With Congress stalled on federal legislation to regulate how personal data is tracked and sold online, the fight over the future of data privacy has moved to state capitals.
Only two states, California and Virginia, have passed laws to give people more control over how technology companies mine personal details and online behavior, each bringing vastly different protections for users.
California’s law gives people the right to tell companies to stop tracking them and to delete data that has already been gathered and even, in certain cases, sue companies over data breaches. Privacy advocates consider it a strong consumer shield.
The law in Virginia gives people some new control over how their personal information is collected online, but privacy advocates say it contains many exceptions and carve-outs that will give tech companies a free pass and does not give consumers a right to sue. It passed with Silicon Valley’s backing.
Now those interests are competing to decide which vision will predominate in the rest of the country.
A review by The Markup, a technology publication, found the vast majority of state proposals — 14 — were based on the Virginia framework that has been pushed by Big Tech.
The industry is hoping that by winning battles on the state level, it can set a friendly precedent for a federal privacy bill, which could override any state law.
“Industry gets 50 attempts to get what they want. And they have the resources and knowledge and access to try to promote weaker bills in each of these states,” said Ashkan Soltani, the former chief technologist for the Federal Trade Commission who helped write the California law. “The ultimate aim is to try to weaken a national standard.”
Democratic Virginia Delegate Cliff Hayes, who sponsored the state’s data privacy law, dismissed the criticism that the measure provides lackluster protection to consumers.
“Absent any federal legislation on the matter, we believe Virginians should have a right to know what’s being collected about them, have a right to delete that data, correct that data and choose whether or not they want their personal identifiable information sold,” Hayes said.
Some members of Congress have said privacy legislation is a priority this year. But until Washington acts, a hodgepodge of proposals for regulating data tracking are emerging from state to state.
“Companies are free to collect and sell personal information about all of us,” Soltani said. “We have protections in almost every other aspect of our lives, whether it’s health information, or banking information. For online activity, there’s this huge gap.”
Connecticut tries to address ‘data privacy crisis’
The fight over data privacy in Connecticut provides a window into how the debate is playing across the country.
Connecticut Senate Majority Leader Bob Duff, a Democrat, was frustrated that Congress was dragging its feet on the issue.
Without any data protections, Duff said the country was in the grip of a “data privacy crisis.”
“And that is known to any American who has a phone, laptop, or tablet, or any type of device, where all of a sudden they mention something, next thing you know there’s an ad for it,” Duff said.
He introduced a bill last year that would allow people in Connecticut to opt out of data collection and to sue tech companies if the tracking continued.
Duff recalls a packed hearing for the bill. But he did not see concerned citizens. Instead, he glimpsed seat after seat filled with lobbyists paid by Facebook, Google and other tech companies.
“Lobbyists put the fear of God into people even by saying something like, ‘this bill would harm data collection in a public health emergency,’ which is far from the true, and it’s actually inaccurate,” Duff said.
His bill ultimately failed.
The industry’s leading trade group, the Internet Association, told Duff in a letter that the bill was “of significant concern.”
Having the right to sue, the group wrote, would be a payday for trial lawyers and not help consumers safeguard their data.
Now, Duff has re-introduced the bill — without the right to sue tech companies — with some similarities to Virginia’s new law, but he said he plans to strengthen the provisions to favor consumers before its final passage.
Otherwise, he said, “It will only really be lipstick on a pig from the standpoint of it’s an industry-written bill that has data privacy in the headline but other than that it does nothing.”
“I’d rather do no bill than the Virginia bill,” he added.
Records show the Big Five tech companies have at least 14 registered lobbyists in Connecticut alone, having spent hundreds of thousands of dollars on lobbying in the state in recent years.
Several lobbyists and spokespeople for the companies declined to be interviewed for this story.
Regulation on data privacy, and a host of other issues, has become something Silicon Valley now sees as inevitable, with companies like Facebook running advertisements saying the company actually welcomes new laws.
Soltani views this messaging effort with skepticism.
“They’re not doing it out the goodness of their heart,” he said. “Kind of like a Taekwondo move, they want to capture that momentum and then direct it toward something that benefits them.”
But Cathy Gellis, a San Francisco area lawyer who specializes in tech policy, said some of the industry’s concerns are valid: If every state creates its own set of rules to follow, that would be a nightmare for companies.
“You don’t want the Internet to become a ‘you can’t get there from here’ type of place, and with local regulation, that’s what we risk,” Gellis said.
She said regulations aimed at one thing can create unintended consequences someplace else for things like online commerce, speech and innovation.
“It creates a compliance problem for the Internet platforms and affects their ability to host user speech and monetize it and run their businesses and all sorts of things,” she said. “This is a national economy. This is interstate commerce. It’s not going to work out well when all of a sudden individual states are trying to shape markets.”