‘Death by a thousand cuts’: A look at Big Tech’s efforts to influence data privacy
Connecting state and local government leaders
Maine’s struggles to pass such a law have familiar ring for Maryland lawmakers.
This story is republished from the Maine Morning Star. Read the original article.
Significant time and energy went into crafting two competing proposals for a landmark data privacy law during the last legislative session. And while, procedurally, the bills died because neither passed both chambers of the Maine Legislature, the likelihood — or unlikelihood — of their passage was shaped well before they got to the floor.
Both proposals were among the top lobbied bills this year in terms of spending, but the outsized lobbying presence is better captured by the number and frequency of outside interests weighing in.
Of all bills considered this year, these two bills received by far the most lobbying reports, which lobbyists and their employers file each month to document action. Totaling around 250 reports each, these bills saw more lobbying action than even the highly debated supplemental budget bill, which received just shy of 200 reports.
Interest groups, among them many focused on business, began making their positions on the bills clear before the official start of the second regular session of the Legislature in 2024. Feedback submitted in December showed apparent opposition to data minimization, a baseline protection that only allows companies to collect information directly relevant and necessary for their operations — and a key part of the version of the law put forth by Rep. Maggie O’Neil (D-Saco).
O’Neil’s bill, LD 1977, would’ve made Maine’s regulations for companies that collect consumer information online among the strictest in the country. It ultimately failed passage, as did the competing proposal from Sen. Lisa Keim (R-Oxford), which was favored by business and tech interests.
Discussions of these two bills have long been intertwined, with the Judiciary Committee doing line by line comparisons throughout numerous full-day work sessions, and the companies that lobbied on both proposals also overlapped substantially.
Less apparent in these discussions at the time was the underlying membership of these groups, including Big Tech companies, such as Meta, Google and Charter Communications, otherwise known as Spectrum. Further, these groups had previously employed similar lobbying tactics in other states before they were tried, and successful, in Maine.
A Look Across State Lines
The story of data privacy in the Maine Legislature is far from unique.
This year, the Maryland General Assembly passed a data privacy bill similar to O’Neil’s, which the governor signed into law this month, though the progress came after several years of failed attempts that mirrored much of what was seen in Augusta.
Maryland Delegate Sara Love said she felt like a lone target when groups tried to strip down the privacy standard she fought for her state to adopt. Now, she knows she was not.
Both Love and O’Neil’s plans faced pushback during public meetings from representatives of tech interest groups, such as TechNet and the State Privacy and Security Coalition.
“All of these groups had Amazon, Google, Meta, as their major players,” Love explained, “and it wasn’t until much later that Amazon and Google actually came forward themselves. They had the groups come and do the work for them.”
Both Love and O’Neil said they hadn’t seen as hard a lobbying job before in their tenures. One group would ask for a handful of amendments, another group would ask for a different set, and so on. “It was death by a thousand cuts,” Love said, adding that eventually she and other elected officials in Maryland said enough. “We’re going to pass something that matters.”
This pattern extended beyond Maine and Maryland. Collin Walke, formerly a member of the Oklahoma House of Representatives, described a similar process of what he called “a lot of procedural chicanery” to strip back the data privacy plan in his state, as did Kentucky Sen. Whitney Westerfield and Montana Sen. Daniel Zolnikov.
These lawmakers from across the country shared their experiences with the Vermont House Committee on Commerce and Economic Affairs in April, ahead of the Vermont Legislature passing one of the strictest data privacy bills in the country.
Vermont bucked the trend of watered down bills by learning from challenges in other states, though the bill still awaits approval from Vermont Gov. Phil Scott. Tech interests remain opposed. NetChoice, a trade association that represents platforms including Meta, sent a letter to Scott asking him to veto the bill. Meanwhile, state and national advocacy groups are pushing for Scott’s signature.
“It seems like there are enough coincidences state to state from talking to people that I don’t know how we fight this unless we’re doing it together,” said Vermont Rep. Monique Priestley, one of the chief architects of her state’s bill.
There is a patchwork of state laws and parts of federal legislation governing the current digital privacy landscape, as there remains no one federal law to regulate it, despite several proposals.
California was the first state to enact a comprehensive data privacy law, considered the toughest in the country, though now rivaled by Maryland and possibly Vermont upon the governor’s signature. Most other states with data privacy legislation have followed what has been dubbed the Connecticut model, often described as a diluted approach with regulations falling between California’s and those passed in red states.
Inside the Effort in Maine
Early in the year, outside interest in the two data privacy bills in Maine was already apparent. Before April lobbying reports were due, both bills had exceeded 200 reports each.
By the end of session, LD 1977, the stricter plan from O’Neil, had the highest number of lobbying reports, 256, though Keim’s bill, LD 1973, was a close second at 242, according to data submitted to the Maine Ethics Commission.
In terms of spending, the proposals also ended up being the third and fourth most lobbied bills after a flurry of last minute attention.
The reports do not specify whether a lobbyist or firm worked for or against a bill, but many made their stances clear.
For example, TechNet and the State Privacy and Security Coalition wrote to the Judiciary Committee throughout the session largely in opposition to O’Neil’s bill and in support of Keim’s. Data minimization, interoperability and providing the ability for people to sue companies for privacy violations were among key concerns.
TechNet’s membership includes many companies that also individually lobbied the legislation, including Google, Verizon, Cisco, and DoorDash, among others. The State Privacy and Security Coalition boasts many of the same members — including Google and Verizon — as well as other companies that similarly lobbied the bills under their own names, too: Meta, Charter, TechNet, Comcast, RELX and T-Mobile, to name a few.
While O’Neil’s bill maintained its data minimization standard, lawmakers stripped the bill of a private right of action and added exemptions to the law for several nonprofits — changes that O’Neil told Maine Morning Star she wished had not been made.
Representatives of Meta and Charter consulted with Keim in the initial drafting of her bill. In an email shared with Maine Morning Star, the lobbyist listed as working for Meta, Andrew Hackman, wrote O’Neil in January 2023 to inform her that he was working with Keim on a data privacy bill based on the Connecticut law.
Hackman wrote that there was a broad group of industry players working on the legislation, including Kate Gore, the lobbyist for Charter.
In response to a request for comment about Meta’s involvement with LD 1973, which companies were a part of the group, and whether the group had been a part of similar efforts in other states, a Meta spokesperson provided Maine Morning Star with a statement about the company’s privacy work beyond Maine.
“Since 2019, we’ve spent more than $5.5 billion in a rigorous privacy program that includes teams and technology designed not only to identify and address privacy risks early but to embed privacy into our products from the start,” the spokesperson wrote, also pointing to previous comments made by Meta’s head of state and local policy Dan Sachs outlining his view that uniform interstate privacy protections are needed.
On the other side, the research nonprofit Electronic Privacy Information Center (EPIC) worked with O’Neil to fine tune her version. EPIC has also been involved with data privacy bills in other states, including Maryland and Vermont.
“Democrats chose to believe an out-of-state nonprofit organization and their analysis on language rather than believing our own people, the businesses that are right here in Maine and that have to comply,” Keim told Maine Morning Star.
Ahead of a Senate floor vote on the bills, Keim critiqued the nonprofit exemptions in light of EPIC’s involvement in shaping LD 1977. However, comments submitted to the Judiciary Committee earlier in session show that EPIC had recommended against such exemptions.
“We do believe that nonprofits should be covered by privacy laws,” Caitriona Fitzgerald, deputy director of EPIC, told Maine Morning Star.
While some of the changes made to O’Neil’s bill were welcomed by outside interests, data minimization remained a key concern for businesses, including L.L. Bean, whose representative argued it would have prevented targeted advertising. Lawmakers in other states saw similar opposition from prominent local businesses in their areas as well, the Vermont Country Store and King Arthur Baking being other examples.
O’Neil said these concerns were unfounded. Rather, she argued the bill would have prevented companies from tracking consumers in invasive ways.
“I was disappointed that L.L. Bean led the charge to kill this bill because we really worked hard to make sure that we protected Maine businesses in their ability to advertise,” O’Neil said.
Jason Sulham, L.L.Bean’s manager of public affairs, said L.L. Bean “advocated for Maine consumers to be afforded the same protections provided to our customers and to consumers in other states regardless of the ultimate legislative vehicle,” but declined to say whether the company lobbied for or against either bill.
The Judiciary Committee initially incorporated a suggestion from L.L. Bean to include “targeted advertising” in the list of exemptions under the bill. However, O’Neil said this change would have gutted the main component of her bill — data minimization — because of the way targeted advertising is defined as tracking people across websites. The committee ended up reversing the change.
Sulham said L.L. Bean ultimately opposed the bill because it would have “limited consumer choice, led to more spam, unnecessarily complicated compliance, and put Mainers in an overly restrictive class compared to consumers in other states.”
While a group of industry players helped initiate Keim’s version of a data privacy plan, Sulham said L.L. Bean was not among them, “nor did we ever speak for other businesses or coordinate with out-of-state interests in any way.”
Following the Vermont hearing in April, where lawmakers from other states shared their work on data privacy, L.L. Bean also sent a letter to the committee pushing back on claims from O’Neil that the Maine retailer was a spokesperson for the tech industry interests.
“In Maine, if L.L. Bean says something, people are going to respect that,” O’Neil said during the meeting.
Matt Schwartz, a policy analyst at Consumer Reports, another group supportive of O’Neil’s version said, in the end, the rejection of both bills came down to a lack of time.
“I’m not going to speculate on whether this was intentional or truly a misunderstanding, but you had businesses saying that the bill was going to do things that it wasn’t going to do,” Schwartz said. “I wish we had more time to push back and clarify what the bill actually did.”
As seen in other states, it is common for data privacy legislation to take a few sessions to pass, so lawmakers and interest groups say this is only the start for data privacy reform efforts in Maine.
With the tech industry groups and tactics now also more widely known across states, lawmakers are forming their own interstate alliances to push back on their “playbook,” as Priestley, the representative from Vermont, called it.
“I feel like a big part of this was just getting more states talking to each other,” Priestley said.
Maine Morning Star is part of States Newsroom, a nonprofit news network supported by grants and a coalition of donors as a 501c(3) public charity. Maine Morning Star maintains editorial independence. Contact Editor Lauren McCauley for questions: info@mainemorningstar.com. Follow Maine Morning Star on Facebook and Twitter.
NEXT STORY: Identifying and mitigating third-party IT risks