Tech companies spent the last decade keeping federal privacy regulators at bay, and now they’re turning to the states to do the same.
Rather than wait for state legislatures to act on consumer privacy, tech companies have been busy pushing bills through themselves, a preemptive move to head off tougher laws.
California passed the strongest privacy law in the United States in 2018, jolting the tech industry into action. Rather than waiting for states to copycat California, it backed a series of bills, each weaker than the last. Virginia, Colorado and most recently Utah have passed privacy legislation, and there are now bills under consideration in at least 22 states.
The existing laws are “so basic, it’s like 5 percent of what we need to do on privacy,” said Electronic Privacy Information Center Deputy Director Caitriona Fitzgerald. “Because we really are at a crisis point. The problem with the state bills getting passed is now state legislators will feel like they did something for privacy when really, they have not.”
Privacy advocates say this rising wave of legislation will have minimal impact on the biggest tech companies — and in many cases lacks sufficient teeth when it comes to enforcement.
More broadly, those who argue for stronger privacy rules worry that the tech industry, including Amazon, Google, Meta (formerly Facebook) and AT&T, to name a few, will head off any chance that the United States ever enacts a strong national privacy law. When Congress considers what a federal law might look like, it is likely to look first at the laws already on the books in the states.
The State Privacy and Security Coalition (SPSC), which represents major technology companies, said the push for legislation is in the public’s interest. Its members include companies working in social media, search engines and telecommunications; among them are Meta (formerly Facebook), AT&T, Amazon and Walgreens. Another member, TechNet, is a bipartisan national network of technology CEOs and executives dedicated to growing the “innovation economy.”
“The State Privacy & Security Coalition supports efforts to give consumers greater transparency and control over their data,” the coalition said in a statement. “Our multi-industry coalition provides substantive expertise to state policymakers, including context on the operational implications of policy proposals and how to help align state privacy laws given the absence of federal law, which we believe is the best solution.”
There is little public information about the group. It has no website, but Grid asked more than 25 companies listed as involved in the SPSC in a 2020 public letter to the Pennsylvania legislature for comment on privacy advocates’ contention that the group is working to pass weak privacy laws. Walgreens and Lumen declined to comment, and Meta provided a statement.
“We continue urging Congress to pass comprehensive federal privacy legislation and will keep working with state legislatures as they take the lead in updating their privacy rules,” said a Meta spokesperson. “Because data flows don’t stop at a state’s borders, a federal privacy law is the optimal solution versus an inconsistent state-by-state patchwork that creates confusion for consumers and uncertainty for businesses.”
The other companies listed in the 2020 letter did not respond to Grid’s inquiries.
So even while Americans favor stronger privacy protections — a recent Morning Consult poll found that 83 percent of voters support Congress passing national data privacy legislation — the reality is that the laws they get might not be as strong as advertised.
“What we’re seeing is the industry push weak laws now so that they can pat themselves on the back and say that ‘the privacy bill got passed’ while it’s just the minimal rights for users and consumers,” said Fitzgerald.
The privacy state of play
The U.S. places few limits on what companies can do with personal data, in sharp contrast to the EU’s landmark General Data Protection Regulation (GDPR), which took effect in 2018. China also recently adopted a national privacy law, the Personal Information Protection Law (PIPL), which took effect in November 2021. The EU and Chinese laws both set nationwide data protections, including requirements to notify users of data breaches, and take similar approaches to regulating data processing. Both are also designed with extraterritorial reach, meaning they apply to how the data of people within the EU or China is processed outside those borders.
The U.S., by contrast, has relied on an overlapping set of sector-specific laws, mostly known by their confusing acronyms, to regulate people’s privacy. They do so in a variety of ways that aren’t always well understood by the public. Take the Health Insurance Portability and Accountability Act (HIPAA), for example. This law applies to health information held by “covered entities” such as doctors, hospitals and health insurers, and by the contractors that process data for them. But it is not a catchall for health data privacy; it does not protect the health data on your Fitbit.
Another example is the Video Privacy Protection Act (VPPA), which protects VHS rental records (and was much more relevant to daily life when it was enacted in 1988). A third law, the Children’s Online Privacy Protection Act (COPPA), limits what kind of data companies can collect on children younger than 13.
The Federal Trade Commission is empowered to go after apps or websites that violate their own privacy policies, which happens more than you may think.
This still leaves the sharing of most personal data among third parties and advertisers largely unregulated. The FTC’s authority is limited to “unfair or deceptive” acts or practices, so if a company discloses what it is doing in its terms of service, which people rarely read, that disclosure can negate much of its legal exposure.
Even the federal government, which generally needs a warrant to compel a carrier to hand over a person’s location history, can simply buy that data instead. Cellphone carriers have sold subscriber location data to aggregators, and through resellers the location of an individual number has been bought for as little as $300.
This has left data protection laws largely to the states. California was the first state to enact a comprehensive consumer privacy law, the California Consumer Privacy Act (CCPA), in 2018; voters expanded it two years later by approving the California Privacy Rights Act (CPRA). Both are modeled in part on the EU’s GDPR. The law lets consumers sue a company when certain personal information is exposed in a breach caused by a failure to maintain reasonable security, and the CPRA directs regulators to give consumers access and opt-out rights over businesses’ use of automated decision-making, including profiling.
Tech stops the bleeding
The California laws got the attention of Big Tech, which jumped into action in other states. A privacy bill in Washington state driven by Microsoft and Amazon had repeatedly stalled (it failed again in April 2021), but Virginia pushed a similar law through in a matter of weeks in early 2021, alarming privacy advocates. Colorado quickly followed, incorporating elements of the Virginia law. Utah followed suit last month, with legislation that passed in weeks and incorporates elements from the Virginia and Colorado laws.
Tech lobbying groups, and one in particular, the SPSC, have registered as lobbyists in all three states and in Iowa, where a law like Utah’s is in the works. Sponsors of the Virginia and Utah laws have also taken political donations from companies behind these industry groups, in some cases to the tune of over $10,000.
A blitz of bills
The tech industry’s most recent successes share key provisions.
Opt-out: For targeted advertising and the sale of personal data, all of the existing state privacy laws only require companies to let users “opt out” of sharing their data rather than setting the higher standard of opting in. This puts the onus on the individual to take action, rather than on the companies.
“There’s no opt-in consent, which is the gold standard for consent,” said Nate Wessler, deputy director of American Civil Liberties Union’s Speech, Privacy, and Technology Project. “And companies have every incentive to make opt-out hard and to make opt-in easy.”
It can be challenging for people who are less technologically savvy to click through reams of notifications or dive deep into an app’s data settings to finally find a way to opt out of certain data-collection practices.
Wessler also said the types of data collection Utah residents are able to opt out of are incredibly narrow — information processing for targeted advertising and sale of data, but not the internal use of data for other purposes.
The Utah law is also the only one of these laws that applies to a company only if it meets both a revenue threshold and a data volume threshold, meaning how much personal data it controls or processes. The result is that it will cover far fewer companies than the other state laws.
Wessler pointed out that companies will be able to discriminate against individuals who choose to opt out of targeted advertising, potentially in the form of having them pay more or supplying them with an inferior product. The Utah law says that when it comes to people who opt out of targeted advertising, companies are not prohibited from “offering a different price, rate, level, quality, or selection of a good or service.”
“Another important thing to keep in mind about opting out of the sale of your data, is that’s going to have zero effect on the behemoths in the market, Facebook and Google, because they don’t sell data,” he said. “While they ingest data about users, they do not sell data. Rather, they’re offering tools, queries and all kinds of fancy things that other companies pay for.”
The Utah law could allow large companies to serve hyper-targeted advertisements based on the profiles they have already built about people, said Jake Snow, senior staff attorney at the ACLU’s Technology and Civil Liberties Program.
“That’s because ‘targeted advertising’ under the law is limited to tracking ‘across nonaffiliated websites,’ which could allow Google, Facebook and Amazon to use internally built profiles to target ads, even if someone has gone to the trouble of opting out,” said Snow. “This is a common problem with a lot of the privacy laws coming out of the states.”
Legal action: The last three laws passed, in Utah, Virginia and Colorado, give users no right to take a company to court for exposing their personal data, according to Jesse Lehrich, a co-founder of Accountable Tech, a civil society organization working to bring about long-term structural reform of surveillance and social media companies.
“With a lack of a right of private action, there’s just no teeth to any of this,” he said. Enforcement of the Utah law and punishment for violations are instead left to Utah’s attorney general; Virginia and Colorado likewise leave enforcement to state officials. Among the four states, only California’s law gives individuals a right to sue, and only over data breaches.
“A private right of action is industry’s No. 1 target,” said Fitzgerald. “They do not want a private right of action.”
Fees: The Utah law also borrowed from the Colorado and Virginia laws when it comes to charging consumers fees for responding to requests for their personal data. Colorado allows a business to charge a consumer who makes a second request about their data within a 12-month period. Virginia allows businesses to charge consumers whose requests are excessive or repetitive, among other stipulations. Utah’s law allows companies to do both.
Corrections: Utah goes further in favor of tech companies in at least one way: Unlike California, Virginia and Colorado, it does not require companies to fix a user’s data if it is incorrect, a protection known as the right of rectification or correction.
There are other state bills currently under consideration that might serve as alternative models. Bills in New York and Massachusetts do offer private rights of action, and in New York, two bills under consideration also include the elusive opt-in requirement, as opposed to the opt-out model in the laws passed so far.
Big Tech follows an old industry playbook
The technology industry is following an age-old playbook when it comes to getting some of these bills across the line — band together in a benignly named organization and put people on the ground while wielding clout and influence.
In the case of Utah, two organizations testified in favor of the bill and offered suggestions in writing it: the SPSC and TechNet.
“I really want to be upfront about this and my hope that a Utah model could be copied in other states,” said Anton van Seventer, counsel to the SPSC and an attorney with DLA Piper, during a hearing on the Utah bill, according to Axios. “It could serve as the most updated and streamlined model for state privacy legislation in the U.S. today.”
The emphasis on a streamlined model leads critics to think these groups are developing a playbook to carry out in other states. In Virginia, Colorado, Utah and Iowa, the SPSC has registered as a lobbying group around periods when privacy bills were passed or under consideration.
“These laws are getting passed very quickly with Big Tech and others using industry groups to do their bidding,” said Fitzgerald.
She points to Virginia as the first state where advocates were caught off guard when a privacy bill went from introduction to final passage in a matter of weeks. Fitzgerald also said that some industry groups are easily able to weigh in on legislation, if not present initial drafts of it.
David Marsden, a Democratic Virginia state senator who helped guide the Virginia law through the state’s legislature, told Protocol that critics who called Virginia’s privacy law “industry-approved” weren’t totally wrong. It was an Amazon lobbyist who presented him with a first draft of that privacy legislation.
The SPSC also sits on the Data Protection Act Working Group in Virginia, which is chaired by Cliff Hayes, the Democratic delegate who introduced the Virginia privacy bill.
“In Virginia, there was really little to no involvement or even interest in involving consumer privacy groups,” said Fitzgerald. “And we saw the same play out in Utah over the last few weeks.”
The Utah bill had been introduced several years in a row but passed this year after legislators removed more onerous sections, according to Caden Rosenbaum, a tech and innovation policy analyst at the Libertas Institute, a nonprofit think tank. Rosenbaum, who testified against the bill, also flew out to Utah multiple times while it was moving through the legislature to speak with lawmakers.
“Another thing I think was happening is that a lot of these trade associations that have been traditionally fighting against state privacy laws realized there’s a point where we’re going to have a privacy bill in each state, and we can either go with whatever happens, or we can support one that’s going to be at least reasonable,” said Rosenbaum, when asked about the process of passing the bill.
He said he testified against the bill not because of being against data privacy, but because the Utah bill was another piece of poor public policy at the state level when the federal government really needed to step in and set a standard for states to follow.
“There is a feeling, not mine, that if another state law is passed to add to the patchwork, that it will help force federal action,” Rosenbaum said. “I think that is one of the driving factors of why it passed unanimously. I don’t think it’s great. I don’t think it’s good public policy to add to problems. But that was definitely part of the reasoning.”
Republican Utah State Sen. Kirk Cullimore, who sponsored the Utah Senate version of the bill, did not respond to requests for an interview. Republican State Rep. Brady Brammer, who sponsored the House version, declined an interview request.
Both Cullimore and Brammer received political donations from companies in the SPSC in January 2022. Cullimore received political donations from AT&T, while Brammer received political donations from Comcast.
“I can generally say that there’s certainly the potential for influence from industry giving money to legislators,” said Yosef Getachew, director of the Media and Democracy Program at Common Cause.
Apple, originally a member of the SPSC, announced March 7 that it was withdrawing from the group. Politico reported that Apple made the decision over concerns that the SPSC is pushing privacy legislation that doesn’t adequately protect user data.
Apple and the SPSC did not return requests for comment on Apple’s withdrawal and the reasoning behind it. Microsoft, which quietly left the SPSC in July of 2020 because the company “disagreed with their advocacy for weak privacy laws,” told Grid that it supported stronger privacy laws, taking direct aim at the Utah law.
“For consumers to trust the technology they use, they need to trust that their data is private and under their control,” a company spokesperson said in a statement. “In the absence of a federal law, we’ve engaged with states in support of laws that provide strong privacy protections for consumers. While some states have advanced meaningful laws, we’ve witnessed the emergence of industry-driven legislation in states like Iowa, Ohio, and Utah that offer only limited protections. We will continue to advocate for more robust laws that offer the privacy protections consumers deserve.”
Getachew noted that the implications of privacy laws extend well past traditional technology companies.
“A lot of the telecom companies have engaged in certain data practices that implicate them and privacy bills, and a lot of telecom companies are working businesses outside of the traditional telecom model,” said Getachew. “So for example, take Comcast — they provide a cable service, broadband service and mobile service. They are potentially using all those data points interchangeably to build profiles and learn more about the customer base.”
The Markup identified 14 state privacy bills that borrow from the Virginia model, mainly by using an opt-out rather than an opt-in mechanism and by omitting a private right of action.
Lehrich, of Accountable Tech, said it is clear that industry groups have concluded that no federal privacy legislation is passing any time soon. They have turned their attention to the states, trying to shape the status quo or to erect a weak one.
“They have more sway at the state level,” he said. “At the state level, it’s so much easier for them to swoop in with little scrutiny and have a really massive impact on the shape of legislation there.”
Thanks to Lillian Barkley for copy editing this article.