‘Death by a thousand cuts’: A look at Big Tech’s efforts to influence data privacy

Leon Neal via Getty Images

 

Connecting state and local government leaders

Maine’s struggles to pass such a law have familiar ring for Maryland lawmakers.

This story is republished from the Maine Morning Star. Read the original article.

Significant time and energy went into crafting two competing proposals for a landmark data privacy law during the last legislative session. And while, procedurally, the bills died because neither passed both chambers of the Maine Legislature, the likelihood — or unlikelihood — of their passage was shaped well before they got to the floor.

Both proposals were among the top lobbied bills this year in terms of spending, but the outsized lobbying presence is better captured by the number and frequency of outside interests weighing in.

Of all bills considered this year, these two bills received by far the most lobbying reports, which lobbyists and their employers file each month to document action. Totaling around 250 reports each, these bills saw more lobbying action than even the highly debated supplemental budget bill, which received just shy of 200 reports.

Interest groups, among them many focused on business, began making their positions on the bills clear before the official start of the second regular session of the Legislature in 2024. Feedback submitted in December showed apparent opposition to data minimization, a baseline protection that only allows companies to collect information directly relevant and necessary for their operations — and a key part of the version of the law put forth by Rep. Maggie O’Neil (D-Saco).

O’Neil’s bill, LD 1977, would’ve made Maine’s regulations for companies that collect consumer information online among the strictest in the country. It ultimately failed passage, as did the competing proposal from Sen. Lisa Keim (R-Oxford), which was favored by business and tech interests.

Discussions of these two bills have long been intertwined, with the Judiciary Committee doing line by line comparisons throughout numerous full-day work sessions, and the companies that lobbied on both proposals also overlapped substantially.

Less apparent in these discussions at the time was the underlying membership of these groups, including Big Tech companies, such as Meta, Google and Charter Communications, otherwise known as Spectrum. Further, these groups had previously employed similar lobbying tactics in other states before they were tried, and successful, in Maine.

A Look Across State Lines

The story of data privacy in the Maine Legislature is far from unique.

This year, the Maryland General Assembly passed a data privacy bill similar to O’Neil’s, which the governor signed into law this month, though the progress came after several years of failed attempts that mirrored much of what was seen in Augusta.

Maryland Delegate Sara Love said she felt like a lone target when groups tried to strip down the privacy standard she fought for her state to adopt. Now, she knows she was not.

Both Love and O’Neil’s plans faced pushback during public meetings from representatives of tech interest groups, such as TechNet and the State Privacy and Security Coalition.

“All of these groups had Amazon, Google, Meta, as their major players,” Love explained, “and it wasn’t until much later that Amazon and Google actually came forward themselves. They had the groups come and do the work for them.”

Both Love and O’Neil said they hadn’t seen as hard a lobbying job before in their tenures. One group would ask for a handful of amendments, another group would ask for a different set, and so on. “It was death by a thousand cuts,” Love said, adding that eventually she and other elected officials in Maryland said enough. “We’re going to pass something that matters.”

This pattern extended beyond Maine and Maryland. Collin Walke, formerly a member of the Oklahoma House of Representatives, described a similar process of what he called “a lot of procedural chicanery” to strip back the data privacy plan in his state, as did Kentucky Sen. Whitney Westerfield and Montana Sen. Daniel Zolnikov.

These lawmakers from across the country shared their experiences with the Vermont House Committee on Commerce and Economic Affairs in April, ahead of the Vermont Legislature passing one of the strictest data privacy bills in the country.

Vermont bucked the trend of watered down bills by learning from challenges in other states, though the bill still awaits approval from Vermont Gov. Phil Scott. Tech interests remain opposed. NetChoice, a trade association that represents platforms including Meta, sent a letter to Scott asking him to veto the bill. Meanwhile, state and national advocacy groups are pushing for Scott’s signature.

“It seems like there are enough coincidences state to state from talking to people that I don’t know how we fight this unless we’re doing it together,” said Vermont Rep. Monique Priestley,  one of the chief architects of her state’s bill.

There is a patchwork of state laws and parts of federal legislation governing the current digital privacy landscape, as there remains no one federal law to regulate it, despite several proposals.

California was the first state to enact a comprehensive data privacy law, considered the toughest in the country, though now rivaled by Maryland and possibly Vermont upon the governor’s signature. Most other states with data privacy legislation have followed what has been dubbed the Connecticut model, often described as a diluted approach with regulations falling between California’s and those passed in red states.

Inside the Effort in Maine

Early in the year, outside interest in the two data privacy bills in Maine was already apparent. Before April lobbying reports were due, both bills had exceeded 200 reports each.

By the end of session, LD 1977, the stricter plan from O’Neil, had the highest number of lobbying reports, 256, though Keim’s bill, LD 1973, was a close second at 242, according to data submitted to the Maine Ethics Commission.

In terms of spending, the proposals also ended up being the third and fourth most lobbied bills after a flurry of last minute attention.

The reports do not specify whether a lobbyist or firm worked for or against a bill, but many made their stances clear.

For example, TechNet and the State Privacy and Security Coalition wrote to the Judiciary Committee throughout the session largely in opposition to O’Neil’s bill and in support of Keim’s. Data minimization, interoperability and providing the ability for people to sue companies for privacy violations were among key concerns.

TechNet’s membership includes many companies that also individually lobbied the legislation, including Google, Verizon, Cisco, and DoorDash, among others. The State Privacy and Security Coalition boasts many of the same members — including Google and Verizon — as well as other companies that similarly lobbied the bills under their own names, too: Meta, Charter, TechNet, Comcast, RELX and T-Mobile, to name a few.

While O’Neil’s bill maintained its data minimization standard, lawmakers stripped the bill of a private right of action and added exemptions to the law for several nonprofits — changes that O’Neil told Maine Morning Star she wished had not been made.

Representatives of Meta and Charter consulted with Keim in the initial drafting of her bill. In an email shared with Maine Morning Star, the lobbyist listed as working for Meta, Andrew Hackman, wrote O’Neil in January 2023 to inform her that he was working with Keim on a data privacy bill based on the Connecticut law.

Hackman wrote that there was a broad group of industry players working on the legislation, including Kate Gore, the lobbyist for Charter.

In response to a request for comment about Meta’s involvement with LD 1973, which companies were a part of the group, and whether the group had been a part of similar efforts in other states, a Meta spokesperson provided Maine Morning Star with a statement about the company’s privacy work beyond Maine.

“Since 2019, we’ve spent more than $5.5 billion in a rigorous privacy program that includes teams and technology designed not only to identify and address privacy risks early but to embed privacy into our products from the start,” the spokesperson wrote, also pointing to previous comments made by Meta’s head of state and local policy Dan Sachs outlining his view that uniform interstate privacy protections are needed.

On the other side, the research nonprofit Electronic Privacy Information Center (EPIC) worked with O’Neil to fine tune her version. EPIC has also been involved with data privacy bills in other states, including Maryland and Vermont.

“Democrats chose to believe an out-of-state nonprofit organization and their analysis on language rather than believing our own people, the businesses that are right here in Maine and that have to comply,” Keim told Maine Morning Star.

Ahead of a Senate floor vote on the bills, Keim critiqued the nonprofit exemptions in light of EPIC’s involvement in shaping LD 1977. However, comments submitted to the Judiciary Committee earlier in session show that EPIC had recommended against such exemptions.

“We do believe that nonprofits should be covered by privacy laws,” Caitriona Fitzgerald, deputy director of EPIC, told Maine Morning Star.

While some of the changes made to O’Neil’s bill were welcomed by outside interests, data minimization remained a key concern for businesses, including L.L. Bean, whose representative argued it would have prevented targeted advertising. Lawmakers in other states saw similar opposition from prominent local businesses in their areas as well, the Vermont Country Store and King Arthur Baking being other examples.

O’Neil said these concerns were unfounded. Rather, she argued the bill would have prevented companies from tracking consumers in invasive ways.

“I was disappointed that L.L. Bean led the charge to kill this bill because we really worked hard to make sure that we protected Maine businesses in their ability to advertise,” O’Neil said.

Jason Sulham, L.L.Bean’s manager of public affairs, said L.L. Bean “advocated for Maine consumers to be afforded the same protections provided to our customers and to consumers in other states regardless of the ultimate legislative vehicle,” but declined to say whether the company lobbied for or against either bill.

The Judiciary Committee initially incorporated a suggestion from L.L. Bean to include “targeted advertising” in the list of exemptions under the bill. However, O’Neil said this change would have gutted the main component of her bill — data minimization — because of the way targeted advertising is defined as tracking people across websites. The committee ended up reversing the change.

Sulham said L.L. Bean ultimately opposed the bill because it would have “limited consumer choice, led to more spam, unnecessarily complicated compliance, and put Mainers in an overly restrictive class compared to consumers in other states.”

While a group of industry players helped initiate Keim’s version of a data privacy plan, Sulham said L.L. Bean was not among them, “nor did we ever speak for other businesses or coordinate with out-of-state interests in any way.”

Following the Vermont hearing in April, where lawmakers from other states shared their work on data privacy, L.L. Bean also sent a letter to the committee pushing back on claims from O’Neil that the Maine retailer was a spokesperson for the tech industry interests.

“In Maine, if L.L. Bean says something, people are going to respect that,” O’Neil said during the meeting.

Matt Schwartz, a policy analyst at Consumer Reports, another group supportive of O’Neil’s version said, in the end, the rejection of both bills came down to a lack of time.

“I’m not going to speculate on whether this was intentional or truly a misunderstanding, but you had businesses saying that the bill was going to do things that it wasn’t going to do,” Schwartz said. “I wish we had more time to push back and clarify what the bill actually did.”

As seen in other states, it is common for data privacy legislation to take a few sessions to pass, so lawmakers and interest groups say this is only the start for data privacy reform efforts in Maine.

With the tech industry groups and tactics now also more widely known across states, lawmakers are forming their own interstate alliances to push back on their “playbook,” as Priestley, the representative from Vermont, called it.

“I feel like a big part of this was just getting more states talking to each other,” Priestley said.

Maine Morning Star is part of States Newsroom, a nonprofit news network supported by grants and a coalition of donors as a 501c(3) public charity. Maine Morning Star maintains editorial independence. Contact Editor Lauren McCauley for questions: info@mainemorningstar.com. Follow Maine Morning Star on Facebook and Twitter.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.