A Post-Mortem on State Privacy Legislation

After nearly a decade working on privacy and other technology legislation, Joseph Jerome offers a valediction and lessons learned after departing his advocacy role.

Last week Governor Jared Polis signed the Colorado Privacy Act into law, putting an exclamation point on an active year in state houses on privacy and tech regulation. Contrary to expectations, across the country 2021 state legislative sessions saw the introduction of hundreds of privacy bills, as well as efforts to rein in social media platforms and digital platforms. Virginia and Colorado successfully enacted baseline privacy bills. Some view this flurry of state action as an important catalyst to force Congress to enact a national privacy law, but my experience makes me skeptical that we are on a path to actually addressing citizens’ concerns about the outsized power of big tech companies and their capacity to surveil us.

Once you move past talking points, there is very little consensus about what makes for a good privacy law. Privacy rules should be designed to balance the vast asymmetries of information and power that exist between corporations and individuals; burdens to protect privacy must be shifted off of individuals and onto entities using data. Advocates and academics have ideas on how to do this, but local lawmakers are stuck on the idea that businesses just need to provide more information to individuals and better “control” over their data. The data minimization restrictions that have snuck into state bills are often undercut by big exceptions. Lawmakers are also looking for ready-made bill language that won’t upset businesses too much.

I do not mean to suggest there have been no privacy victories in states. Privacy advocates succeeded in enacting a moratorium on the processing of student biometrics in New York, and there is some consensus emerging around narrow issues like protections for consumer genetic testing products. Lawmakers at all levels are sincerely interested in the implications of automated tools and algorithmic bias. But when it comes to enacting bold proposals that go beyond enshrining the status quo, I am far less optimistic.

It is difficult to find a coherent narrative to explain the trends that emerged this year. Republicans, Democrats, advocates, and industry are not monolithic entities in state politics, and the relevant power players have vastly different incentives and motivations that may have little to do with “protecting privacy.” Shadowy groups pushed privacy interests in deep-red Florida (using legislative language from deep-blue California) while a bipartisan effort in Oklahoma succumbed to a leadership struggle. Though there is bipartisan interest in regulating “Big Tech,” local lawmakers are far more responsive to the needs of the local business community, and their lobbyists are all over the map on what protecting privacy means. They mostly just want “clear” rules and limited liability. I worry that this set of circumstances, combined with a lack of clear messaging from consumer advocates, has succeeded in confusing lawmakers.

Advancing state privacy legislation has been in my job description for several years now, and I think most salient lessons can be learned from three states: Washington, Virginia, and Colorado.

Washington: Where the Third Time Wasn’t a Charm

Post-pandemic, oddsmakers would have put Washington state as the most likely candidate to enact something in 2021. For three years running, Sen. Reuven Carlyle (D-WA36) has moved an iteration of the Washington Privacy Act (WPA) through the state senate, only for the bill to flounder in the lower house. While many advocates have cheered the repeated failure of the WPA to pass, I worry it has created an almost worst-of-all-worlds situation.

The bill’s divergence from the California privacy effort and its origin as a Microsoft-led campaign to push concepts from the EU General Data Protection Regulation (GDPR) makes for an interesting legislative evolution. WPA’s earlier iterations took concepts like a business’s “legitimate interest” whole cloth from that framework, and by moving away from user consent and towards corporate risk assessments, the WPA has repeatedly been accused of being “corporate-centric.” And the bill received Microsoft’s strong support in 2019- before picking up champions in 2020 like the Future of Privacy Forum and even Consumer Reports- as it was amended and improved. The WPA has become something of a state privacy white whale for me. I was in Olympia to discuss the bill just days before the pandemic lockdown began last year, and worked on some legislative compromises to no avail this spring.

While huge amounts of energy have been spent on this legislation over the past three years, it remains stuck. Sen. Carlyle has already promised to bring the WPA back for a fourth go-around next year, but the current political landscape augurs nothing but a continued stalemate. The dynamics in Olympia are fascinating. The presence of tech giants in the state put privacy on lawmakers’ radars, but an organized advocacy campaign has blunted the ability of companies to get everything they want. The local ACLU affiliate has put together a vocal tech equity coalition that will broker no compromise with Sen. Carlyle, but it cannot, by itself, advance its “People’s Privacy Act” counter-proposal. The coalition has lambasted Sen. Carlyle such that he’s taken to publicly bemoaning the “religious” zeal with which the coalition opposes his efforts.

This has split the Democratic caucus in Olympia. Meanwhile, Republicans will vocalize their support for strong privacy protections without ever detailing what they mean, splintering the Democratic majority and ensuring no clear majority for any privacy proposal exists. Local Republicans -- pointing to Rep. Cathy McMorris Rodgers (R-WA5) -- and Democrats -- pointing to Sen. Maria Cantwell (D-WA) and Rep. Suzan DelBene (D-WA1)-- were also keen to point and defer to their national representatives as leading the way on privacy protections. This hope that Congress would ride to the rescue only served to highlight for me how much of the state privacy debate centers around talking points rather than substance.

The dance between Sen. Carlyle and some advocates looks to me like the endless struggle between the Joker and Batman, destined to fight each other to a frustrating stalemate until the next corporate privacy invasion falls smack dab in the middle of an election cycle. While neither side can win in Olympia, an important lesson for national advocates should be that hardline positions can backfire when motivated companies simply cross state lines.

The Virginia Sneak Attack

Nowhere is this dynamic better illustrated than in the rapid passage of Virginia’s Consumer Data Protection Act (CDPA). While the bill’s patrons insist otherwise, no one expected lawmakers in Richmond to move so quickly to enact a privacy law this year. As far as anyone can tell, lawmakers held an informal privacy briefing in November and then were hand delivered a version of last year’s WPA that was conveniently embraced by both Amazon and Microsoft.

Companies got a better deal out of Virginia than they would have received from Washington’s Sen. Carlyle, and advocates failed to recognize this. One foundational challenge is that advocacy groups are not united in what they want in privacy legislation. This is true nationally, but it creates real confusion in the states. Last fall, for example, privacy advocates splintered in contentious factions over the relative merits of Proposition 24 in California, leading industry observers and everyday voters confused. Local ACLU affiliates are all over the map on what they view as meaningful privacy regulation, and the Virginia ACLU affiliate said supportive things about the CDPA that were in direct opposition to what was being said by ACLU affiliates in Washington and elsewhere. While individual state ACLU affiliates make their own policy decisions, the discrepancy was predictably seized upon by industry lobbyists.

Listening to the primary patrons of the CDPA, it’s difficult to come away convinced that they are truly concerned about data privacy. More problematic, they seem to have limited understanding of what their bill does. They regularly speak about the need to protect against data breaches or that Virginia should be a leader on privacy because so much internet traffic goes through the state -- neither of which are really relevant to a consumer data privacy bill. Sen. Marsden (D-VA37), who led efforts to pass the CDPA in the Virginia senate, insists a broad stakeholder coalition backed his proposal even as he never asked a single privacy group or consumer advocate about his copy-and-paste job from an old version of WPA. He also didn’t clue in the Governor’s office or the Virginia Attorney General, the sole enforcer of the law, leading to a strange last minute compromise that involved the creation of a privacy work group. The privacy work group -- which includes three national industry groups and no “consumer rights advocates” with experience focusing on data privacy -- continues to ignore real concerns with the bill and give outsized representation to industry lobbyists.

I might be more sanguine if the Virginia Attorney General had either an established track record or the requisite resources to police privacy. Some press reports suggest the Attorney General will be given just $400,000 to enforce the CDPA, enough to hire two junior attorneys to undertake two investigations per year. The bigger problem is that no one really knows what the CDPA will do -- or what enforcement will look like. While Jules Polonetsky from the Future of Privacy Forum gushed about the “milestone” law, the chair of Frankfurt Kurnit’s privacy practice suggested CDPA would have little impact on targeted advertising companies.

The larger profession of privacy attorneys and compliance officers seem to admire the Virginia law for being clear and understandable, a better model to build off of than California’s clunkier legislative requirements. That may be fair, but as a privacy advocate, no one has yet to explain to me how the CDPA will curb the worst data practices we’re seeing today by advertisers, data brokers, and app developers flying by the seat of their pants. It’s a privacy law that both defines biometric information as inherently sensitive and then excludes facial recognition from its scope of coverage.

Unfortunately, the CDPA’s existence is a testament to the challenges facing privacy advocates. It is a shining example of how industry lobbyists, and well-meaning privacy professionals, are quick to peddle privacy paperwork as a meaningful protection. Lawmakers, eager to claim they’re doing something, then pay lip service to different opt-in/opt-out choices without ensuring their privacy protections have any teeth.

Colorado: The Best One Can Hope For?

Finally, Colorado enacted a privacy law at the tail end of its legislative session. While Colorado’s law may have seemed to come out of nowhere, the bipartisan pair of Sens. Robert Rodriguez (D-CO32) and Paul Lundeen (D-CO9) had been interested in privacy legislation for a few years, and Colorado had all the conditions on the ground to be amenable to some form of tech regulation: Governor Polis, a Democrat who has been a privacy leader in Congress and the state legislature, while shifting leftward, continues to be industry-friendly. Most importantly, Attorney General Phil Weiser has a strong tech background and was an outspoken supporter of Colorado enacting privacy legislation.

Attorney General Weiser’s involvement was key. When the Colorado Privacy Act was first introduced, the bill included quirky and bespoke definitions. Initial amendments to the bill were generally pro-business, but the Attorney General’s office was active in ensuring the proposal had certain baseline protections as it ping-ponged between the Colorado House and Senate. It withheld support until the proposal provided additional rulemaking authority -- which many attorneys general shy away from -- and permitted city attorneys to enforce the law, as well.

That’s not nothing, but it also may be the most we can expect of any state privacy law. “Would we love to have the [GDPR] with an opt in and everything? Sure, but there’s so much stuff ingrained in the United States already, that would be a humongous lift and it would be transformative across the country. I’m not sure that could get through the Colorado legislature,” Sen. Rodriguez lamented to local media. He may be overstating both the legal requirements and the transformative impact of the GDPR, but his political calculus is not wrong.

The prospects of a strong comprehensive federal privacy law are limited. And that is the problem.

Lessons Learned

1. The current Google and Facebook techlash animates too much of the debate.

One primary purpose of a comprehensive privacy law is to be comprehensive, but much of what underlies state lawmakers’ concerns about privacy boil down to a generalized concern about the dominance of Google and Facebook. This means that many state privacy proposals become a laundry list of exceptions of businesses that aren’t covered. One state proposal completely exempted data brokers, and this year, telecoms successfully inserted a definition in Maine’s broadband privacy law meant to constrain them and instead used it as a wholesale exception in Oklahoma’s comprehensive privacy proposal.

But if shackling Google and Facebook is the goal, privacy proposals thus far have had minimal impact in how the companies do business: narrow definitions of targeted advertising, broad product development exceptions, and unclear data minimization and purpose specification requirements suggest the biggest requirement will be state-specific risk assessments that will get filed in drawers somewhere. Considering Google and Facebook already have two of the largest privacy teams in the world, any state law that’s a pale shadow of the GDPR is unlikely to keep any of their lawyers up at night.

2. State lawmakers have difficulty grasping the dignity aspects of privacy protection.

When privacy advocates and academics discuss privacy legislation, we often invoke the utility of privacy rights to advance basic fairness and equal opportunity and protect individuals’ personal autonomy and dignity. This does not resonate with state lawmakers, many of whom are small business owners themselves, who view our collective privacy problem as a matter of simply providing individuals with more information and more control over information and advertising.

It’s illustrative that one of the few pro-privacy amendments that has received significant support has been efforts to enshrine the browser-based opt-out signals like the Global Privacy Control, which is an existing technical tool that lawmakers can point to as an easy way to take care of anyone’s perceived privacy problems.

3. Discussions about private rights of action and meaningful enforcement go in circles.

At this point, it is clear that industry lobbyists’ primary goal with any privacy law is limiting enforcement. Private rights of action receive most of their ire; numerous industry coalitions repeated misleading and bad faith arguments about the ambitions of plaintiff’s attorneys -- a taste of which can be found by reading every trade associations’ comments to the Uniform Law Commission’s unique model law. Instead, lobbyists insist attorneys general are positioned to “better” enforce state privacy laws, even as their offices remain undermanned and underfunded.

Unfortunately, these arguments are often persuasive to state lawmakers, who view private rights of action as a potential threat to local businesses. Advocates have not helped matters by insisting on unlimited private rights of action, rejecting injunctive relief as a compromise. This standoff is not only counterproductive but, in light of the Supreme Court’s recent decision in TransUnion v. Ramirez curtailing standing for procedural violations of federal privacy statutes, undermines the continuing ability of state law to establish tailored private rights of action. It also is keeping stakeholders from thinking creatively about how to effectively enforce privacy rights outside litigation.

4. States cannot be counted to push the national privacy debate forward.

It’s somewhat of a truism at this point to argue that all of the state privacy action is useful to keep the national privacy “conversation” going, but the reality is these proposals establish weak baselines. Better proposals already exist in Congress, and while some have suggested that industry stakeholders are trying to use divergent albeit weak state laws to force Congress’ hand, it is unclear whether the current situation is enough given Congress’ general dysfunction and tight legislative calendar.

While advertising trade associations bemoan a patchwork of state laws, the basic problem remains that neither Virginia nor Colorado, nor California for that matter, actually conflict with each other. They simply stack on compliance requirements. Absent truly conflicting laws or an aggressive private right of action, the current lineup of state laws is simply not painful enough for any segment of industry to cut a deal with Democrats in Congress.

- - -

Privacy advocates are not happy with the current state of affairs, but the chances to pass a significantly better bill are slim. There simply are not many states that possess the political conditions on the ground to move a path breaking privacy law, and the more likely scenario are minor variations on the California- and Washington-styled copycats that have already emerged.

My big takeaway from several years working on state privacy legislation is that the vision of state lawmakers is limited and the potential for meaningful -- and meaningfully enforced -- privacy legislation emerging out of the states is limited. Privacy advocates have hung their hat on several exceptions to this: Illinois’ Biometric Information Privacy Act, with its private right of action, has been a recurring thorn in industry’s side, but it was enacted before tech companies had the clout and power they do now. Consumer voices also point to the ability of state lawmakers to move quickly to address consumer harms, but this only serves to highlight how lawmakers are often uninterested in responding to more attenuated dignitary harms, such as those that emerge from violations of people’s privacy.

Privacy advocates have been boxed in by insisting that any federal privacy law must set a strong floor and not preempt state laws. This is problematic, and while no one should feel compelled to put their cards on the table, privacy advocates are fighting a losing battle. By demonstrating a limited capacity to enact stronger state laws, they may well be establishing a case for a lower national floor of protection. This is a defensive posture that forces advocates to fight over narrow victories like California’s privacy laws and oppose any bill that any company touches.

The state privacy battle is likely to continue, but the longer it goes on, the more privacy advocates should pursue narrower and more thoughtful approaches to enforcement and consumer redress on specific privacy threats. That has, in some respects, always been the deal. The current status quo suggests it may be a deal worth taking, lest we continue this song and dance as more states add their limited contributions to an already inadequate U.S. privacy landscape. Too often, the nuts and bolts of privacy legislation ignore that privacy rules are about giving individuals the space and dignity they need to become fully autonomous citizens; establishing safeguards that protect the interests of everyday people have been lost in a frenzy of arguments about consent requirements, opt-outs, and a handful of individual rights. We should be able to do better than what is under consideration by state legislatures.