RELEASE: Report: State Laws are Failing to Protect Privacy

February 1, 2024

Thursday, February 1, 2024 6:30 AM ET


Big Tech’s Influence on State Privacy Laws is Harming Consumers

WASHINGTON, DC – Today, the Electronic Privacy Information Center (EPIC) and U.S. PIRG Education Fund released The State of Privacy: How State “Privacy” Laws Fail to Protect Privacy and What They Can Do Better. The report found that nearly half of the 14 states that have passed so-called comprehensive privacy laws received a failing grade, and none received an A.

Because Congress has failed to pass a comprehensive privacy law to regulate the technologies that dominate our lives today, state legislatures have tried to fill the void in order to protect their constituents’ privacy. Unfortunately for consumers, in states across the country, legislators introducing consumer privacy bills have faced a torrent of industry lobbying vying to weaken protections. Nearly everywhere, they have succeeded. Of the 14 laws states have passed so far, all but California’s closely follow a model that was initially drafted by industry giants.

“Many of these ‘privacy laws’ protect privacy in name only,” said Caitriona Fitzgerald, deputy director of EPIC. “In effect, they allow companies to continue hoarding our personal data and using it for whatever purposes they want. Big Tech should not be allowed to write the rules.” 

The report details the measures states should be incorporating into legislation to better protect consumers, including:

  • Data minimization obligations on companies that collect and use personal information – taking the burden off individuals to manage their privacy online and instead requiring entities to limit their data collection to better match consumer expectations. 
  • Strict regulation of all uses of sensitive data, including health data, biometrics, and location data.
  • Strong civil rights safeguards online.
  • Limits on the harmful profiling of consumers. 
  • Strong enforcement and regulatory powers to ensure the rules are followed.

“The best way to keep data secure is to not collect it in the first place,” said R.J. Cross, U.S. PIRG Education Fund’s Don’t Sell My Data campaign director. “A law that really protects consumers would prevent companies from collecting and using people’s data however they want. Unfortunately, there’s not a privacy law in the country that does this as well as it should. The laws that are passing in most places are a bad deal for consumers.” 

Some states such as Illinois, Massachusetts, Maine, and Maryland are considering stronger comprehensive consumer privacy legislation that would limit the data companies are allowed to gather about consumers to what’s necessary to deliver the service consumers are expecting to get. 

“Grading these laws really makes it clear that they’re almost all copy-and-paste versions of a bill industry originally wrote,” said Kara Williams, Law Fellow at EPIC and report co-author. “It’s encouraging to see some states considering a different approach.”



The Electronic Privacy Information Center (EPIC) was established in 1994 to protect privacy, freedom of expression, and democratic values in the information age. Our mission is to secure the fundamental right to privacy in the digital age for all people through advocacy, research, and litigation. 


U.S. PIRG Education Fund is an independent, non-partisan group that works for consumers and the public interest. Through research, public education and outreach, we serve as the counterweights to the influence of powerful special interests that threaten our health, safety, and wellbeing. 
