Why Are State Privacy Laws Getting Worse?

COMMENTARY

In an alternate universe, the new crop of privacy laws in Iowa, Indiana and Tennessee could have been cause for celebration, marking a growing number of consumers around the country enjoying strong new protections over their personal data. In reality, instead of cheers and congratulations, there was a collective shrug from the privacy community that betrayed a growing skepticism: Is this really the best we can do? 

The passage of bills in Iowa, Indiana and Tennessee brings us to nine total state comprehensive privacy laws, a figure that would have seemed optimistic just a few years ago. However, too many of these laws do not provide meaningful privacy protections for consumers, which leaves one questioning whether each successive passage should still really be celebrated as progress. As with the Utah Consumer Privacy Act that passed last year, these new laws do little to directly address the vast data collection and processing apparatus, leaving consumers effectively as unprotected as before.  

With the prospect of Congress passing a national privacy law looking dim after the failed attempt to advance the American Data Privacy and Protection Act last year, the future of privacy legislation hinges on state action. Knowing this, many technology companies are increasing their presence and influence in states to push weak bills that won’t impact their business model of profiting from the data they gather from ordinary people. They have even created a dedicated trade association — the State Privacy and Security Coalition — to enact illusory protections such as those contained in the Iowa, Indiana and Tennessee bills. 

When the groundbreaking California Consumer Privacy Act was enacted several years ago, many observers expected other state lawmakers to follow suit. But the law’s complexity, much of it rooted in California-specific politics, has limited its appeal as model legislation.

Unsurprisingly, technology companies deployed their lobbyists and surrogates to push an alternative model, based on the weak Virginia law passed in 2021, leaving consumer advocates on defense. Even in the states that subsequently improved on the Virginia model, including Connecticut and Colorado, their coordinated advocacy prevented even stronger consumer protections from becoming law. 

To some extent, industry’s outsized influence is inherent to legislating on the state level. Companies that disapprove of certain bills, or even specific provisions contained within them, can credibly threaten to pull back funding for key local projects, or leave the state entirely, if they don’t get their way. 

As a result, all of the existing state laws and the vast majority of proposals are based on an opt out model, which places the burden of privacy protections entirely on the consumer.

This arrangement forces consumers to individually track down every single business that collects their data and request to opt out. This is a hopelessly laborious and time-consuming process that subverts consumer preferences by essentially running out the clock. Predictably, industry proposals tend to favor this approach.

One of the concessions advocates won in Connecticut and Colorado was the inclusion of a universal opt out, which allows people to set their opt out preferences once and requires businesses to honor them. All state privacy laws that take the opt out path (as opposed to being based on strong data minimization requirements) should include this provision. 

Weak industry bills like the Iowa, Indiana and Tennessee measures are also riddled with broad exemptions and narrow definitions. Companies can evade the law by “sharing” information instead of “selling” it and they can still target certain types of advertisements to consumers even after they opt out.

Iowa and Tennessee’s bills in particular completely exempt the right to opt out of cookie-based tracking, effectively excluding online advertising altogether. Moreover, industry bills also often allow companies to deny service or charge consumers extra for exercising their “right” to opt out, completely undercutting consumer autonomy. And enforcement of these bills is almost always left to the chronically underfunded offices of attorneys general. The idea that individuals should be able to hold businesses accountable for violating the law through a private right of action is an anathema.  

There is still hope in several states such as Illinois, Massachusetts, New Hampshire, New York, Oklahoma, Oregon and Vermont that are all working to pass stronger laws. 

Thankfully, Montana recently reminded us that there is an alternative, bucking the industry bill trend by passing decent legislation that includes universal opt out provisions. Americans deserve to be protected by default and lawmakers should not let the biggest privacy violators set the terms of what a privacy law should look like.

State legislatures need to take action to advance legislation, like our model bill, that could eventually lead to a strong, national law that will protect the privacy of all Americans. 

Matt Schwartz is a policy analyst at Consumer Reports, where he focuses on privacy. Previously, he worked on technology policy and internet governance issues for ACT | The App Association and New America. He grew up in San Diego, California, and received a B.A. in Political Science & International Affairs from Wake Forest University and an M.P.P. from Georgetown University’s McCourt School of Public Policy. He can be reached on LinkedIn.