State privacy laws have been crippled by big tech, new report says
The tech industry has shaped a series of weak privacy laws nationwide, according to a new report, with half of the 14 states to have passed such laws receiving failing grades and none receiving an “A” on the report’s scorecard.
The Electronic Privacy Information Center and U.S. PIRG Education Fund assessed the 14 bills across several metrics, including whether they have provisions for strong enforcement; how much transparency they offer into data risk assessments; whether they include strong individual data rights such as opt-out signals; if they bar manipulative design; and whether they strongly define what constitutes personal data and covered entities.
The report argues that the lack of a federal privacy law to govern a multibillion-dollar industry’s data practices has opened the door to states enacting lax privacy laws nearly across the board.
“Weak, industry-friendly laws allow companies to continue collecting data about consumers without meaningful limits,” the report states. “Consumers are granted rights that are difficult to exercise, and they cannot hold companies that violate their rights accountable in court.”
According to the report, all of the states with comprehensive data privacy laws on the books — with the exception of California — closely adhere to the so-called Virginia model, a law that was partially written by Amazon. Recorded Future News reported on Tuesday about the intense role a sprawling tech lobby has played in pushing through weak state bills.
The state with the report’s highest grade, California, received a B+. The six states the report gives a failing grade are Texas, Indiana, Virginia, Utah, Tennessee and Iowa.
The report cited a 2022 Markup investigation showing that in the 31 states considering privacy bills in 2021 and 2022, 445 active lobbyists and firms representing Amazon, Meta, Microsoft, Google, Apple and industry “front groups” fought to shape the legislation.
The report argues that among the many attributes a strong comprehensive consumer privacy law would include are:
-
Requirements that companies minimize the data they can gather and use
-
Strong regulations on all uses of health data, biometrics and location data
-
Strict online civil rights protections which stop consumer profiling and allow individuals to sue companies for violations
There is a glimmer of hope, the report says, citing relatively strong bills now under discussion in Illinois, Maine, Massachusetts and Maryland. Those states are considering laws that would compel changes to data practices and thereby hobble commercial surveillance and online discrimination, the report says.
The privacy legislative activity at the state level is widespread. While the federal American Data Privacy and Protection Act continues to languish in Congress, 44 states have considered privacy legislation since 2018.
The report cites real world examples like reporting which shows that the average American’s personal data is revealed 747 times a day in targeted advertising online markets and that car companies can and often do collect vehicle owners biometric, geolocation and other data.
“Advertisers can use characteristics like race, gender, or income (or ZIP code as a proxy for income) to filter their audience and target individuals most likely to buy their product or Service,” the report says. “If a company is hiring a CEO, advertisers can choose to show that job opening to only men. If a home is for sale, advertisers can choose to show that listing to only white individuals.”
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.