Publications
The State Data Privacy Act
Summary
Why is a state compromise bill needed? State legislatures have an opportunity to lead on privacy.
In the absence of a federal privacy law in the United States, state legislators have the opportunity to be the champions of protecting privacy for everyday people. As of September 2024, 19 states have signed state privacy laws, but unfortunately most of those laws—heavily influenced by Big Tech—fail to protect consumers from the harms of online tracking and data abuse as well as they could. In our State Data Privacy Act, we set forth a compromise bill built on existing state laws that meaningfully protects privacy while encouraging innovation.
Why redline the Connecticut Data Privacy Act? States need a more protective and practical bill.
Every American deserves privacy protections, so we set out to craft a proposed privacy bill that works for businesses and consumers alike. The base text of the State Data Privacy Act is the Connecticut Data Privacy Act (CTDPA), a bill that industry often cites as a model for other states to adopt. In our view, CTDPA contains far too many loopholes that prevent it from offering strong privacy protections, but it is an established bill that many state lawmakers are already familiar with. Strengthening the CTDPA provides consistency for businesses while giving consumers meaningful privacy protections.
The goals of the State Data Privacy Act are to:
• Limit ubiquitous online tracking;
• Encourage more privacy-protective methods of online advertising;
• Protect the most sensitive data, including data about kids and teens;
• Use language from existing state laws; and
• Allow for meaningful enforcement of the law to ensure compliance.
The State Data Privacy Act borrows existing language from strong state laws and federal bills wherever possible. Borrowing existing language reduces the chances of conflicts of law and, in many cases, also represents years of deliberation and stakeholder discussions. Because our organizations have been involved in privacy advocacy at the state level for many years, we are familiar with recurring patterns of contention and compromise between businesses and consumer privacy advocates. While this draft does not represent the ideal privacy bill for any of the signatory organizations, it is a compromise that would meaningfully protect consumers.
What changed? Key amendments were necessary to provide meaningful privacy protections.
Data Minimization. A strong privacy law should limit the data companies can collect and use to match what consumers expect based on the context of their interaction with the business. In contrast, the core of the framework found in many state laws is notice-and-choice focused on disclosures in privacy policies. These laws allow businesses to continue collecting whatever personal data they want and using it for any reason they want as long as they disclose that practice in their privacy policies—policies that very few consumers read or could even decipher if they did—meaning the status quo of massive data collection and sale continues uninterrupted. Rather than continue with this approach that harms consumers, the State Data Privacy Act sets out a rule that businesses can only collect and use data when it is “reasonably necessary” to provide the services the consumer asks for. Personal data collected in compliance with these rules may be used for most forms of advertising, providing businesses with data they desire to target ads while avoiding harmful effects stemming from the overcollection of personal data. Adding data minimization requirements is arguably the most important improvement over CTDPA and other similar state laws. (Section 6)
Sensitive Data Protections. We added critical protections for the most sensitive personal data. Sensitive data (including precise geolocation, health data, data about minors, and more) cannot be sold or used for targeted advertising. While the State Data Privacy Act largely moves away from a consent-based system, we kept requirements for affirmative consent when sensitive data changes hands. (Section 1, Section 6)
Clarity on Advertising Rules. Much of the debate around privacy laws comes down to the types of data that are available to use for targeted advertising. The State Data Privacy Act sets forth clear definitions of the different forms of online advertising, aiming to give businesses flexibility to advertise while protecting privacy. Read more below in “Can businesses still advertise?” (Section 1, Section 4, Section 6)
Enforcement. Existing bills mainly rely on state Attorneys General (AG) to enforce privacy protections. AG offices often have limited resources to conduct investigations and enforce the law. Leaving enforcement solely in the hands of under-resourced state AGs makes it much more likely that state privacy laws will be under-enforced—and businesses may be willing to take the risk of not complying with the law because they know that their state AG is unlikely to have the time, money, or staff to investigate violations. Instead, consumers who have been harmed by violations of the law should have the ability to take action to protect themselves, so the State Data Privacy Act includes a private right of action. The bill proposes a compromise that exempts small businesses from the private right of action in recognition of the fact that small businesses often collect less personal data and have fewer resources to implement new legal compliance programs. This narrower private right of action is the best way to protect consumers’ privacy while preserving state resources and protecting small businesses. (Section 12)
Enhanced Protections for Children and Teens. The State Data Privacy Act includes enhanced privacy protections for minors under 18 years of age. Targeted advertising to minors is prohibited, as is already law in Maryland. The sale of minors’ personal data is also banned. Any personal data about a minor is considered sensitive data and therefore can only be collected and used if strictly necessary for the product or service the minor is requesting. If transferring such data is strictly necessary, the company must still request consent before the transfer – from the parent for a child under 13, or from the teen themselves for minors ages 13 to 18. (Section 1, Section 6)
Removed Loopholes that Exempt Big Institutions. CTDPA and most state privacy laws provide entity-level exemptions to any business that already comply with federal privacy laws involving health, finance, or education. In an ideal world, many advocates would like to see all of these exemptions removed (particularly because most existing federal privacy laws are decades old and do not provide the level of protection in the State Data Privacy Act). Still, we recognize that some compromises on narrowly tailored exemptions for already-regulated data may be necessary to ease compliance burdens for businesses. To that end, we included narrow, data-level exemptions for the data covered by existing federal law rather than exempting an entire entity simply because some personal data they handle falls under existing law. The personal data collected from a consumer who visits a hospital’s website shouldn’t be without protection simply because the hospital has to comply with federal privacy laws for its health data. (Section 3)
Definitions. Definitions are the core of any comprehensive bill. After discussions in many states, we’ve solidified important definitions like “targeted advertising” and “sensitive data.” We added a few useful definitions for clarity, including “small business” and “third party.” (Section 1)
Note: In June 2023, Connecticut passed amendments to the CTDPA, primarily focused on consumer health data and protections for minors. The State Data Privacy Act integrates some, but not all, of these amendments.
Where are the compromises? Businesses can still thrive while also protecting privacy.
The debate over privacy legislation is often seen as a conflict between consumer privacy advocates on one side and Big Tech on the other. Small businesses are often caught in the middle, wanting to protect their customers but reliant on the digital advertising models offered to them by ad giants. The State Data Privacy Act aims to resolve these conflicts by proposing compromises on what are often the most contentious issues. These compromises balance the needs of businesses, consumers, and legislators alike.
The Problem | Our Compromise |
Compliance with varying state laws. Many existing state privacy laws need to be stronger, but companies are concerned with keeping up with many differing state laws. | The Connecticut Data Privacy Act is the base text of the State Data Privacy Act, and strong language from existing state privacy laws was used for amendments wherever possible. |
Targeted advertising systems are invasive, commodifying and sharing every bit of our personal data, but are often perceived to be critical for businesses to advertise effectively. | Cross-context behavioral advertising is banned by default, but businesses can use the data they collect directly from their customers to target them with ads. Re-targeting is also allowed by default, pursuant to an opt-out. |
Marketing measurement. Businesses need to collect data to track the efficacy of their ads and prevent click-farm fraud, but they often use marketing measurement as an excuse to collect personal data. | Legitimate marketing measurement is allowed by default, but consumers can opt out of marketing measurement associated with targeted ads. |
Communications with customers. Businesses often wish to communicate with customers, including through sending surveys, to improve their products. Some businesses have expressed concern that privacy laws may prohibit this practice. | Most first-party communications, such as direct mail, email, or text message communications are allowed by default. |
Innovation. Businesses want to use personal data to develop new products, but doing so sometimes involves retaining personal data indefinitely. | Companies can de-identify personal data to develop new products. |
Consent Fatigue. Informed consent is an important part of consumer protection, but excessive consent pop-ups burden businesses and create consent fatigue among consumers. | The data minimization rules limit the collection and use of personal data by default, reducing reliance on consent mechanisms. The universal opt-out provides consumers with a one-click method to express their privacy preferences more easily. The consent requirements that remain are reserved only for particularly high-risk actions, such as transferring sensitive data. |
Loyalty programs are helpful marketing tools that many consumers want to participate in, but businesses often use such programs to monetize and share consumers’ personal data. | Legitimate loyalty programs are unaffected, with only narrow restrictions on sharing and selling data for unrelated purposes. |
Liability of businesses. Companies rely on processors to help operate their business. They don’t have perfect oversight over processors, but consumers also need protection from negligent processors who are receiving their personal data. | Businesses and processors must agree on data protection measures and operate under a contract. Processors may not combine data they receive from different businesses. Businesses aren’t liable for the mistakes of processors if they provide reasonable oversight. |
Data minimization. Data minimization centers the expectations of consumers. However, there are many legitimate behind-the-scenes uses for data that consumers might not expect. | For clarity, the bill includes a list of important behind-the-scenes activities businesses may need to operate, such as legal defense, fraud prevention, or public safety. |
Can businesses still advertise? Simplifying digital advertising into three types provides clear rules for businesses.
The digital marketing industry is complex and constantly evolving as businesses develop new advertising tools and strategies. A strong privacy bill should protect consumers from the most invasive forms of digital marketing while allowing businesses to reach potential customers.
The State Data Privacy Act aims to set clear rules for online advertising by breaking it down into three core forms of advertising. The bill provides different rules for each type of advertising based on the privacy risks associated with each type.
1. Contextual advertising. Businesses engage in contextual advertising when they select advertisements to show consumers based on the topic or content of the media surrounding the advertisement. For example, if the NFL pays to place an advertisement for football tickets on the ESPN app, that is contextual advertising. Contextual advertising relies on generalizable inferences that people might be interested in products or services related to the content on the website, app, publication, or search result they are viewing. Contextual advertising may also include using a consumer’s general location to show ads for local businesses, events, and services. For example, if a local restaurant opens a new location on the other side of town, that restaurant can advertise to consumers within a 10-mile radius of the new location. Contextual advertising is the most privacy-protective of the three advertising types because the ads consumers see do not vary based on their identities. Contextual advertising is one form of advertising permitted under the State Data Privacy Act.
2. First-party advertising. Businesses engage in first-party advertising when they advertise in their own store, on their own website or app, or communicate directly with consumers through mail, email, or text messaging using data they collect. For example, suppose a retailer collects order information or website views as permitted under the data minimization rules. As long as that data does not include sensitive data, the first party may use that data to advertise. This type of advertising aligns with what consumers expect. Most consumers understand that when they browse a company’s website and make a purchase, that company is collecting data about what consumers did on the site. First-party advertising is permitted in the State Data Privacy Act.
3. Targeted advertising. There are varying forms of targeted advertising, all with different levels of risk to privacy and data security. In the interest of drafting a strong bill that prevents the worst data abuses, the State Data Privacy Act distinguishes between the primary methods of targeted advertising and sets different levels of data protection for each.
Cross-contextual behavioral advertising requires tracking consumers everywhere they go online (often without their knowledge) and building invasive profiles based on that data to target them with ads. An example is the Meta Pixel, which is embedded on many websites and automatically sends consumers’ browsing history to Meta. By including data collected over time and across websites as a category of sensitive data, the State Data Privacy and Protection Act bans this invasive practice.
Retargeting is what most people think of when they think of targeted ads. Retargeting involves targeting consumers who visited a website with ads elsewhere online. If a consumer views sneakers on a retailer’s website and that retailer then targets that consumer with ads for those same sneakers on third-party websites, that type of advertising is retargeting. Retargeting is permitted under the State Data Privacy Act, though consumers can opt out of this type of targeted advertising, including (for those with a generalized preference not to receive retargeted ads) through universal opt-out signals.
Targeted advertising relies on both:
• Profiling of an individual or group
• Targeting based on third-party data
Targeted advertising does not include:
• Contextual advertising
• First-party advertising
While many privacy advocates like us ultimately want to see stricter limits placed on first-party and targeted advertising, this tiered structure is a realistic starting point. It ensures businesses have plenty of methods of marketing themselves to potential consumers while protecting consumers from the use of their personal data in the most unexpected and harmful ways.
The State Data Privacy Act provides state lawmakers with the opportunity to protect their constituents.
The State Data Privacy Act is not the model bill that we as consumer privacy advocates would write if we were setting out to write our ideal privacy bill. But it represents a reasonable compromise that gives businesses the consistency they seek across state laws while making the changes that are necessary to ensure that the law actually offers meaningful privacy protections. EPIC and Consumer Reports look forward to working with state lawmakers interested in the State Data Privacy Act.
For a more in-depth dive on the bill, please refer to our section-by-section summary. A redline version from the Connecticut Data Privacy Act is also available.
News
EPIC Publishes Model Privacy Bill as Practical Solution for States
September 24, 2024
EPIC’s Davisson testifies before House Energy & Commerce Committee
September 19, 2024
Support Our Work
EPIC's work is funded by the support of individuals like you, who allow us to continue to protect privacy, open government, and democratic values in the information age.
Donate