State data privacy laws meant to govern the management of consumer information are largely failing to regulate how private companies use the data they amass, according a report published Thursday.
The report, authored by the nonprofit Electronic Privacy Information Center and the research organization U.S. PIRG Education Fund, evaluated the 14 “comprehensive” — a term commonly ascribed to such legislation — laws states have passed to protect consumer privacy, and assigned each a letter grade based on its efficacy. None received an “A” grade and half received a failing grade. The weakness of the laws, researchers claim, results from the lack of a federal privacy law and lobbying by big tech companies like Amazon and Meta.
Researchers note in the report that the few federal privacy laws governing private industry — including the Electronic Communications Privacy Act and the Health Insurance Portability and Accountability Act — were enacted several decades ago and don’t account for social media, mobile apps and online data brokers that collect massive amounts of consumer data.
The report states the need to address these changes has become even more pressing considering that more than 80% of Americans are concerned about how companies collect and use their data, according to a recent Pew Research Center poll. While this concern has apparently pushed 44 states to consider privacy legislation since 2018, the researchers predicted that a future federal privacy law could be weakened if it takes cues from weak state privacy laws.
Of the 14 state privacy laws, all but California’s Consumer Privacy Act — which received the highest score, a “B+” — follow a model that was initially drafted by industry giants such as Amazon, the report said. And the influence of Big Tech is sprawling at the state level: According to one analysis that looked at the 31 states that heard privacy bills in 2021 and 2022, 445 active lobbyists and firms were identified as representing Amazon, Meta, Microsoft, Google, Apple and industry front groups.
“The accelerating passage of industry-preferred bills not only poses a threat for the residents of the states passing ineffectual laws,” the report reads. “The more states that coalesce around regulations heavily influenced by the very industries that need to be regulated, the greater the risk of lowering the bar for the effectiveness of a future federal law, which is exactly what industry is hoping for.”
Another point of weakness, researchers found, is the laws’ frequent lack of a “private right of action,” a legal mechanism that allows consumers to bring civil action for individual complaints when companies don’t obey the privacy laws. Instead, enforcement of the laws is often left to state attorneys general, and although some of the laws create “data privacy rights” for individuals, they still are unable to hold companies that violate those rights accountable in court.
Along with adding a private right of action, researchers said states can make their laws more efficient by imposing on companies “data minimization” obligations — requirements to collect as little data as possible — thus shifting the burden of privacy management away from individuals. Researchers also suggest states add stricter regulations on sensitive data such as biometric, health and location data and to provide stronger enforcement powers.
The report also notes that there are states — Illinois, Maine, Maryland and Massachusetts — that are considering stronger privacy legislation.
“States that have passed inadequate laws can always amend them,” the report reads. “All states still have the ability to better protect their residents’ privacy.”