States Back Off on New Data Privacy Laws

State Sen. Bob Hertzberg, D-Van Nuys, displays his smart phone as he urges lawmakers to approve a data privacy bill during the Senate floor session on June 28, 2018, in Sacramento, Calif.

State Sen. Bob Hertzberg, D-Van Nuys, displays his smart phone as he urges lawmakers to approve a data privacy bill during the Senate floor session on June 28, 2018, in Sacramento, Calif. AP Photo

 

Connecting state and local government leaders

A lot of state legislators sought to follow California in imposing new regulations on consumer data privacy. In most states, they didn't make it that far.

This article originally appeared on Stateline, an initiative of the Pew Charitable Trusts.

Discomfort over the collection and sale of personal data led to a flurry of consumer data privacy bills in 2019, as state legislatures vied to follow California’s lead in giving users more control of personal information.

But the legislative year ended with more of a whimper than a bang as well-funded tech giants and other business concerns rushed to oppose the bills, and even California is scrambling to fix details of its data privacy law before it takes effect in January.

Of the 24 states that considered data privacy legislation this year, only Illinois, Maine and Nevada enacted new laws.

There will be even more pressure for legislatures to act next year: Since sessions ended in most states, a $5 billion fine against Facebook and a $700 million settlement with Equifax over data breaches have brought even more public attention to the issue, as have continued revelations about election manipulations by Cambridge Analytica, which used personal data to profile voters.

Despite enthusiasm for more privacy rules by legislators and their constituents, many states found themselves bogged down this year in both the details of high tech operations and industry complaints, said Pam Greenberg, a senior fellow for the National Conference of State Legislatures who collected information on state consumer data privacy legislation.

“The issue is complex,” Greenberg said. “And legislators are concerned about the impact of privacy legislation on both consumers and business.”

The Internet Association, representing tech giants such as Google, Amazon and Facebook, has lobbied for a national approach, arguing that one federal standard like Europe’s 2018 General Data Protection Regulation would be fairer and stronger.

States should “allow for a national privacy law to take shape that applies to the entire country,” said Robert Callahan, the association’s vice president of state government affairs.

“If a person is video chatting with a grandmother in Florida, while they’re in New York, they both should benefit from the same privacy protections,” Callahan said.

Many states are waiting for last-minute wrangling over details in the California law before setting their own policies, said Mary Stone Ross, a former CIA analyst who as president of the Californians for Consumer Privacy helped draft that state’s legislation as a ballot initiative. The group agreed last year to drop its push for a ballot question in return for a similar state law passed by the legislature.

California passed a bill under time pressure in June 2018, giving consumers the right to see any of their data collected by a company or website, and the ability to opt out of having it sold to third parties. Then-Gov. Jerry Brown, a Democrat, signed it into law. But many amendments fine-tuning the law are still pending with a deadline of September for the legislature to pass them.

Although last-minute changes threaten “death by a thousand paper cuts,” the California law will clearly establish a consumer’s right to know what personal data has been collected, and a further right to opt out of any sale of that data, Stone Ross said.

“There are new rights and it’s clearly a big win,” she said. “You’ll have a big red button on a web page to opt out. A lot of companies will choose to comply.”

Bills are still pending that would amend California’s law, including measures that would exclude some advertisements from the definition of “selling” data and exclude people like job applicants from the definition of a “consumer.”

In Illinois, a law signed last week bans insurers from using genetic testing information to set health or accident insurance rates. Maine’s new law bans internet providers from selling personal information without consent, and Nevada’s law requires websites and other businesses to provide a way for consumers to opt out of sales of personal information.

The issue is more important than ever, as shown not only by the Equifax and Facebook fines, but also by the implications for voter manipulation using profiling with personal data in 2020, said Lee Tien, a staff attorney at the Electronic Frontier Foundation. The organization supported both California’s law and a New York proposal to allow consumers to sue over privacy.

Privacy rights advocates were caught off guard by the intense state-by-state battle, Tien said.

“The big tech players have a lot of funding and they can be everywhere at once, popping up in all these states, and we’re a little more stretched thin,” Tien said.

New York state’s pending legislation would go even further than California’s law — establishing a consumer’s right to sue over privacy or security breaches, and a “fiduciary duty” for companies to act in the customer’s best interests, even if it means forgoing profits from selling personal information.

“They have to put customer privacy above the company’s profit-making,” said state Sen. Kevin Thomas, the Long Island Democrat who chairs the Senate Committee on Consumer Protection and sponsored the New York bill.

Possible abuses might include insurance companies using genetic information from testing to raise rates, Thomas said, or employment agencies using financial data to offer lower pay.

Thomas’ bill didn’t make it out of committee this year, but he said he plans public hearings before the 2020 legislative session to gather more information from constituents.

“Companies don’t need all this information that can be used against you and there’s no oversight,” Thomas said. “States have to stand up because there’s no regulation, and it’s not going to come from the federal government, as divided as this country is right now.”

The Internet Association opposed the New York bill. The law is “unworkable for businesses that want to comply,” said John Olsen, a regional state government affairs director for the association, citing the law’s mandate to get consumer consent before selling data.

While Vermont established a data broker registry, requiring businesses that buy data to register with the state, many other states saw proposed laws wither under business opposition.

In Connecticut, state Rep. David Michel, a freshman Stamford Democrat, said his constituents wanted more data privacy, so he sponsored a bill that would have made genetic testing data confidential.

“Generally speaking, companies are making money on people’s private data without them knowing. I don’t agree with that,” Michel said. The state did establish a task force to study future laws.

Connecticut’s business community was opposed to that bill and other Connecticut privacy measures that failed, said Louise DiCocco, an attorney for the Connecticut Business & Industry Association.

“The businesses we represent around the state think this is not the way to go. The bills that were drafted are too vague,” DiCocco said. “Businesses need to know exactly what’s expected of them.”

Opposition from tech, cellphone and general business organizations doomed a number of state laws.

Hawaii was a typical case: A bill banning sales of cellphone location data without consent, blamed in news reports for creating detailed records of personal lives by so-called location aggregators, passed both houses of the Democratic legislature with little dissent and was set to take effect July 1.

But after opposition from the cellphone industry, Democratic Gov. David Ige vetoed the bill and called for a task force, telling legislators a “lack of clarity” about regulation of a “complex national industry” would make the law too hard to enforce.

CTIA, the association that represents the wireless industry, objected to the bill, complaining of “further fragmentation of consumer privacy laws.” And because location data is often anonymous, the group said, obtaining required consent can be impossible.

In Connecticut, Hawaii, Louisiana, North Dakota and Texas, task forces or advisory committees were set up after privacy legislation was defeated.

Privacy legislation was delayed for consideration next year in Massachusetts, Minnesota, New Hampshire, New Jersey, New York, Pennsylvania and Washington. Similar bills failed outright in Arizona, Florida, Kentucky, Maryland, Mississippi, Montana and New Mexico.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.