Starting in 2018, the U.S. states have been passing consumer privacy laws. Roughly half the states have now passed these laws. While there was promise earlier on that these laws might improve privacy protection in the U.S., the verdict is now becoming clear—the laws are overall quite poor. I’d give most of them Ds or Fs.
When California began the trend in 2018, industry lobbyists sprang into action and descended to states trying to weaken and rewrite their laws. The battle began in Washington, which crafted an anemic law heavily influenced by industry. That law never passed. The fight then shifted to Virginia, where a weak law passed based on a similar recipe. Virginia’s law became a blueprint for many other states, many of which copied and pasted much of it. Even those that didn’t largely followed the same model.
A few years ago, I critiqued the state consumer privacy laws as lacking in imagination: “[W]hile I applaud the sentiment about the states passing privacy laws, I don’t think most really move the needle on privacy.”
The Tragedy of Vermont
Recently, Vermont’s attempt to pass a consumer privacy law took a dark turn. The Vermont legislature passed a hollowed-out bill. Ordinarily, I’d shrug it off as just another disappointment. This year, Alabama, Oklahoma, and Louisiana passed privacy laws that are tremendously weak. Even all the hot sauce in Louisiana can’t give their law any flavor. But I wasn’t expecting much.
Vermont was different. The Vermont bill was powered by Representative Monique Priestley of the Vermont House. She has been a champion of consumer privacy. She has spoken to a wide range of stakeholders and is more knowledgeable about the issue than almost any legislator, federal or state. The original bill was bold and innovative. It had a private right of action and real teeth. It would have made an impact. But it was voted by the governor, despite passing with overwhelming bipartisan support.
The new bill has been weakened by lobbyists so much that Priestley had to vote against it. Imagine how much of a stinker this bill had to be for someone who worked so tirelessly on it to vote no.
Monique Priestley
Priestley wrote:
What happened on this bill in Vermont follows a playbook. Big Oil used it. Big Tobacco used it. And now Big Tech is using it. Flood the building, astroturf the business community, spread misinformation, threaten veto pressure, and wait for the Legislature to tire. Some of the same Big Tech lobbyists who pulled on strings to shape our bill are shaping the dangerously weak federal bill.
The federal bill she’s speaking about is the SECURE Data Act, a disastrous skunkworks of a bill. I critiqued it here.
She continues:
Our government, our businesses, our media, and the very fabric of how we exist, all depends on Big Tech. We are not getting ahead of this. We are devastatingly behind. This bill will not change Big Tech’s harmful business practices. It will not protect consumers. It bakes the status quo of mass data collection and abuse into law. To my fellow Committee members: thank you for the many hours and incredible work you put into this bill. I know I’m not alone in wishing the outcome had been different. This House passed a very strong privacy law two years ago, but unfortunately Big Tech’s power has influenced weakening it to the point that I must regretfully vote against it.
The Battle for Effective Privacy Law Is Being Lost
Sadly, I believe the battle for effective privacy law is being lost. In 2024, I wrote about my disappointment with state consumer privacy laws:
These laws are a missed opportunity. We have a great window now to experiment with various approaches to regulating privacy. Although the GDPR is the best and broadest law, it has many weaknesses. The oft-mentioned saying that the states are the “laboratories of law” is sadly not what is occurring here in the U.S. The states are largely just cutting and pasting, not conducting new experiments. I will put it nicely – the states are currently lacking in imagination. I could describe the state consumer privacy laws in less gentle ways, but I’ll leave that to your imagination.
What’s wrong with the laws?
- The state consumer privacy laws are toothless. They will be weakly and infrequently enforced. For why this will be the case, see my recent paper about how the deck is stacked against effective enforcement: Enforcing Privacy Law: Why Private Litigation is Essential, 107 B.U. L. Rev. (2027).
- The laws lack a private right of action, the most effective tool in the enforcement quiver.
- The laws rely most heavily on individual privacy rights which aren’t very effective and hardly anybody uses. I wrote about this problem in my article, The Limitations of Privacy Rights, 98 Notre Dame L. Rev. 975 (2023).
- The laws provide duties that are hollow. Except for Maryland, the laws have empty data minimization provisions that sound nice but do nothing in practice. The laws require privacy impact assessments but these requirements are poorly implemented and turn into meaningless paper-pushing.
- The laws basically take the maligned notice-and-choice approach to privacy and put lipstick on that pig. For more on why this approach is doomed, see my short essay with Woodrow Hartzog, Kafka in the Age of AI and the Futility of Privacy as Control, 104 B.U. L. Rev. 1021 (2024).
Ultimately, the laws don’t move the needle on privacy protection in a meaningful way. They don’t ask that much of companies. But companies still throw tantrums over these laws . . . like children flipping out over being asked to spend a few minutes cleaning up their room.
As Big Tech keeps winning, people are growing angrier and angrier about the harms of tech. But the industry ignores public sentiment and plows ahead, basking in its hypnotic power over policymakers. Like a Jedi mind trick, lobbyists utter the magic incantation of “innovation” and policymakers collapse and kiss their feet. It infuriates me because privacy doesn’t have to be a zero sum game.
In the early days of the internet, Big Tech promised that everyone would win. But now, it’s often becoming painfully clear that when Big Tech wins, we the people lose.
* * * *
Professor Daniel J. Solove is a law professor at George Washington University Law School. Through his company, TeachPrivacy, he has created the largest library of computer-based privacy and data security training, with more than 180 courses.
Subscribe to Solove’s Free Substack
A supplement to Solove’s regular newsletter with more in-depth discussions
