
Crossing the Aisle on Data Privacy Laws: Explaining the Disconnect Between What People Want and What Lawmakers Pass

Data privacy is an issue that draws attention from every corner of American society. There are consumers on the one hand, who are fiercely protective of their digital rights, and the big tech and advertising giants on the other, wielding their massive influence at the expense of ordinary citizens.

The result? A data privacy tug-of-war, which is now routinely used across the U.S. as a political weapon. While some view this conflict as a means to regulate Big Tech, others seek to exploit it to cater to the AdTech industry – frequently sidelining consumer rights in the process.

This weaponization of data privacy has occurred in part as a result of pressure from lobbyists, exerted across state lines. Often following party demarcations, these pressures have led to a patchwork of state privacy laws, resulting in different levels of personal data protection for citizens depending on their state of residence.

California’s recent adoption of the “Delete Act” or S.B. 362, authored by State Senator Josh Becker and signed into law by Gov. Gavin Newsom this month, epitomizes the potent political nature of data privacy. This legislation, which is among the most protective for consumers anywhere in the U.S., was enacted at an unprecedented speed.

Of course, California has long set the pace with its consumer-focused privacy legislation like the CPRA.

The CCPA and CPRA already gave Californians expanded control over their personal information, including the right to delete it. But to do so means having to ask every single data broker to delete their data. This is obviously a difficult and laborious task, and still tips the balance of power and control over the data in favor of brands and companies, not consumers.

Now, with the Delete Act, consumers will be able to delete all personal information held by all data brokers registered in California, under one single request.

One of the common criticisms of data privacy laws is that while robust protections may exist in theory – like the ability to request that personal data be deleted – in reality, it’s difficult for individuals to actually assert their rights. The Delete Act changes this by giving back full power, ownership, and control over data to the individual consumer.

Overcoming lobbyist influence

Although the Delete Act is a significant victory for consumers, lobbyists and lawmakers must tread carefully with data privacy. Weaponizing such a critical issue can backfire, as demonstrated in Montana earlier this year. There, tech lobbyists aimed to weaken proposed privacy laws but were met with unexpected resistance. State Senator Daniel Zolnikov exposed the double play of these lobbyists, who were promoting stringent regulations in other states like Maryland and Connecticut while seeking leniency in Montana.

These lobbyists in Montana had been seeking to eliminate the universal opt-out, a crucial tool allowing users to deny online tracking by default. They also pushed to limit the definition of a “sale” exclusively to data traded for monetary value. Fortunately for Montanans, these efforts were thwarted. Zolnikov, alongside Consumer Reports analysts, reshaped the state’s privacy law into S.B. 384, instating robust regulations.

On May 19, Montana’s Governor Greg Gianforte ratified S.B. 384, enacting one of the strongest privacy laws in a Republican-majority state, inclusive of a universal opt-out clause. As well as being a win for Montana’s residents, this development underscores a vital lesson: data privacy need not be wielded for party-political ends.

So, the lobbyists ultimately didn’t get their way in Montana. But for an idea of the kind of proposed bills that arise under the influence of lobbyists representing tech giants like Google, Meta, and Amazon, look no further than Virginia. There, a data privacy measure drafted by Amazon lobbyists was marketed as a positive move toward protecting citizens’ digital privacy rights. But beneath the surface, the new policy primarily served the interests of tech giants. Take, for example, how the law allows companies to engage in “pay for privacy” schemes. Brands can set different prices, deliver variable quality, or limit choices for goods and services when consumers opt out of having their data sold or used for targeted advertising.

The future for data privacy

So how do we navigate beyond viewing data privacy as a political tool?

One thing that lobbyists, lawmakers, business leaders and even consumers would do well to remember is that a consumer-first approach to data, above all, actually reflects the growing wishes and expectations of Americans.

While Americans don’t agree on much these days, one thing they’re clear on is that they don’t want businesses taking liberties with their personal data. In fact, a recent Magna/Ketch survey found that three-quarters of consumers highly value their data privacy.

Data privacy, therefore, is an issue that everyone — from Manhattan, NY, to Manhattan, MT — cares deeply about. The reason for that is clear: while some ethical or moral issues feel abstract, privacy is concrete, universal, and deeply personal. Nobody feels personally constrained by data-privacy rules, and nobody wants big businesses poking around in their personal information.

As data privacy initiatives such as Montana’s S.B. 384 and California’s S.B. 362 gain traction and even begin to reflect the wishes of most Americans, we must consider what comes next in the U.S. data privacy landscape. Will these state-specific regulations guide a national standard or even serve as templates for global counterparts?

While some anticipate that more states will emulate California’s stringent measures, it’s worth noting that the trajectory of data privacy in the U.S. is not fixed, and states will likely continue to carve out their own distinct positions. This diversity underscores the reality that, for the time being, data privacy remains susceptible to regional political influences.

What we can expect, however, is that enforcement of data privacy laws across the country will largely be the same. Lawmakers are likely going to go after egregious violations, ensuring businesses uphold their pledged data practices.

So, will there be a federal privacy law to ensure uniformity and continuity across the states? Maybe. But if there isn’t, it largely doesn’t matter – because enforcement will look the same across the states.

In the meantime, it’s up to all of us who care deeply about data privacy to keep pushing for better, consumer-first protections, at all levels of society and business. Transcending political allegiances is a sure-fire way to move the needle on data privacy, securing rights for more and more Americans, no matter their political affiliation or resident state.