State lawmakers find bipartisan support for stronger privacy protections
State efforts to pass privacy legislation are heating up in the absence of federal progress on the issue.
On May 19, Montana Governor Greg Gianforte signed the state’s own privacy law — SB 384 — which advocates say is one of the strongest privacy bills passed in a red state.
Montana State Senator Daniel Zolnikov, who introduced the legislation, told Recorded Future News that he has been working to get a data privacy bill passed in the state since 2013 and was most proud of the fact that Montana is the first Republican-controlled legislature to pass a data privacy bill with a universal opt-out provision – what he called the “button that allows you to not be tracked online.”
Several states have had difficulty getting such provisions into their data privacy bills because of fierce pushback from companies that have successfully fought for a specific verification – effectively an additional step many businesses hope consumers won't take – to avoid the opt-out.
But Zolnikov modeled the bill off of one passed in Connecticut last May that says browsers can be set to ‘opt-out’ as a default, making it difficult for companies to get around selling consumer data.
“So if you get that extension in your browser, then you can opt out of being tracked by everybody. And that is only passed in a few states,” he said.
“I know there's been eight or nine states that have done [data privacy laws], but no Republican state has put that into their law and no Republican state has passed a law this strong. This is very exciting that this thing got passed.”
Montana joins California, Colorado and Connecticut as one of the states with the most consumer-friendly data privacy bills passed so far.
Matt Schwartz, policy analyst at Consumer Reports, has been tracking data privacy bills across the country and lauded Montana’s bill for including the right of consumers to access, delete, and stop the sale of their personal information.
He noted that Consumer Reports worked with lawmakers to improve the legislation by adding universal opt-out provisions and removing certain exemptions.
The bill bans the use of so-called "dark patterns" in obtaining consent, something the Federal Trade Commission has repeatedly raised concerns about. The term refers to tactics like disguising ads to look like independent content, making it difficult for consumers to cancel subscriptions or charges, burying key terms or junk fees, and tricking consumers into sharing their data.
It also places a sunset on the “right to cure” in administrative enforcement – so that after April 2026, companies will no longer have a “get out of jail free” card for failing to protect consumer privacy, Schwartz said.
The law is scheduled to go into effect on October 1, 2024.
The bill in Montana becomes the third data privacy bill passed this year following efforts from Iowa and Indiana. Overall, Montana is the ninth state to pass any kind of overarching data privacy bill.
California was the first to pass a bill and was followed by Virginia, Colorado, Connecticut, Utah, Iowa and Indiana. The CPRA in California and VCDPA in Virginia went into effect at the beginning of 2023 while the CTDPA in Connecticut and CPA in Colorado will go into effect on July 1, 2023. The UCPA in Utah will go into effect on December 31, 2023.
Tennessee’s governor signed a comprehensive data privacy bill into law last week that has been heavily criticized by experts for including numerous loopholes. Schwartz called it a “very weak bill” that said consumer rights did not apply to pseudonymous information like most online cookies.
This provision “rendered the right to opt-out of targeted advertising largely meaningless,” he said.
Texas has versions of data privacy bills that have passed in the House and Senate but are currently in committee to hash out differences.
Schwartz noted that with Texas, one of the biggest issues is that the Senate version included a universal opt-out provision while the House version did not – leaving experts in limbo about whether the bill will be effective or not.
Privacy law expert Dan Clarke, who has worked with legislators in multiple states on their own data privacy bills, said there is significant momentum in several statehouses to get data privacy bills over the finish line.
Clarke said a bill in Florida is likely to get passed this year but others in New Hampshire and New Jersey are either being tabled or narrowed in scope.
Many of the bills getting passed are inspired by those in Virginia and Colorado — generally considered to be more business-friendly compared to consumer-focused bills in Connecticut and California.
Clarke noted that the bill in Texas is emulating both Virginia and Colorado with certain provisions but also has unusual exemptions for what it considers “small businesses” – those with revenues between $1 million and $40 million or under 1,500 employees.
But he said Texas is on the stronger side of the copycat laws and “joins the list of states aiming to put their stamp on privacy by deviating from what’s already out there.”
“All that to say, there is no end in sight to the rapidly growing list of states attempting to close the federal privacy gap,” he said. “We’re still a long way from a simplified privacy in the United States, despite the parallels in proposed bills to existing and prospective laws tending to the uniform side.”
Jeff Sizemore, a former information security officer in the U.S. Air Force who specialized in cryptography and now works for cloud software firm Egnyte, said it is remarkable that in a single legislative session, the United States went from 10% of its states having comprehensive data privacy acts to 20%.
That, he said, demonstrates the impact of consumers’ desire for stronger data privacy legislation and the visibility of major data breaches that have affected consumers all across the country.
Sizemore explained that most states are modeling their bills after others that have already been passed because it is easier to secure business community buy-in for legislation that they have complied with previously.
“Both the VCDPA in Virginia and the CPA in Colorado are frequently modeled, because they strike a fair balance between the interest of consumers and businesses,” he said.
“As we look forward, it’s surprising that certain states don’t yet have comprehensive legislation: Massachusetts, New York, New Jersey and Oregon. Also, large swaths of the Great Plains and Southeastern states have not had comprehensive bills introduced, or bills that have gone inactive, which is not surprising.”
‘No longer a partisan issue’
Despite the statehouse push, federal privacy legislation has repeatedly failed to gain any momentum.
Zolnikov said one of the most exciting aspects of his bill in Montana was the overarching fact that the bill dispelled the notion that data privacy was an issue only backed by Democrats or that Republicans were only supporting bills that favored companies.
Several Republican-led states, he said, were passing “watered-down” data privacy laws and he wanted a precedent to be set that “both sides of the aisle” want strong consumer protections.
“The lobbyists are going to say, ‘Hey, look at these Republican states. Republicans, they don't go that far.’ So we need to set precedents at the state level of wanting true protections in place,” he said.
“So now, at the federal stage, they can't divide the states by party, because we in Montana just broke the whole model. Now this is no longer a partisan issue.”
Tech companies, he said, will eventually have to stop fighting federal legislation or else they will be dealing with a patchwork of privacy bills with wide-ranging requirements depending on the state.
“50 different states with 50 different laws is regulatory hell. I am begging other Republican states to step up and actually implement real consumer privacy legislation and strengthen their laws.” he said.
“And that's the whole point. We are passing laws at the state level to incentivize good positive action at the federal level.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.