EPIC: State Data Privacy Laws Failing Due to Too Much Business Influence on Legislation, Inadequate Consumer Redress

A new report from the Electronic Privacy Information Center (EPIC) and U.S. PIRG Education Fund provides scathing criticism of existing state data privacy laws, giving almost half of the 14 states that have laws on the books a failing grade. None received an “A,” and California was alone in receiving a “B.”

The report notes that industry lobbying influence on state data privacy laws has been very strong, and that California is the only state with a model that was not originally drafted by a big tech outfit. The researchers find that these laws tend to require citizens to actively opt out to receive protections, and make investigations and redress for violations too difficult to obtain.

State data privacy laws receive mostly bad grades

Most of the state data privacy laws earned a mediocre “C” or “D” grade from the researchers. Texas, Indiana, Virginia, Utah, Tennessee and Iowa were at the bottom of the pack with failing grades, described as “weak” and “industry friendly.”

Much of this can be laid at the feet of big tech. The researchers analyzed lobbying records from a total of 31 states that had privacy bills up for consideration in 2021 and 2022, and found that representatives from tech industry front groups and the sector’s biggest names (such as Google and Meta) numbered at least 445 active lobbyists and firms working to involve themselves in the lawmaking process.

The central problem the report identifies is that state data privacy laws make rights too difficult for consumers to exercise, and also greatly limit the ability of data subjects to hold violators accountable in court. The situation has essentially amounted to the data gathering industry writing laws for itself. The report directly contrasts the first two of these laws as examples of what to do and what not to do. California’s state law, first passed in 2018, fared the best of all those reviewed. The second law to become active, in Virginia in 2021, is portrayed as being based on draft terms written by Amazon, Comcast, and Microsoft, and brought to the state legislature by one of Amazon’s lobbyists.

The report notes that Virginia’s bill, which ended up being something of a model for other state data privacy laws, does not require informed consent of data subjects; companies can collect essentially whatever they want so long as they disclose it in a privacy policy somewhere. Consumers are given no individual legal recourse against data violators, instead having to rely on the state attorney general to bring a case. And while they have a right to request deletion of personal data, the request must be made individually to each company.

Tech industry giants the most involved parties in formation of state data privacy laws

The report quotes former state legislator Collin Walker in noting (from personal experience) that when a strong bill is introduced in state legislatures, it is immediately beset by industry lobbyists clamoring for it to be changed to reflect Virginia’s terms. Since the Connecticut state data privacy laws went active in July 2023, lobbyists have also begun pointing to them as a desired model; the terms are essentially the same as those in Virginia, but with the provision that some sort of browser tool must be provided to allow consumers to opt out of data collection. That tool can be designed by the data gathering company to fit only very loose specifications.

The tech industry is said to have “at least” 445 lobbyists active as there are no relevant transparency laws that require accurate record-keeping, meaning that number is most likely higher in reality. Big tech is clearly spending a great deal of money to influence these laws, and the results are notable: only two states have requirements on deleting data promptly, California is the only one that prohibits secondary use or transfer and incorporates data minimization principles, and none at all offer special restrictions on the collection and transfer of sensitive data categories.

The one area in which all states provide protection is the right to access, and only two (Utah and Indiana) do not have some sort of right to correct and delete. But, surprisingly, most have limited to no special protections for the data of minors. None of the state data privacy laws include any kind of civil rights protections, and just four (Colorado, Oregon, Texas and Utah) address biometric data.

The six state data privacy laws that received failing grades all used the Virginia model (including Virginia itself), but some watered it down even further. For example, Utah only applies its terms to businesses that make $25 million annually.

While states have clearly been deferring to big tech lobbyists too much thus far, some of this also falls at the feet of the federal government, which has continually failed to get a serious data privacy bill effort underway. The report does highlight some hope going forward, however, as at least four states presently considering privacy laws of their own (Illinois, Maine, Massachusetts, and Maryland) seem to have noted the present failures and are currently putting forward much stronger legislation.