A New Model for State Privacy Legislation

Caitriona Fitzgerald, Matt Schwartz / Jan 6, 2025

The fight for strong state privacy laws has proven challenging for public interest advocates. Following the scare provided by the California Consumer Privacy Act, Big Tech quickly worked to consolidate and flex its power to avoid even more aggressive proposals that could have forced fundamental changes to its commercial surveillance practices. Over the past three years, there has been a steady drumbeat of states introducing privacy bills heavily influenced by industry. While consumer advocates have been able to negotiate meaningful improvements into many of these laws, too many do not do enough to protect consumers from the harms of online tracking and data abuse.

But, in the last legislative session, the tide started turning. After years of considering privacy legislation, Maryland enacted the Maryland Online Data Privacy Act with several consumer-friendly amendments. Senator (then-Delegate) Sara Love championed a bill that limits the collection of personal data by default, bans the sale of sensitive data outright, and prohibits targeted advertising to kids and teens. Similarly, the Vermont Legislature overwhelmingly passed a privacy bill with meaningful data minimization requirements, strong civil rights protections, and a private right of action before Governor Phil Scott vetoed the bill. Maine came within a few votes of passing a robust privacy bill on its last day of session. The Massachusetts Joint Committee on Advanced Information Technology, the Internet, and Cybersecurity favorably reported a very strong bill modeled on the American Data Privacy and Protection Act or APRA.

This progress should encourage privacy and consumer advocates. In addition to furthering legislation, public-interest-oriented state lawmakers, journalists, and advocates have shined a light on Big Tech’s disingenuous tactics and the industry’s lobbying resources that push states to pass privacy laws that include privacy in name only. Now is a critical moment to build on this momentum.

During our work with state lawmakers last session, we heard that they would prefer to strengthen existing state laws rather than enact an entirely new legislative framework. With this feedback in mind, EPIC and Consumer Reports crafted a model privacy bill, the State Data Privacy Act, that builds upon several existing state laws. The model bill takes the base text of the Connecticut Data Privacy Act (CTDPA), often cited by industry as a model for other states to adopt, and incorporates additional privacy protections. While the CTDPA contains far too many loopholes to provide effective privacy protections on its own, it is an established law familiar to many state lawmakers. Strengthening the CTDPA provides consistency for businesses while giving consumers meaningful privacy protections.

The goals of the State Data Privacy Act are to:

  • Limit ubiquitous online tracking;
  • Encourage more privacy-protective methods of online advertising;
  • Protect the most sensitive data, including data about kids and teens;
  • Use language from existing state laws; and
  • Allow for meaningful enforcement of the law to ensure compliance.

The State Data Privacy Act borrows existing language from strong state laws and federal bills wherever possible. Borrowing existing language reduces the chances of conflicts of law and, in many cases, also captures years of deliberation and stakeholder discussions. While this draft does not represent the ideal privacy bill for any of the signatory organizations, it is a compromise that would meaningfully protect consumers and small businesses while forcing changes to some of Big Tech’s most harmful business practices.

The most significant amendment we propose is a strict data minimization rule that limits the collection and use of personal data to align with what consumers expect based on the context of their interaction with the business. In contrast, the framework found in many state laws allows businesses to continue collecting whatever personal data they want and using it for any reason they want as long as they disclose that practice in their privacy policies — which simply reflects the status quo.

Rather than continue with an approach that harms consumers, the State Data Privacy Act establishes a rule requiring businesses to collect and use data only when it is “reasonably necessary” to provide the services requested by the consumer. Personal data collected by businesses under these rules may be used for most forms of advertising, but our bill would ban invasive cross-website tracking by default. This compromise allows businesses to advertise using their own data while protecting individuals’ rights to avoid persistent surveillance and the harmful effects stemming from the overcollection of personal data.

Our proposal also includes strong elements of state privacy laws already on the books in many places. This includes the ability for consumers to manage their privacy preferences through authorized agents or opt out of certain forms of targeted advertising through universal opt-out signals like the Global Privacy Control. Together, these provisions should reduce the need for consumers to manage privacy choices at individual businesses through tedious privacy settings or misleading consent pop-ups. And like the Maryland law, our bill includes a total ban on the sale of sensitive data — such as information about one’s health, religion, genetics, sexual orientation, precise geolocation, immigration status, and children’s data — which will mitigate some of the most serious harms we see from bad actors like unscrupulous data brokers.

Enforcement is also a critical piece of any privacy law. Existing bills mainly rely on state Attorneys General (AG) to enforce privacy protections, but AG offices often have limited resources to conduct investigations and enforce the law. Notably, there have only been a handful of public enforcement actions against companies under state privacy laws despite clear evidence of widespread non-compliance. Leaving enforcement solely in the hands of under-resourced state AGs emboldens businesses to ignore the law because they know that state AGs are unlikely to have the time, money, or staff to investigate violations.

Instead, consumers harmed by violations of the law should have the ability to take action to protect themselves, which is why the State Data Privacy Act includes a private right of action. The bill proposes a compromise that exempts small businesses from this provision, recognizing that small businesses often collect less personal data and have fewer resources to implement new legal compliance programs. This more limited private right of action strikes a balance, protecting consumers’ privacy while preserving state resources and supporting small businesses.

EPIC and Consumer Reports hope to use the model bill to build on last session’s momentum and support lawmakers seeking strong privacy protections for their constituents. However, we know that we can’t do it alone. We are actively seeking new partners to join our coalition — both organizations and constituents fed up with the status quo. If this effort resonates with you, we encourage you to reach out and join us.

This post is part of a series examining US state tech policy issues in the year ahead.

Authors

Caitriona Fitzgerald
Caitriona Fitzgerald is Deputy Director at the Electronic Privacy Information Center (EPIC). Caitriona leads EPIC’s policy work, working to advance strong privacy, open government, and algorithmic fairness and accountability laws at both the state and federal level, and has testified before Congress...
Matt Schwartz
Matt Schwartz is a Policy Analyst at Consumer Reports, where he focuses on privacy. Previously, he worked on technology policy and internet governance issues for ACT | The App Association and New America. He grew up in San Diego and received a B.A. in Political Science & International Affairs from W...
