Does Your State Care About Your Digital Privacy?

Where you live says a lot about how protected you are while online, as shown in CR's interactive map. But protections may be on the way.


Most of us understand that companies have to collect some information about us—online retailers, after all, need your address to get stuff to your door, and ride-hailing apps need your real-time location to pick you up. 

But what if the information collected is unrelated to why you connected with the company in the first place? If, say, a fast-food chain uses its mobile app—which you downloaded to take advantage of a two-for-one burger deal—to track your location around the clock, even when you aren’t using the app? Kinda weird, right? 

And what if you then learned that a data broker was weaving that record of your daily movements into a detailed profile, and that you were being targeted with ads based partly on which churches or political events you attend, doctors you visit, or bars you frequent? For sale: Political conservative. Psychotherapy patient. Heavy drinker. 

In other words, while many workings of the data economy might seem harmless or merely annoying, it’s also easy to imagine how someone recording the minutiae of our digital lives could use the information in ways that cross into creepy or even predatory. 

And here’s the thing: In most of the U.S., there are no comprehensive laws governing what businesses can do with your information, and few specific limits to how much data they can collect about you, who they can share it with and sell it to, or what it can be used for. 

Happily, this has started to change. Since 2018, federal lawmakers and 44 state legislatures have debated digital privacy bills, and 18 states have passed such laws so far. All grant valuable privacy protections, including the right to access the data a company has about you, to have it deleted on request, and (in most cases) to opt out of data sharing and targeted ads.

Unhappily, say consumer advocates, most of these laws don’t do nearly enough to protect consumers. More than half contain flaws that leave consumers deeply vulnerable, they say, and some are so riddled with shortcomings that consumers in those states hardly benefit at all. 

“The worst of them do little more than cement in place the status quo that existed before these laws were passed,” says Consumer Reports policy analyst Matt Schwartz. 

The map below shows where your state stands on digital privacy. With guidance from CR privacy experts, we grouped states based on the strength of their data privacy laws. Hover over each for a thumbnail of the strengths and weaknesses of its law. (We will periodically update the map as laws change.)

Where Does Your State Stand on Data Privacy?
How we ranked states: Overall protection levels (represented by blue shading) were determined by evaluating the law's privacy provisions. States were deemed to provide better than "minimal protections" only if they require companies to honor universal opt-out mechanisms or data requests from authorized agents. Laws were given credit for basic control rights if consumers have the right to access, correct, or delete their data, or to opt out of ad targeting and profiling. Laws were credited for data minimization if they permit companies to collect, process, and share only the data needed to deliver the good or service the consumer asks for, and for private right of action if consumers can enforce their privacy rights in court.

Privacy Basics

To be sure, even consumers covered by relatively weak data privacy laws are in some ways better off than their counterparts in states with none.  

All 18 state data privacy laws grant consumers baseline rights, including the right to access the data a company has about them and have it deleted on request. 

Most also give state residents the right to correct untrue or outdated information that they find. Nearly all also give consumers the right to opt out of several ways a company might use or process their data, including generating detailed profiles or dossiers of them, targeting them with ads, and selling their data to someone else. 

Many also require companies to conduct formal risk assessments of their own data privacy and security practices (though not to make them public). Most prohibit companies from treating consumers who choose to exercise their opt-out and other rights differently from those who do not (by charging them higher prices, for example). And most try to prevent companies from using personal data in ways that violate anti-discrimination and other civil rights laws. 

All those are important rights and safeguards. The problem, many privacy advocates say, is that they do not on their own add up to real privacy protection. 

One big reason is that instead of limiting the data companies can collect in the first place, most of these laws put the onus on consumers to police their own data after the fact. 

What’s more, consumers often have to do that policing one company at a time—something almost none of us has the time or resources to do. Even if you doggedly opt out at every website you use, and tell every company you know you’ve interacted with to delete your data, trying to corral the vast networks of anonymous data brokers and marketing firms that have been buying and selling your data for years would be impossible. 

“That’s just not a workable or meaningful system,” says Caitriona Fitzgerald, deputy director at the Electronic Privacy Information Center. “And rights that aren’t usable are not truly rights.” 

Digital Privacy Provisions That Matter

What provisions would add up to robust consumer protections, according to privacy advocates? Here’s a list. 

Data minimization: The best way to give consumers control over their personal information, privacy advocates say, is a strong “data minimization” standard. This simple but powerful idea would permit companies to collect, process, or sell only the data they need to deliver the good or service the consumer asked for. (Not incidentally, strong data minimization also reduces the chance that our personal data winds up in the hands of identity thieves and other fraudsters, who often exploit information they get via data breaches.)

A prototypical example is based on a 2013 enforcement by the Federal Trade Commission: a flashlight app needs access to your device to turn on and off the light, but it doesn’t need access to your geolocation information. A strong data minimization standard would prevent such an app from even asking consumers for such access. 

Industry coalitions say that kind of data minimization is far too restrictive—that it would stifle innovation by, for example, preventing companies from offering goods, services, and features that consumers would want but haven’t explicitly requested. They also say the line between what data companies do and do not legitimately need is impossibly indistinct and unenforceable. 

So far, only Maryland has strong data minimization requirements that do more than prevent companies from collecting data for purposes that aren’t listed in their privacy policies—a standard that privacy advocates say lets companies collect data for almost any reason they want, as long as they disclose it in the legal boilerplate that almost nobody reads. 

Universal opt-outs: If lawmakers won’t embrace strong data minimization, privacy experts say the next best approach is to give consumers tools that enable them to exercise their rights conveniently and efficiently. 

Two types have emerged so far. A “universal opt-out mechanism” is software that, when activated, automatically instructs every website you visit to opt you out of certain data practices, which usually include selling your data and using it to target you with ads. (Consumer Reports helped create the Global Privacy Control technical standards behind the most popular universal opt-out tools.)  

In order for such tools to be effective, however, lawmakers have to require companies to honor the opt-out signals—and only 12 of the 18 states with digital privacy laws have done so.  

Authorized agents: Another way to help consumers take advantage of their privacy rights is to give them the right to appoint an “authorized agent” that can send data rights requests on their behalf. This potentially lets consumers outsource the task of telling hundreds or thousands of companies not to collect, share or sell their data, and to delete any they already have. Consumers are taking advantage of authorized agent provisions when they use CR’s free Permission Slip mobile app this way. 

So far, about two-thirds of the 18 states have authorized agent provisions.

Privacy Loopholes and Exceptions

Several state privacy laws contain loopholes that let companies ignore certain restrictions, say consumer advocates. 

Some, for example, ostensibly forbid the sale of certain personal data but define “sale” so narrowly that companies can easily work around the rule. Some ban only a transfer of data in exchange for monetary compensation, letting some companies argue that selling access to personal data isn’t a sale if the data itself never changes hands, or that transferring data in exchange for nonmonetary compensation isn’t a sale. 

Another notable example: Several of the laws restricting the use of personal data exempt “pseudonymous data,” which is typically defined as personal data that shouldn’t be attributable to a specific individual without additional info. The issue here, consumer advocates say, is that supposedly pseudonymous data often includes identifiers such as IP addresses and device IDs that can easily be used by the purchaser of the data to reconnect it to a specific person. Three state laws (Iowa, Kentucky, and Tennessee) include this loophole. 

Other states exempt entire industries on the grounds that they’re already covered by sector-specific privacy rules, such as the Health Insurance Portability and Accountability Act or the financial industry’s Gramm-Leach-Bliley Act. The concern here is that those laws, passed in the 1990s, lack important protections, and that consumers may be misled by the resulting ambiguities. (Many people wrongly assume that all health-related websites, services, and apps are covered by HIPAA, for example.) 

Several states also create carve-outs for small and midsized businesses, ostensibly to shield them from the cost of compliance. But such companies are significant contributors of consumer information to the data economy, as a CR study recently demonstrated. And in some cases, the definitions of small and midsized business mean all but the state’s very largest companies are exempt. 

The Importance of Enforcement

Yet another concern of privacy advocates is inadequate enforcement. “You can have the nice rights you want in a bill, but if there’s no enforcement, they’re just nice words,” says Hayley Tsukayama, associate director of legislative action at the Electronic Frontier Foundation. 

Most of the laws rely heavily on state attorney general offices, which privacy advocates say often don’t have the resources or expertise to regulate the vast scope of data practices in their state. “There’s no way they can meaningfully enforce violations, and industry knows that,” says Fitzgerald of the Electronic Privacy Information Center. Justin Brookman, CR’s director of technology policy, says only two enforcement actions have happened so far under these 18 state laws. 

Instead, consumer advocates say, state privacy laws should include a “private right of action,” explicitly giving consumers the right to bring lawsuits if their privacy rights have been violated and giving companies a strong financial incentive to comply. 

To date, only California’s privacy law includes a private right of action, and only in the event of a data security breach. 

The High-Stakes Race to the Statehouse

Consumer advocates say all these shortcomings are largely the result of intense lobbying by companies that profit from the data economy. 

“Their position has been, let’s do the bare minimum amount of privacy that doesn’t fundamentally change our business practices and try to lock that in as the ceiling for what can be in a privacy bill,” says CR’s Schwartz. 

Indeed, the 2018 passage of the California Consumer Privacy Act kicked off a kind of lobbying arms race. As federal data privacy bills failed to gain momentum over the following years, it became increasingly clear that the future of data privacy would be contested one state legislature at a time. The next state law to pass, in Virginia in 2021, was drafted by a tech industry lobbyist, as the legislator who sponsored it acknowledged in a 2021 Reuters report. That law’s more narrowly crafted restrictions soon became the template for many of the bills that followed. 

After Virginia, it became hard for state legislators to push back against the momentum, says EPIC’s Fitzgerald. “They were told these were privacy bills, and some believed in good faith they were doing something good for their constituents,” she says. “Unfortunately, the bills do little to protect consumers.” 

Others disagree. “Our multi-sector coalition is proud to have been one of many stakeholders that have worked on a comprehensive privacy framework that now covers well over 100 million Americans and has received overwhelming bipartisan support across state legislatures with dramatically different political dynamics,” Andrew Kingman, counsel to the State Privacy & Security Coalition, wrote in response to CR’s questions on the range of concerns expressed by privacy advocates. The group’s members include technology, retail, financial, telecom, healthcare, and consumer products companies. 

The map of state privacy laws continues to evolve. Since 2023, several states have passed laws on what privacy advocates call the “Connecticut model,” after that state’s 2022 law, that are somewhat more protective of consumer rights than those based on Virginia. (Most notably, they include universal opt-out and authorized agent provisions.) 

And in May, Maryland governor Wes Moore signed into law what consumer advocates say is the strongest state measure yet, with the possible exception of California. It includes strong data minimization provisions, special protections for sensitive data related to race, religious beliefs, and health, and civil rights elements aimed at preventing the discriminatory use of personal data.

Simple Ways to Protect Your Privacy

Regardless of the current data privacy laws in your state, there are some simple ways to limit how much personal data companies collect on you. Try these for starters:
• Limit GPS tracking on your smartphone. 
• Stop your apps from tracking you. 
• Use your browser’s privacy settings (and consider switching to a more secure browser, or using a privacy-protecting browser extension). 
• Use CR’s free Permission Slip mobile app, which shows what kinds of information companies collect and lets you, with a simple tap, tell the company to stop selling your data or delete it entirely.

For step-by-step instructions on those measures, and a more thorough list, check out these 30-second privacy fixes. For even more protection, try CR’s free Security Planner tool, which will make customized recommendations after you answer a few simple questions.