Policy

California's privacy law was supposed to be a model. Then lobbyists got to work.

As states have hit the gas on privacy laws in the last year, industry is winning more concessions — and consumer groups are sounding the alarm.

CALIFORNIA, USA - JANUARY 20: A heavy police and California National Guard presence was on display around California State Capitol during Joe Biden's inauguration ceremony, on January 20, 2021 in Sacramento, California, United States. (Photo by Neal Waters/Anadolu Agency via Getty Images)

Critics say that each insufficient privacy bill that passes lowers the bar even more for what comes after — including possibly a national approach.

Photo: Neal Waters/Anadolu Agency via Getty Images

One morning back in February, Utah state Sen. Kirk Cullimore introduced an updated version of the bill that would soon become the state’s digital privacy law. His measure would be simpler for consumers and less burdensome for business than the California rules that have come to define state privacy in the U.S., the Republican told his fellow members of the tax committee.

Then Cullimore turned the session over to a lawyer from an obscure but powerful industry-backed lobbying group, explaining that the group had helped write the bill and could explain its merits.

“I really want to be upfront about this and my hope that a Utah model could be copied in other states,” Anton van Seventer, of the State Privacy and Security Coalition, told the legislators. “It could serve as the most updated and streamlined model for state privacy legislation in the U.S. today.”

California’s privacy bill, which passed in 2018, was a blow by consumer advocates against tech companies. Because of the state’s size and first-mover advantage, it helped establish what the advocates hoped would be the beginning of a national standard creating consumer protections — even as companies grumbled it overreached and was confusing.

In the last year, however, three more states have passed privacy bills, often with more input from industry, especially from the SPSC and its members, than California took. As a result, consumer groups and even Apple, a former member of the group, have begun ringing alarms. The critics say the new wave of bills has watered down user protections against targeted advertising or incorrect data, and that each insufficient bill that passes lowers the bar even more for what comes after — including possibly a national approach.

From Sacramento to Richmond

The process of undermining California’s comparatively robust protections got a boost last year in Virginia. As legislators in the commonwealth were getting ready to pass the nation’s second online privacy law, some were clear that it was not nearly the attack on tech’s business models that California’s had been. State Sen. David Marsden, a Democrat who introduced the bill, told Protocol during the deliberations that Amazon provided “the first cut of a draft to look at.” He also suggested that business interests from an array of sectors determined the “focus” of the bill, which took inspiration from Washington state’s failed efforts to pass a law, not California’s successes.

The result was a law that covered fewer uses of data by fewer businesses than California’s, though it also broadened some consumer rights over sensitive data and required GDPR-like assessments of certain high-risk processing. It was enough to garner praise from some consumer advocates, while raising muted concerns.

It’s not clear how central the SPSC was to the creation of the Virginia law, but Jim Halpert, a prominent Washington lawyer who represented the group until recently, was a member of a commission to advise the state on how to implement the law. Amazon also appears to have been a member of the group.

It’s not just Virginia: Figuring out exactly which companies SPSC represents and how it operates is tough. The group has little web presence, but a letter it sent to Pennsylvania state lawmakers about a data breach notification bill in 2020 listed several members including Apple, AT&T, Comcast, Facebook (now Meta), Google and Verizon. It also counted some financial companies like Visa, Mastercard and SoftBank among its membership at the time.

An updated list reviewed by Protocol finds the SPSC added health insurer Humana to its roster since 2020. But earlier this month Apple, which has driven Meta nuts by giving users more controls over targeted advertising, confirmed it had left the group over concerns that SPSC’s work is watering down protections for consumers.

And the SPSC’s work on state privacy has been prolific. In addition to SPSC’s presence in Virginia and Utah, the group sent Halpert, who has since left his firm to join the White House’s Office of the National Cyber Director, to speak for industry about a privacy proposal in New York in 2019. The group has disclosed lobbying in Washington state while registering to lobby, without necessarily disclosing much activity, in other states such as Tennessee and Iowa.

In Kentucky, Republican state Sen. Whitney Westerfield, who since January has led an effort to pass a consumer-friendly privacy bill, said the SPSC was “far and away” the most active industry group opposing it. The SPSC was also behind another state lawmaker’s bill, Westerfield said. That proposal was extremely similar to Virginia’s privacy law — and the SPSC boosted that bill “without so much as spitting in my direction,” he added.

“That happens, but I think it was classless not to communicate with me,” Westerfield said.

Westerfield and others suggested the introduction of the alternate bill in Kentucky appears to be part of a steady goalpost-moving project by the SPSC. The group would later tell Utah lawmakers their bill, which consumer advocates say is now the weakest state statute on the books, should become a nationwide model. But, Westerfield said, back before Utah’s bill had come into focus, the message from the SPSC to him was that any state privacy law should be less onerous than Virginia’s.

“I was frustrated with the coalition,” he said. “They had their eyes set, their minds set, at least in communicating with me, that Virginia was the model to have.”

The national stakes

Although the group is definitely active at the state level, it seems also to have its sights set higher. Halpert’s former law firm, DLA Piper, boasts on his profile that, as part of “a coalition of Fortune 500 companies, he has helped to draft more than a hundred US state privacy, data security, security breach notification laws, and consumer protection laws.” Similarly, the bio for Andy Kingman, another DLA Piper lawyer who works with the group, says the SPSC is “at the forefront of the policy arena in all 50 states.” The group spent more than $1.4 million on services through DLA Piper in 2020, according to tax filings.

The SPSC said in a statement it “supports efforts to give consumers greater transparency and control over their data” and “provides substantive expertise to state policymakers, including context on the operational implications of policy proposals.” Like many other industry groups, it has also called for a federal privacy law.

However, the rapid advance of state privacy statutes is changing the national conversation around consumer data protection. As privacy bills ricochet from state to state, each new one seems to be narrower in scope than the one before, widening exemptions and blunting enforcement mechanisms for protecting consumers.

When Utah passed its bill, for instance, a coalition of consumer groups began warning that exemptions in the ban on targeted advertising would actually allow Google or Meta to continue sharing data in-house for that exact purpose. The same opponents also worried consumers didn’t have any right to correct their data, and decried the bill’s “right to cure” provision, which gives business space to fix any lapses if they’re notified about them.

“I’m not sure a lot of other laws that you’re allowed to violate until someone tells you to stop, but it’s definitely been a constant refrain from industry,” said Justin Brookman, director of Consumer Privacy and Technology Policy for Consumer Reports, which has been advocating in several states to counter industry lobbying.

Some of the provisions that most concern consumer advocates have also popped up in other states looking into privacy laws, including Iowa and Ohio.

The spread of course is not all necessarily the work of the SPSC. The larger political picture definitely plays a role, as leaders in red states are generally less interested in putting regulations on businesses. For instance, Cullimore, the Utah senator who brought in the group to explain the bill to lawmakers, noted several prior failures and said his measure could not have passed if it included more consumer-friendly language.

Retail and other industries have also taken a keen interest in privacy issues, and even other tech groups have shown up. TechNet — a lobbying group with members in cloud services, social media, telecom and more — touts its ability to track state-by-state issues, and appears to have done privacy-related work in Kentucky, New York, Iowa and others, and has celebrated Utah’s new privacy law.

Such activity — by the SPSC, TechNet and others — seems at times to conflict with business and trade group assertions that they want Congress to enact one nationwide privacy law, and that they fear having to navigate an inconsistent regulatory patchwork across different states.

Carl Holshouser, TechNet’s senior vice president for Operations and Strategic Initiatives, told Protocol that the group’s top priority is a federal bill. “While we wait for Washington to make progress on a federal law, TechNet will continue to urge state lawmakers debating privacy legislation to consider interoperability with existing laws and minimize the compliance costs and consumer confusion created by a state-by-state patchwork," he said.

Consumer groups say, though, that companies’ efforts to shape more recent state laws will isolate California’s protections to its state residents alone while lowering the bar for what businesses have to offer consumers elsewhere.

“It’s kind of terrifying about how bad it could get,” said Maureen Mahoney, a senior policy analyst at Consumer Reports who has addressed several state legislatures that are working on privacy. “Is it just going to get even worse and worse — industry having complete control over what these laws look like?”

The SPSC has made clear its long-term influence over state laws is the point. In fact, when van Seventer was introducing new bill text in Utah, he didn’t stop at suggesting it could be a model for other states.

“If we get this rolling,” he said, “it could even serve as the model for eventual federal legislation in this area when that’s taken up by the U.S. Congress.”

Fintech

Judge Zia Faruqui is trying to teach you crypto, one ‘SNL’ reference at a time

His decisions on major cryptocurrency cases have quoted "The Big Lebowski," "SNL," and "Dr. Strangelove." That’s because he wants you — yes, you — to read them.

The ways Zia Faruqui (right) has weighed on cases that have come before him can give lawyers clues as to what legal frameworks will pass muster.

Photo: Carolyn Van Houten/The Washington Post via Getty Images

“Cryptocurrency and related software analytics tools are ‘The wave of the future, Dude. One hundred percent electronic.’”

That’s not a quote from "The Big Lebowski" — at least, not directly. It’s a quote from a Washington, D.C., district court memorandum opinion on the role cryptocurrency analytics tools can play in government investigations. The author is Magistrate Judge Zia Faruqui.

Keep ReadingShow less
Veronica Irwin

Veronica Irwin (@vronirwin) is a San Francisco-based reporter at Protocol covering fintech. Previously she was at the San Francisco Examiner, covering tech from a hyper-local angle. Before that, her byline was featured in SF Weekly, The Nation, Techworker, Ms. Magazine and The Frisc.

The financial technology transformation is driving competition, creating consumer choice, and shaping the future of finance. Hear from seven fintech leaders who are reshaping the future of finance, and join the inaugural Financial Technology Association Fintech Summit to learn more.

Keep ReadingShow less
FTA
The Financial Technology Association (FTA) represents industry leaders shaping the future of finance. We champion the power of technology-centered financial services and advocate for the modernization of financial regulation to support inclusion and responsible innovation.
Enterprise

AWS CEO: The cloud isn’t just about technology

As AWS preps for its annual re:Invent conference, Adam Selipsky talks product strategy, support for hybrid environments, and the value of the cloud in uncertain economic times.

Photo: Noah Berger/Getty Images for Amazon Web Services

AWS is gearing up for re:Invent, its annual cloud computing conference where announcements this year are expected to focus on its end-to-end data strategy and delivering new industry-specific services.

It will be the second re:Invent with CEO Adam Selipsky as leader of the industry’s largest cloud provider after his return last year to AWS from data visualization company Tableau Software.

Keep ReadingShow less
Donna Goodison

Donna Goodison (@dgoodison) is Protocol's senior reporter focusing on enterprise infrastructure technology, from the 'Big 3' cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.

Image: Protocol

We launched Protocol in February 2020 to cover the evolving power center of tech. It is with deep sadness that just under three years later, we are winding down the publication.

As of today, we will not publish any more stories. All of our newsletters, apart from our flagship, Source Code, will no longer be sent. Source Code will be published and sent for the next few weeks, but it will also close down in December.

Keep ReadingShow less
Bennett Richardson

Bennett Richardson ( @bennettrich) is the president of Protocol. Prior to joining Protocol in 2019, Bennett was executive director of global strategic partnerships at POLITICO, where he led strategic growth efforts including POLITICO's European expansion in Brussels and POLITICO's creative agency POLITICO Focus during his six years with the company. Prior to POLITICO, Bennett was co-founder and CMO of Hinge, the mobile dating company recently acquired by Match Group. Bennett began his career in digital and social brand marketing working with major brands across tech, energy, and health care at leading marketing and communications agencies including Edelman and GMMB. Bennett is originally from Portland, Maine, and received his bachelor's degree from Colgate University.

Enterprise

Why large enterprises struggle to find suitable platforms for MLops

As companies expand their use of AI beyond running just a few machine learning models, and as larger enterprises go from deploying hundreds of models to thousands and even millions of models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

As companies expand their use of AI beyond running just a few machine learning models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

Photo: artpartner-images via Getty Images

On any given day, Lily AI runs hundreds of machine learning models using computer vision and natural language processing that are customized for its retail and ecommerce clients to make website product recommendations, forecast demand, and plan merchandising. But this spring when the company was in the market for a machine learning operations platform to manage its expanding model roster, it wasn’t easy to find a suitable off-the-shelf system that could handle such a large number of models in deployment while also meeting other criteria.

Some MLops platforms are not well-suited for maintaining even more than 10 machine learning models when it comes to keeping track of data, navigating their user interfaces, or reporting capabilities, Matthew Nokleby, machine learning manager for Lily AI’s product intelligence team, told Protocol earlier this year. “The duct tape starts to show,” he said.

Keep ReadingShow less
Kate Kaye

Kate Kaye is an award-winning multimedia reporter digging deep and telling print, digital and audio stories. She covers AI and data for Protocol. Her reporting on AI and tech ethics issues has been published in OneZero, Fast Company, MIT Technology Review, CityLab, Ad Age and Digiday and heard on NPR. Kate is the creator of RedTailMedia.org and is the author of "Campaign '08: A Turning Point for Digital Media," a book about how the 2008 presidential campaigns used digital media and data.

Latest Stories
Bulletins