States Back Off on New Data Privacy Laws
Connecting state and local government leaders
A lot of state legislators sought to follow California in imposing new regulations on consumer data privacy. In most states, they didn't make it that far.
This article originally appeared on Stateline, an initiative of the Pew Charitable Trusts.
Discomfort over the collection and sale of personal data led to a flurry of consumer data privacy bills in 2019, as state legislatures vied to follow California’s lead in giving users more control of personal information.
But the legislative year ended with more of a whimper than a bang as well-funded tech giants and other business concerns rushed to oppose the bills, and even California is scrambling to fix details of its data privacy law before it takes effect in January.
Of the 24 states that considered data privacy legislation this year, only Illinois, Maine and Nevada enacted new laws.
There will be even more pressure for legislatures to act next year: Since sessions ended in most states, a $5 billion fine against Facebook and a $700 million settlement with Equifax over data breaches have brought even more public attention to the issue, as have continued revelations about election manipulations by Cambridge Analytica, which used personal data to profile voters.
Despite enthusiasm for more privacy rules by legislators and their constituents, many states found themselves bogged down this year in both the details of high tech operations and industry complaints, said Pam Greenberg, a senior fellow for the National Conference of State Legislatures who collected information on state consumer data privacy legislation.
“The issue is complex,” Greenberg said. “And legislators are concerned about the impact of privacy legislation on both consumers and business.”
The Internet Association, representing tech giants such as Google, Amazon and Facebook, has lobbied for a national approach, arguing that one federal standard like Europe’s 2018 General Data Protection Regulation would be fairer and stronger.
States should “allow for a national privacy law to take shape that applies to the entire country,” said Robert Callahan, the association’s vice president of state government affairs.
“If a person is video chatting with a grandmother in Florida, while they’re in New York, they both should benefit from the same privacy protections,” Callahan said.
Many states are waiting for last-minute wrangling over details in the California law before setting their own policies, said Mary Stone Ross, a former CIA analyst who as president of the Californians for Consumer Privacy helped draft that state’s legislation as a ballot initiative. The group agreed last year to drop its push for a ballot question in return for a similar state law passed by the legislature.
California passed a bill under time pressure in June 2018, giving consumers the right to see any of their data collected by a company or website, and the ability to opt out of having it sold to third parties. Then-Gov. Jerry Brown, a Democrat, signed it into law. But many amendments fine-tuning the law are still pending with a deadline of September for the legislature to pass them.
Although last-minute changes threaten “death by a thousand paper cuts,” the California law will clearly establish a consumer’s right to know what personal data has been collected, and a further right to opt out of any sale of that data, Stone Ross said.
“There are new rights and it’s clearly a big win,” she said. “You’ll have a big red button on a web page to opt out. A lot of companies will choose to comply.”
Bills are still pending that would amend California’s law, including measures that would exclude some advertisements from the definition of “selling” data and exclude people like job applicants from the definition of a “consumer.”
In Illinois, a law signed last week bans insurers from using genetic testing information to set health or accident insurance rates. Maine’s new law bans internet providers from selling personal information without consent, and Nevada’s law requires websites and other businesses to provide a way for consumers to opt out of sales of personal information.
The issue is more important than ever, as shown not only by the Equifax and Facebook fines, but also by the implications for voter manipulation using profiling with personal data in 2020, said Lee Tien, a staff attorney at the Electronic Frontier Foundation. The organization supported both California’s law and a New York proposal to allow consumers to sue over privacy.
Privacy rights advocates were caught off guard by the intense state-by-state battle, Tien said.
“The big tech players have a lot of funding and they can be everywhere at once, popping up in all these states, and we’re a little more stretched thin,” Tien said.
New York state’s pending legislation would go even further than California’s law — establishing a consumer’s right to sue over privacy or security breaches, and a “fiduciary duty” for companies to act in the customer’s best interests, even if it means forgoing profits from selling personal information.
“They have to put customer privacy above the company’s profit-making,” said state Sen. Kevin Thomas, the Long Island Democrat who chairs the Senate Committee on Consumer Protection and sponsored the New York bill.
Possible abuses might include insurance companies using genetic information from testing to raise rates, Thomas said, or employment agencies using financial data to offer lower pay.
Thomas’ bill didn’t make it out of committee this year, but he said he plans public hearings before the 2020 legislative session to gather more information from constituents.
“Companies don’t need all this information that can be used against you and there’s no oversight,” Thomas said. “States have to stand up because there’s no regulation, and it’s not going to come from the federal government, as divided as this country is right now.”
The Internet Association opposed the New York bill. The law is “unworkable for businesses that want to comply,” said John Olsen, a regional state government affairs director for the association, citing the law’s mandate to get consumer consent before selling data.
While Vermont established a data broker registry, requiring businesses that buy data to register with the state, many other states saw proposed laws wither under business opposition.
In Connecticut, state Rep. David Michel, a freshman Stamford Democrat, said his constituents wanted more data privacy, so he sponsored a bill that would have made genetic testing data confidential.
“Generally speaking, companies are making money on people’s private data without them knowing. I don’t agree with that,” Michel said. The state did establish a task force to study future laws.
Connecticut’s business community was opposed to that bill and other Connecticut privacy measures that failed, said Louise DiCocco, an attorney for the Connecticut Business & Industry Association.
“The businesses we represent around the state think this is not the way to go. The bills that were drafted are too vague,” DiCocco said. “Businesses need to know exactly what’s expected of them.”
Opposition from tech, cellphone and general business organizations doomed a number of state laws.
Hawaii was a typical case: A bill banning sales of cellphone location data without consent, blamed in news reports for creating detailed records of personal lives by so-called location aggregators, passed both houses of the Democratic legislature with little dissent and was set to take effect July 1.
But after opposition from the cellphone industry, Democratic Gov. David Ige vetoed the bill and called for a task force, telling legislators a “lack of clarity” about regulation of a “complex national industry” would make the law too hard to enforce.
CTIA, the association that represents the wireless industry, objected to the bill, complaining of “further fragmentation of consumer privacy laws.” And because location data is often anonymous, the group said, obtaining required consent can be impossible.
In Connecticut, Hawaii, Louisiana, North Dakota and Texas, task forces or advisory committees were set up after privacy legislation was defeated.
Privacy legislation was delayed for consideration next year in Massachusetts, Minnesota, New Hampshire, New Jersey, New York, Pennsylvania and Washington. Similar bills failed outright in Arizona, Florida, Kentucky, Maryland, Mississippi, Montana and New Mexico.
Tim Henderson is a Staff Writer at Stateline.
NEXT STORY: Three Steps Governments Can Take to Guard Against Ransomware Attacks