States Filling the Void on Data Breaches; “Treat Your Data Like You Treat Your Money”

I was struck by two things in a recent law.com story on a settlement involving Marriott International and its subsidiary, Starwood Hotels & Resorts Worldwide. The companies settled with the FTC and 49 state attorneys general regarding three data breaches involving the hotels between 2014 and 2018. These breaches involved millions of records in the U.S. and hundreds of millions worldwide.

States increasing data privacy aggression

The first item of note from the story is that, according to Kelley Kronenberg partner Timothy Shields, “[i]ndividual states are becoming much more aggressive in addressing data privacy concerns absent a federal consumer data privacy law.” This is true not just in data breach enforcement but in all kinds of legislative, regulatory, and enforcement activity across all business sectors.

In what states perceive to be a vacuum created by Congress (and by federal agencies, depending on the Administration), states are rushing to legislate, regulate, and enforce. This was true during the Trump administration, when Democratic state legislatures and attorneys general worked to pass and enforce laws that they felt Washington was ignoring. That's how California birthed the Department of Financial Protection and Innovation (DFPI), its answer to a Trump CFPB that some in the state called asleep at the wheel.

The rush for state action is not always partisan. The Marriott litigation, for example, was joined by 49 states. In 2015, Ohio Attorney General Mike DeWine, a Republican who later became governor, joined with a bipartisan group of 30 other state attorneys general in announcing a major settlement with the three nationwide credit reporting agencies: Equifax, Experian, and TransUnion.

States have been working at a fast clip to pass comprehensive privacy legislation, health care privacy legislation, data broker controls, and more.

“Treat your data as you would treat your money”

Another thing that struck me from the story is that the lesson Shields takes away from the settlement is good advice for consumers. He said that “[i]ndividual [consumers] need to be much more cautious in how they share their information…It will get leaked. Treat your data like you would treat your money. Your personal data is just like currency—take the same precautions.” Those precautions mean making informed decisions about whom you share your data with, and also about when you want to un-share that information. Many businesses offer helpful services to consumers through data sharing, but consumers should take care.
