State Privacy Laws Move Forward, but Are They Strong Enough?

A number of states are moving to adopt sweeping consumer-privacy laws in the coming weeks, though some advocates are urging the states to impose even stronger measures.

Consumer Reports, meanwhile, unveiled a model privacy bill that would make protections automatic rather than force consumers to "opt out" of sharing personal information.

Virginia is expected shortly to become the second state after California to approve comprehensive legislation. The Virginia Consumer Data Protection Act, or CDPA, could be followed by similar actions in Florida, Minnesota, New York, Oklahoma, Utah, and Washington.

Though the bills promise significant new rights for consumers, some experts hope legislators will go even further.

“Virginia’s law is a tremendous step forward,” says Justin Brookman, the director of privacy and technology policy for Consumer Reports. “It offers rights to access, delete, and opt out of the sharing of data that folks don't have today. But it's not as strong as it could be.”

Consumer Reports published a model state privacy bill Tuesday, detailed below, with recommendations on how future state laws could better protect consumers.

It departs in some major ways from the California law and the pending legislation in Virginia and other states. Among other issues, it would impose privacy protections by default rather than put the burden on consumers to protect themselves.

Some privacy experts and technology companies say they’d prefer to see a federal privacy law, rather than state measures.

“The best solution is a comprehensive federal privacy law that empowers people to understand how personal information they share is collected, used, and protected,” says Robert Callahan, senior vice president of state government affairs at the Internet Association, a trade group whose members include Amazon, Google, and Facebook.

“In the absence of federal action,” he adds, “we know that states will continue to consider state-level privacy laws of their own. Such approaches must be thoughtful and include reasonable enforcement measures to be workable.”

What the Virginia Law Would Do

The CDPA and other state proposals give consumers many of the same protections that were rolled out by the California Consumer Privacy Act.

“They all share a common suite of consumer rights,” says Joseph Jerome, the director of platform accountability and state advocacy at Common Sense Media, a consumer advocacy group.

Like California’s law, the CDPA would give Virginians the right to know what details companies have collected about them, the right to access and delete that information, and the right to stop companies from disclosing certain kinds of data to third parties.

However, Jerome says, “there are huge differences in terms of specific provisions, and what a company might have to do on the back end in terms of compliance.”

One key difference is that the California law lets consumers authorize an outside service to contact companies on their behalf. Consumer Reports has found that doesn’t always work in practice, but if the kinks are worked out, it has the potential to make things much easier for consumers.

The Virginia bill doesn’t have that provision, but it does include some additional protections, such as requiring consumers’ consent before processing sensitive data including precise location details and information about race, religion, health, and sexual orientation.

Privacy experts say that the CDPA and other bills under consideration share a major flaw with California’s law: They make consumers do a lot of work to control how companies collect and use their data.

Last summer, a Consumer Reports study found it can be extremely tough to exercise your rights under California’s law.

Over 500 California residents participated in the study, submitting requests to a total of 214 businesses to stop sharing their data with other companies. In 62 percent of cases, participants either didn’t know whether their request was successful, or said they could never figure out how to make the request at all.

Progress has been made since then, according to CR researchers. But even if companies make things easier, some privacy advocates want laws to shift the burden from consumers to the businesses collecting the information.

The laws, they say, still let companies continue operating more or less as usual. Consumers have to take the time to learn who has their data, and then make sure hundreds or even thousands of services are contacted in order to put a stop to it.

CR’s Model Makes Privacy the Default

The model privacy bill proposed by Consumer Reports would stop a lot of the data collection before it starts.

“Under our proposal, privacy is the default. You shouldn't have to worry about it, or exercise a thousand privacy choices to protect yourself,” Brookman says.

In addition to the right to access, delete, and correct data held by companies, CR’s model has a number of fresh provisions, including:

  • Limiting data collection to what is reasonably necessary for a company to operate the services consumers are asking for. A mapping app can ask for your location, for instance, but not go much beyond that. “Privacy laws must set limits on the data that companies can collect and share,” the model bill reads. “This is preferable to an opt-out based regime which relies on users to hunt down and navigate divergent opt-out processes for potentially hundreds of different companies.”

  • A broad prohibition against secondary uses or sharing of data. The law wouldn’t allow you to be bombarded with requests for permission to track you or sell your information. “We do not characterize this framework as an ‘opt-in’ approach either, as secondary data sharing is simply prohibited,” the model bill says. This could keep people from having to click on as many permission boxes when they visit new sites.

  • Non-discrimination. Companies would not be allowed to penalize consumers for exercising their privacy rights. The bill says it “cuts off exploitative programs that could separate consumers into privacy haves and have-nots, and clarifies that legitimate loyalty programs, that rewards consumers for repeated patronage, are supported by this bill.”

The Consumer Reports model bill also includes strong enforcement provisions.

First, CR’s model bill includes a “private right of action,” in which consumers can sue companies for violating a law.

Last year, a privacy bill in Washington state that came close to passing fell apart when privacy advocates pushed for a private right of action, while technology companies argued that enforcement should be restricted to the state’s attorney general.

The CR bill also excludes any language preempting local governments from passing their own privacy laws. Preemption is an especially hot topic on the federal level, with technology companies saying that preemption is needed to keep them from having to scramble to follow dozens of state and city laws that could be enacted.

“A vast patchwork of inconsistent state privacy laws will lead to confusion for the businesses that must comply and for consumers whose rights and protections will vary from state to state,” says Callahan, the Internet Association executive.

These two enforcement issues are the biggest blockers when it comes to privacy legislation in both statehouses and in Congress, says Omer Tene, the vice president and chief knowledge officer at the International Association of Privacy Professionals.

“But at the same time there's been great convergence and agreement from both sides of the aisle,” Tene says. “It’s not low-hanging fruit, but it's doable, and sometimes Congress just wants a win.”