- Of the 14 states that have enacted comprehensive data privacy laws, only California gives people robust protections and even its law is weak in key areas, the Electronic Privacy Information Center and U.S. PIRG Education Fund say.
- The most important privacy protections include a private right of action, data minimization requirements and state attorney general rulemaking authority, and only California has all of those in some form.
- “Weak, industry-friendly laws allow companies to continue collecting data about consumers without meaningful limits,” say the groups in The State of Privacy, released February 2. “Consumers are granted rights that are difficult to exercise, and they cannot hold companies that violate their rights accountable in court.”
The genesis of California’s first-in-the nation law, enacted in 2018, was a proposed ballot petition, which the groups say is the reason it contains relatively strong protections. All of the other state laws were initiated by technology companies and largely written by them, the report says.
“While California’s rules became law in response to a proposed ballot question, Virginia’s legislation [which later became a model for other states] had been handed to the bill sponsor by an Amazon lobbyist, and it was based on an earlier bill from Washington state that had been modified at the behest of Amazon, Comcast, and Microsoft,” the report says.
“Virginia is what the lobbyists were asking for,” Collin Walke, a former state legislator who sponsored a bill in Oklahoma, said in the report.
Connecticut’s law has also become a model, but it’s largely the same as Virginia’s, with one important difference: it allows people to use a browser tool to opt out of website data collection, a provision that isn’t fully implemented.
Weak data minimization
The absence of data minimization rules in all but California is the biggest weakness, according to the report.
These are rules that restrict companies’ use of data to just what’s needed to accomplish what the consumer is trying to do. If the consumer is making a purchase, the rules would require the company to collect what’s needed to complete the transaction and then delete the data, with exceptions to meet other laws.
Not only would those rules keep a lot of data out of other companies’ hands for marketing purposes, but they would keep data safer in the event of a breach.
The Virginia and Connecticut model laws address data minimization but they permit companies to collect data beyond what’s needed as long as the collection is disclosed.
“Businesses can list any purpose they choose in their privacy policies, knowing that very few consumers will read them,” the report says.
Although the laws typically require companies to delete data on request, those provisions are largely ineffective, the report says. The burden is on consumers to make the requests with each and every company that collects the data – most of which are hidden from view – and third-party data that companies access from other sources are typically not included.
“Consumers could, in theory, request companies delete their data, [but] they would have to submit requests one at a time to the hundreds — if not thousands — of entities holding their information,” the report says.
California’s DELETE Act, which took effect last year, is an exception. lt allows consumers to make one deletion request that all data brokers in the state must comply with.
Four states – California, Colorado, New Jersey and New Hampshire – give the state attorney general some leeway to strengthen requirements, an authority the report considers important to making the laws effective.
“Rulemaking authority is critical in providing guidance to businesses on compliance with the law and ensuring the law can keep pace with technology,” the report says.
For enforcement, the laws rely on the state AG to bring actions against companies for violations, something the report sees as having limited deterrent effect.
“The scope of data collection online is simply too vast for one entity to regulate, particularly state attorneys general with limited resources,” the report says.
It’s much better to allow a private right of action, but only California has that, and even in that state, the right is limited to cases involving a data breach. If there’s no breach, consumers can’t sue if a company is believed to be collecting or holding data in violation of the law.
“A private right of action is the most important tool legislatures can give to their constituents to protect their privacy,” the report says. “ A private right of action ensures that controllers have strong financial incentives to comply with state privacy laws.”
The report points to the Biometric Information Privacy Act, in Illinois, which has a private right of action and covers data taken from people’s pictures, fingerprints, voiceprints, retina scans and other types of imaging.
“Lawsuits under that law have led to changes to harmful business practices, such as forcing facial recognition company Clearview AI to stop selling its face surveillance system to private companies,” the report says.
Poor report cards
In an assessment, the report gives California the highest mark for its law, a B+, because it establishes a dedicated agency, with rulemaking authority, to enforce the law, and it includes other protections that go beyond what the other states have. But the California law has its own weaknesses, including with its data minimization provision. Although it puts limits on what companies can collect and keep, the provision is lacking detailed restrictions.
The report gives Colorado, Oregon, New Jersey and Delaware C grades, mainly because they lack data minimization rules and a private right of action, and it gives Connecticut, New Hampshire and Montana D grades.
The remaining half dozen states get Fs. These are Texas, Virginia, Indiana, Tennessee, Utah and Iowa.
“While at the moment, the state of existing state privacy laws is weak, the good news is nothing is permanent,” the report says.
Access The State of Privacy: How state “privacy” laws fail to protect privacy and what they can do better.