Tech lobbyists are running the table on state privacy laws

The tech industry has largely co-opted the once-dreaded “patchwork” of state rules — and its success is sapping momentum for federal legislation.

Tech lobbyists are running the table on state privacy laws

As Oregon lawmakers got ready to pass tough new digital privacy protections for their citizens this spring, they considered a major new approach to enforcement: giving citizens the right to sue companies for violations.

Consumer advocates, who had worked for three years to help draft the bill, saw it as a model for other blue states to follow, pushing back against an industry built on scraping and monetizing people’s data.

Their excitement didn’t last.

When debate on the bill finally kicked off this spring, the legislation was immediately set upon by the tech lobby. Representatives from TechNet, the Computer and Communications Industry Association and the State Privacy and Security Coalition successfully urged Oregon’s legislators to kill that key provision, known as a private right of action.

“It is frustrating for me as a legislator, learning that lobbyists in many cases win the day based on the information that they’ve provided to members and members not necessarily taking a step back and looking at the bigger picture,” the lead sponsor, Democratic Sen. Floyd Prozanski, said in an interview.

It’s not just Oregon. A POLITICO analysis of every state privacy law passed in 2023 shows that the tech industry has notched a steady series of wins. In Oregon and the six other states that passed legislation between January and July, lawmakers enacted bills that bore clear hallmarks of lobbying influence. If any legislation emerged that would impose stronger privacy protections, industry successfully watered it down.

“The tech lobbyists are kind of winning,” said Matt Schwartz, a policy analyst for Consumer Reports. “They’ve pretty much gotten their way.”

The tech lobby’s rash of state-level successes marks a turning point in America’s long-running fight over digital privacy protections. When California passed the nation’s first comprehensive data privacy law in 2018, lobbyists worried its strict protections would quickly spread to other states. But the tech lobby has instead run the table, pushing through industry-friendly laws in 11 states. The victories have come in both red and blue states, highlighting the tech industry’s sway. And to date, no state has followed California’s model.

“One thing that I think everyone assumed was going to happen when just California had passed a privacy law was that basically every other liberal state would pass a pretty similar law very quickly after,” said Ashley Johnson, a senior policy analyst at the Information Technology and Innovation Foundation think tank. “That hasn't really happened.”

The tech lobby is proud of its achievement. TechNet CEO Linda Moore said her group “worked hard to make sure” that the industry-friendly bill passed in 2021 by Virginia became the template nationwide. At an event held on Capitol Hill last month, Jordan Crenshaw, head of the U.S. Chamber of Commerce's Technology Engagement Center, said that “with the exception of California, we've actually seen ... states pass privacy legislation that all tend to go around the Virginia model.”



The tech industry’s success in the states has also changed its calculus in Washington, D.C. After years spent bombarding Capitol Hill with warnings that a state-by-state privacy “patchwork” is untenable, lobbyists are now spending less time and money on Congress.

In lobbying disclosures for the first three quarters of 2022, NetChoice — a powerful tech group that counts Amazon, Google, TikTok and Meta among its members – listed “a national standard on privacy legislation” as one of its priorities. But that language disappeared from those forms in the last quarter of 2022 and has not reappeared.

Carl Szabo, general counsel at NetChoice, said his organization needed to channel its limited lobbying resources into statehouses. “That's where a lot of the time and energy ends up getting spent,” Szabo said. And it’s not just NetChoice. Graham Dufault, general counsel at ACT — The App Association, said his group is “spread thin” addressing the recent spate of state privacy bills.

Hayley Tsukayama, senior legislative activist at the Electronic Frontier Foundation, a digital-rights nonprofit, said the tech lobby may even be hoping to pass more industry-friendly state privacy laws before turning its full attention back to Washington. If the tech industry can reach critical mass in enough statehouses, it could “influence what a federal law may look like,” she said.

“They say they want a federal privacy bill, but I can’t imagine that they would make trouble for themselves where they don’t need to,” Tsukayama said.

Tech takes over the patchwork

The tech industry’s drive for a federal privacy law began immediately after the 2018 passage of the California Consumer Privacy Act, which tech lobbyists called unworkable and unduly burdensome. Industry launched a two-pronged approach to ensuring it didn’t catch on as a national model.

The first move was to urge Congress to pass a national data privacy law — one that would preempt all state laws to avoid a complex patchwork of rules that they warned could cost businesses as much as $1 trillion. That number was based on a study released by ITIF, which often promotes policies that conform with industry interests.



The second strategy was quieter, but just as dedicated. It started after it became clear a quick fix from Capitol Hill wasn’t coming, with the two parties stuck in a debate over whether to preempt state privacy laws and allow people to sue companies for violations.

As Congress dithered, the tech industry was forced to play defense in the states.

An opportunity to counter California’s privacy rules arrived with Virginia in 2021, where the state’s Consumer Data Protection Act had the tech industry’s fingerprints all over it. The first draft of the bill was written by an Amazon lobbyist, and input on how to implement the law came from industry groups like CCIA and SPSC.

Virginia’s rules soon became the model for state privacy regulations, finding their way into nearly every law that later passed. States would have different variations — but ultimately, the tech industry was setting its own bar for privacy rules across the country.

“Industry has an inordinate amount of influence on what happens in these bills,” said Schwartz. “The reality is, we’re working off a model in many of these states that was introduced by Amazon.”

Additional successes in places like Colorado, Utah and Connecticut gave the tech lobby an even greater edge. It could now point to a growing body of industry-friendly laws and warn state legislators that deviating from those templates would cause chaos for businesses operating across state lines.

“Even minor statutory divergences between frameworks can create onerous costs,” said Khara Boender, CCIA’s state policy director, in her June testimony on Delaware’s privacy law.

Connecticut’s approach became the favored one for the tech lobby following its passage of a privacy law in 2022. While slightly stronger than Virginia’s law –—it gives people the ability to “opt out” of their data being processed for things like targeted advertising with a single click, for example — it was still mostly based on the Amazon-inspired legislation. And because it was somewhat stricter, lobbyists could successfully sell it to Democratic states like Oregon.

“Connecticut, being the strongest of the weaker bills, does appeal to some of the legislatures, where it’s like, ‘Well, this was clearly a good compromise,’” said Tsukayama.

Washington on the back burner

In a drab conference room tucked into a corner of the Rayburn House Office Building, Rep. Suzan DelBene (D-Wash.) was begging a group of tech lobbyists to dial up pressure for a federal privacy bill.

“We need to make sure folks have a huge sense of urgency around this,” said DelBene, the chair emeritus of the moderate New Democrat Coalition, speaking at July’s relaunch of United for Privacy — a coalition of over two dozen tech groups that had reconvened to pressure Congress on a privacy bill.



From the sidelines of the meeting, some industry reps said it should not have taken them more than six months after the start of the new Congress to start beating the privacy drum.

Dufault admitted lobbyists should have pushed Congress on a privacy law “earlier and more often” in 2023. He said The App Association, which is funded in significant part by Apple, spent much of this year recovering from the “hangover” of last year's antitrust fight in Congress, where it devoted the bulk of its resources working to defeat bills that would have weakened Apple and Google’s power over the mobile app marketplace.

Early optimism that leaders on the House Energy and Commerce Committee would replicate a bipartisan deal negotiated last year on the American Data Privacy and Protection Act gave way to cynicism, after lawmakers failed to reintroduce the bill before the August recess.

The delay is in part a function of efforts by House Republicans, including Energy and Commerce Chair Cathy McMorris Rodgers (R-Wash.), to renegotiate portions of last year’s privacy deal now that the GOP holds the majority. And although tech lobbyists continue to say that a federal privacy bill is urgently needed to preempt a patchwork of state laws, some are willing to wait on a better bill. While Moore broadly backed last year’s privacy deal in the House, the TechNet CEO now says she “generally" supports McMorris Rodgers’ effort to tweak the bill in a pro-industry direction.

Although tech lobbyists have largely dominated the privacy debate in state capitals, they’re not declaring victory — or giving up their quest for a federal standard.


“It definitely could’ve been worse,” said Dufault. “But we are definitely gearing up for major costs and major compliance issues that will nonetheless be high enough that we are highly motivated to get something done [in Congress].”

While admitting that some of his members aren’t particularly engaged in the push for a federal privacy law, Dufault said that could change if more state laws are enacted and companies start being pulled in conflicting directions.

Industry is also keeping a close eye on California, which has since passed another round of privacy rules that gives a state agency new rulemaking powers. After touting the tech lobby’s many statehouse wins at last month’s meeting, Crenshaw cautioned the assembled lobbyists about “what could go wrong,” including the emergence of an even stricter set of rules out of California or new rights for people to sue companies over privacy breaches.

But while lobbyists fret that their luck could still turn, privacy activists see few paths forward in the states — and are increasingly pessimistic about their ability to beat the tech industry.

“It’s bleak out here for consumer advocates,” Schwartz said.