way in which tobacco companies were representing their products is cool and sort of, you know, making it look like this is something that you you as a kid would want to be doing.

And the associated harms that came with that weren’t being disclosed. Those were being withheld. And we’ve seen that same trend continue to emerge from, from issue to issue to issue over the last, you know, 40 years like that, that, and, and I, that’s not going away. And, and I think social media is really the latest area where we’ve now seen this new platform.

We see harms that. That, you know, are potentially occurring [00:42:00] on them and we want to protect our children from them. Yeah, I, I remember the candy cigarettes that used to be sold. It looked like a cigarette, but on the inside it was chocolate. Who thought that was a good idea? We all had candy cigarettes and thought they were like the best thing.

And you know, there’s actually, there’s a store here that sells like vintage candy and you can still buy candy cigarettes. And I actually got some. Just because I was like, these were like so cool when I was a kid. They’re pretty nasty, by the way. That’s just like, it is just like a stick of like tasteless sugar.

And yet like, we all thought this was so cool because everybody, you know, that smoking was a cool thing to do. Yeah. That was quite the time. Um, so going back to, to privacy, um, can you talk about the focus of communicating with customers and transparency requirements that businesses need to meet to comply with these laws?

Yeah. I, I mean, look, I, I think that [00:43:00] this is the point we’ve been emphasizing throughout this conversation. Um, You know, fundamentally, all of these laws and the enforcement actions that you’ve seen to date coming out of Texas, like, if you really go read each of the, the recent lawsuits and complaints that are getting filed, they are fundamentally about, um, a lack of disclosure or misleading information that are, is being represented to customers.

And so I think that really, you know, the, the, the whole concept as a business that you need to think about is the way you framed it just a minute ago, put it through the consumer lens, right? You need to make sure that you are fully informing them and educating them on how new technology is impacting.

their interaction with you as a company, what that means in terms of the benefit of [00:44:00] the bargain for the customer, right? I’m, I’m not just paying X dollars to get this product, right? I’m, I’m potentially giving you access to this information to get X product. And that, that’s sort of a distinction and information that people really need to understand, um, in the same way that, okay.

An ag would be coming after you if you didn’t tell them how much something cost and you just took their money after the fact It’s the same reaction now of if you’re not being transparent and clear with people about Um what data and information is being collected about them? An enforcer is going to look at you and and come after you Um, but that transparency really starts, you know starts with that focus on the consumer, but it continues throughout the way that you are doing business and ensuring that you have a compliance oriented mindset.

So as you’re getting feedback and [00:45:00] complaints from consumers, what do you do with those? How do you respond to those? Are you making changes as a business? Um, You know, to better communicate than with customers and clarify those those practices. Those are questions that enforcers are going to ask. Um, and, you know, one thing that I think is is valuable and and is worthy of consideration is as you are evolving your technology use as a business.

How are you communicating that not just to your customers, but directly to the enforcers? Um, AI usage is a great example. Are you being proactive and are you going and telling AGs, for example, that here’s, here’s a new product or service that we’re rolling out. Here’s what it means in terms of the customer.

And by the way, here’s how we’re disclosing all of this and being transparent and educating consumers about those practices. Um, there’s a lot of resistance sometimes people have to, to thinking about that kind [00:46:00] of proactive outreach because you think that it may be, uh, putting you on the radar unnecessarily or doing something that could be adverse to your interests.

I will tell you, like, the AG community, um, not only welcomes that, but kind of expects that from the good actors in the space. They want to know and want to be a part of that process. While they’re never going to come to you and say that they will endorse a particular way that you are, you know, Going to do that kind of outreach, the more you can do to tell them on the front end that this is why we’re doing this.

This is how we’re rolling it out. And this is, you know, the, these are the kind of benefits that a consumer is going to get. I think it’s the better. This is all going to work out for, for you in the long run. So that if there ever is an issue, they’re going to see you as a good actor in the space and they’ll, they’ll want to work with you to address it.

Absolutely. I’ve done that before, um, for questions about privacy laws and, and some items that weren’t clear and I can see from personal [00:47:00] experience, they just want to help you. You know, they just provide you with the information that you need and talk to you and explain things to you and then you can do things the right way.

Um, it’s never kind of, uh, an ugly or adversarial process when you’re just asking people for information or help. That’s right. Absolutely. No. And it’s Frank. Yeah. Like I said, it’s encouraged. So, Paul, last question for you. Um, if a business wants to retain your service, where can they reach you? So, um, very easy to find.

Uh, you know, you can, my email is psinger at kellydry. com. Um, you can visit our website at kellydry. com. Um, just, you know, Just whatever you do, just don’t Google Paul Singer because you’re going to get a billionaire hedge fund, uh, uh, owner. And that, that sadly is not me. Um, I am not the billionaire, billionaire Paul Singer.

Um, but no, I mean, we, we have a strong, uh, social media presence. You can find me on LinkedIn. Um, you know, always [00:48:00] happy to have these kinds of conversations. And like I said, you know, especially when it comes to taxes and how they’re treating things, um, this is a big focus of what my practice is these days is, is not just, you know, being reactionary and helping companies when they are under investigation, but doing a lot of this sort of.

This whole discussion has been about thinking about compliance on the front end and how we’re going to interact and engage with offices. That’s just something we’re constantly advising folks on and we’re, we’re happy to continue to do. So if you have questions, reach out. Yeah. And then the show notes, we actually will have a link to your website and bio, and we’ll also have a link to your newsletter as well.

Uh, so if, if people want to keep up to date um, with enforcement news, uh, definitely make sure to subscribe to that. Um, so yeah, Paul, thank you so much for, for being here today and talking to us about Texas privacy law enforcement. Um, to our listeners, please make sure to subscribe to our podcast so that you don’t miss [00:49:00] the next episode and we’ll see you next time.

Search the Site
Popular Articles
Browse by Category

Comparing Policy Generators

Cookie Consent Banner

Cookie Policy

Culture

Disclaimer

EULA

How To's

Privacy Policy

Terms of Service

Subscribe for Updates
Search the Site
Popular Articles
Browse by Category

Comparing Policy Generators

Cookie Consent Banner

Cookie Policy

Culture

Disclaimer

EULA

How To's

Privacy Policy

Terms of Service

Subscribe for Updates