The raucous battle over Americans’ online privacy is landing on states
But industry critics are playing catch-up to a campaign that's made significant headway in several states, including Virginia and Utah, where weaker laws were enacted in recent years.
Tech privacy advocates frustrated by failures on Capitol Hill are looking to mine state capitals for legislative victories.
A broad bipartisan federal privacy bill that died in Congress last year has quickly become the template for a statehouse-by-statehouse campaign to enact tough new restrictions on how Ameicans’ personal data can be mined and shared.
Lawmakers in Massachusetts and Illinois are already proposing privacy measures modeled on the federal bill, and Democrats in Indiana are using it as inspiration to strengthen legislation that’s already been proposed. Four other states have already passed their own data-privacy laws in the past two years — raising anxiety levels among tech companies about a national "patchwork" of hard-to-navigate data rules — but encouraging advocates who see an appetite for broader consumer protections.
“We were wondering if there would be something passed federally. It would definitely guide what we would be doing for the state,” Democratic Indiana state Sen. Shelli Yoder said in an interview. “Because that failed, it put us in a position of needing to do something.”
The new statehouse focus by privacy advocates isn’t necessarily designed to sweep across all 50 states but rather tighten regulations just enough in just enough places to force the industry into a de facto national standard.
They’re hoping to enact state-level privacy proposals that align closely with what Congress attempted to pass with the American Data and Privacy Protection Act: regulations that would limit what data companies can collect and share, create a data broker registry and establish new rights for Americans to delete data about themselves.
But they’re playing catch-up to an industry-led campaign that's made significant headway in several states, including Virginia and Utah, where weaker laws were enacted over the past two years.
The Electronic Privacy Information Center, a D.C.-based nonprofit, is at the center of the multi-statehouse push among privacy advocates. The group has also been pressing lawmakers in Maryland and Michigan to introduce state versions of the measure, and hopes to make inroads in as many states as possible.
They’re leaning on the bipartisan origins of their new bill — which span Rep. Frank Pallone (D-N.J.) on the left and Rep. Cathy McMorris Rodgers (R-Wash.) on the right — to give them an advantage against the large tech industry groups like TechNet and the Internet Association.
And their success may only need a handful of victories.
Like other industries, such as carmakers, chemicals producers and appliance manufacturers, tech companies are loath to establish multiple compliance systems to satisfy different states, and are more likely to set up their systems to accommodate whatever the toughest standard is.
“That’s why when you pick up a bottle of shampoo in New York state, you can read the words, ‘the state of California has forced us to say this product causes cancer,’” said Kade Crockford, director of the Technology for Liberty program at the ACLU of Massachusetts. “It’s the same general idea — the shampoo company isn’t going to make different shampoo bottles for consumers in California and New York.”
TechNet, which represents companies such as Apple, Google, Meta and Amazon, argues that a series of individual state privacy laws, including any that follow the federal regulation, would create confusion for companies and citizens. The group is pushing for a single privacy law instead.
“This is a prime example of why we need a federal privacy law. Inaction by Congress is allowing a patchwork of state laws to grow,” said David Edmonson, TechNet’s vice president of state policy and government relations in a statement.
Caitriona Fitzgerald, EPIC’s deputy director, hopes that a state version of ADPPA creates an alternative to the industry’s push for weaker state privacy laws. The modified bill has a significant advantage over industry proposals because of Congress’ push last year, she said.
“It’s been negotiated by both sides in Congress, industry was looking at it, advocates were looking at it, so much of the work is done for them,” Fitzgerald said. “There’s probably some comfort in that for state legislators, that all those negotiations have already happened.”
So far this year, 16 states have proposed their own data privacy laws with varying degrees of protections. Bills in Indiana, Tennessee and Texas align with the industry-backed model, while regulations proposed in Kentucky and New York provide stronger protections, but are not based on the federal legislation.
During the latest push on Capitol Hill, the American Data Privacy and Protection Act had bipartisan support, passing out of House Energy and Commerce Committee on a 53-2 vote. It had likewise won backing from both the tech industry and privacy advocates, a rare combination that could have opened up a lane to passage, something that 56 percent of Americans supported.
Despite what seemed like a clear path for the bill in Congress, it never came to the House floor as California Democrats, led by then-Speaker Nancy Pelosi, were concerned that the bill would remove the strong protections the state has had since 2018.
So advocates are shifting their strategy, and drawing some inspiration from the tech industry’s own state-focused campaigns: Since 2019, tech industry groups have backed a privacy law framework that came from an Amazon lobbyist in Washington state.
While it failed to pass in its home state, a version of the bill made its way into law in Virginia in 2021, and then in Utah in 2022.
Fourteen different states proposed a privacy law in 2021 built off of Virginia’s framework, and tech industry groups like TechNet and the State Privacy and Security Coalition have gone to states urging them to follow the Virginia model, according to analyses from The Markup, a nonprofit tech-focused publication.
The strategy to counter industry-backed efforts is getting tested in Indiana.
In January, lawmakers there introduced data privacy legislation that mirrors Virginia’s law.
Yoder, the Indiana lawmaker, raised concerns that the bill would require people to opt out of data collections rather than including language to make companies responsible for privacy protections, in addition to key protections against data being used for discrimination.
So she started looking at the state version of ADPPA that EPIC has been recommending. While Yoder isn’t introducing it as a bill, she is using elements of it, like its data minimization requirements, and private right of action. It’s still too early to tell how successful this effort will be, but the federal bill’s track record in Congress gives Yoder confidence.
“I thought the protections were good, I think what was so exciting and encouraging was that it did have bipartisan support,” Yoder said.
In Massachusetts, lawmakers introduced the Massachusetts Data Privacy Protection Act in the House and Senate after several failed attempts to pass privacy regulations in past years. Each time, tech lobbyists argued that strong privacy protections could cost jobs in the tech industry. For Massachusetts, the state with the highest concentration of tech employees in its workforce, those concerns mean a lot to lawmakers.
The state bill’s introduction comes with modifications from the American Civil Liberties Union of Massachusetts, which advised on the legislation. Some changes include adding workplace surveillance protections, and removing data security requirements because Massachusetts already has laws that require them.
“We hope that legislation that has been so carefully hashed out by so many of the actors involved, and frankly endorsed by many of the most prominent tech companies in D.C., will have a better chance of success in Massachusetts,” the ACLU of Massachusetts’ Crockford said.
But these small changes will attract criticisms from both tech industry groups as well as the lawmakers behind ADPPA on Capitol Hill.
Rodgers, the chair of the House Energy and Commerce Committee, said that Congress needs to take action, and wants to avoid states moving ahead with their own proposals.
“We appreciate these states recognize that ADPPA is the strongest data privacy and security bill out there,” Rodgers spokesperson Sean Kelly said, “but the best way to accomplish this is with comprehensive privacy protections and one national standard — not by doing it piece by piece or state by state — to ensure people's protections remain the same regardless of where you are."