With the announcement last week of its new lawsuit against several tech companies for violating Children’s Online Privacy Protection Act (“COPPA”), the FTC Act, and New Mexico’s Unfair Practices Act (“UPA”), the State of New Mexico Office of the Attorney General appears to be the latest in an expanding list of state attorneys general who are focusing more on the enforcement of federal and state data privacy and cyber security laws.
In its complaint, the New Mexico Attorney General alleges that tech companies designed, developed, and marketed mobile apps for children with embedded coding that allowed them to exfiltrate the children’s personal information as they played with the apps. The embedded coding, known as software development kits (“SDKs”), allegedly allowed the apps to transmit personal data about the children to advertisers. The complaint states that the advertisers then used that data to create detailed profiles about the children, in violation of COPPA and the FTC Act, which prohibit the collection of data from children under the age of 13 without parental consent. The New Mexico Attorney General also argues that the tech companies’ “surreptitious acquisition of their personal information for the purposes of profiling and targeting them for commercial exploitation” also violated the UPA because New Mexico consumers were deceived by the representation made that the apps were complied with the Designed for Families guidelines, when they did not, according to the complaint. The New Mexico Attorney General is asking the court to enter a permanent injunction to prevent future violations of COPPA, the FTC Act, and the UPA, civil monetary penalties, investigation costs, and attorney fees.
While New Mexico only enacted its own breach notification law last year, this new lawsuit indicates that the New Mexico Attorney General may start investigating data privacy and security incidents more aggressively. Companies should familiarize themselves with the notification requirements under New Mexico’s breach notification law and be prepared for inquiries and civil investigative demands related to data security incidents from the New Mexico Attorney General’s Office.