The State of Privacy: How State “Privacy” Laws Fail to Protect Privacy and What They Can Do Better

Executive Summary

Today, much of our lives are lived online. How we work, learn, and play is often mediated by screens with companies on the other side gathering data about us. Often, these practices are out of line with what consumers expect, and they put consumer security and privacy at risk. 

The more data companies collect about us, the more our data is at risk. When companies hold your data, the greater the odds it will be exposed in a breach or a hack and end up in the hands of identity thieves, scammers, or shadowy companies known as data brokers that buy and sell a huge amount of data about Americans. The unregulated online advertising and data broker market can result in turbocharged scams, discrimination, and invasive targeted ads. Yet there are very few rules that prevent all this from happening.

Despite data collection and sales being a multi-billion-dollar industry propagated by some of the most powerful companies in the world, the U.S. has no federal privacy law. Therefore, an increasing number of states are passing laws that purportedly aim to protect people’s privacy and security. However, these laws largely fail to adequately protect consumers. In our evaluation of the 14 states that have passed consumer privacy legislation, nearly half received failing grades, and none received an A. 

Weak, industry-friendly laws allow companies to continue collecting data about consumers without meaningful limits. Consumers are granted rights that are difficult to exercise, and they cannot hold companies that violate their rights accountable in court. 

Big Tech has played a big role in the passage of weak state privacy bills. Of the 14 laws states have passed so far, all but California’s closely follow a model that was initially drafted by industry giants such as Amazon. In an analysis of lobbying records in the 31 states that heard privacy bills in 2021 and 2022, the Markup identified 445 active lobbyists and firms representing Amazon, Meta, Microsoft, Google, Apple, and industry front groups. This number is likely an undercount. 

No laws should be written by the companies they are meant to regulate. Allowing Big Tech to heavily shape our privacy rules allows them to consolidate their already outsized power in the economy and in our lives. Privacy rules should balance the scale in favor of the billions of people who rely on the internet in their day-to-day lives.  

A strong comprehensive consumer privacy law would:

• impose data minimization obligations on companies that collect and use personal information – taking the burden off of individuals to manage their privacy online and instead requiring entities to limit their data collection to better match consumer expectations;
• strictly regulate all uses of sensitive data, including health data, biometrics, and location data;
• establish strong civil rights safeguards online and rein in harmful profiling of consumers;
• provide strong enforcement and regulatory powers to ensure the rules are followed; and
• enable consumers to hold companies accountable for violations in court.  

A better future is possible. As of this writing, states including Illinois, Maine, Massachusetts, and Maryland are considering strong legislation that would force changes to the abusive data practices driving commercial surveillance and online discrimination, while allowing businesses to continue to innovate. We can have a strong technology sector while also protecting personal privacy. And states can lead the way.