California's privacy law was supposed to be a model. Then lobbyists got to work.

As states have hit the gas on privacy laws in the last year, industry is winning more concessions — and consumer groups are sounding the alarm.

CALIFORNIA, USA - JANUARY 20: A heavy police and California National Guard presence was on display around California State Capitol during Joe Biden's inauguration ceremony, on January 20, 2021 in Sacramento, California, United States. (Photo by Neal Waters/Anadolu Agency via Getty Images)

Critics say that each insufficient privacy bill that passes lowers the bar even more for what comes after — including possibly a national approach.

Photo: Neal Waters/Anadolu Agency via Getty Images

One morning back in February, Utah state Sen. Kirk Cullimore introduced an updated version of the bill that would soon become the state’s digital privacy law. His measure would be simpler for consumers and less burdensome for business than the California rules that have come to define state privacy in the U.S., the Republican told his fellow members of the tax committee.

Then Cullimore turned the session over to a lawyer from an obscure but powerful industry-backed lobbying group, explaining that the group had helped write the bill and could explain its merits.

“I really want to be upfront about this and my hope that a Utah model could be copied in other states,” Anton van Seventer, of the State Privacy and Security Coalition, told the legislators. “It could serve as the most updated and streamlined model for state privacy legislation in the U.S. today.”

California’s privacy bill, which passed in 2018, was a blow by consumer advocates against tech companies. Because of the state’s size and first-mover advantage, it helped establish what the advocates hoped would be the beginning of a national standard creating consumer protections — even as companies grumbled it overreached and was confusing.

In the last year, however, three more states have passed privacy bills, often with more input from industry, especially from the SPSC and its members, than California took. As a result, consumer groups and even Apple, a former member of the group, have begun ringing alarms. The critics say the new wave of bills has watered down user protections against targeted advertising or incorrect data, and that each insufficient bill that passes lowers the bar even more for what comes after — including possibly a national approach.

From Sacramento to Richmond

The process of undermining California’s comparatively robust protections got a boost last year in Virginia. As legislators in the commonwealth were getting ready to pass the nation’s second online privacy law, some were clear that it was not nearly the attack on tech’s business models that California’s had been. State Sen. David Marsden, a Democrat who introduced the bill, told Protocol during the deliberations that Amazon provided “the first cut of a draft to look at.” He also suggested that business interests from an array of sectors determined the “focus” of the bill, which took inspiration from Washington state’s failed efforts to pass a law, not California’s successes.

The result was a law that covered fewer uses of data by fewer businesses than California’s, though it also broadened some consumer rights over sensitive data and required GDPR-like assessments of certain high-risk processing. It was enough to garner praise from some consumer advocates, while raising muted concerns.

It’s not clear how central the SPSC was to the creation of the Virginia law, but Jim Halpert, a prominent Washington lawyer who represented the group until recently, was a member of a commission to advise the state on how to implement the law. Amazon also appears to have been a member of the group.

It’s not just Virginia: Figuring out exactly which companies SPSC represents and how it operates is tough. The group has little web presence, but a letter it sent to Pennsylvania state lawmakers about a data breach notification bill in 2020 listed several members including Apple, AT&T, Comcast, Facebook (now Meta), Google and Verizon. It also counted some financial companies like Visa, Mastercard and SoftBank among its membership at the time.

An updated list reviewed by Protocol finds the SPSC added health insurer Humana to its roster since 2020. But earlier this month Apple, which has driven Meta nuts by giving users more controls over targeted advertising, confirmed it had left the group over concerns that SPSC’s work is watering down protections for consumers.

And the SPSC’s work on state privacy has been prolific. In addition to SPSC’s presence in Virginia and Utah, the group sent Halpert, who has since left his firm to join the White House’s Office of the National Cyber Director, to speak for industry about a privacy proposal in New York in 2019. The group has disclosed lobbying in Washington state while registering to lobby, without necessarily disclosing much activity, in other states such as Tennessee and Iowa.

In Kentucky, Republican state Sen. Whitney Westerfield, who since January has led an effort to pass a consumer-friendly privacy bill, said the SPSC was “far and away” the most active industry group opposing it. The SPSC was also behind another state lawmaker’s bill, Westerfield said. That proposal was extremely similar to Virginia’s privacy law — and the SPSC boosted that bill “without so much as spitting in my direction,” he added.

“That happens, but I think it was classless not to communicate with me,” Westerfield said.

Westerfield and others suggested the introduction of the alternate bill in Kentucky appears to be part of a steady goalpost-moving project by the SPSC. The group would later tell Utah lawmakers their bill, which consumer advocates say is now the weakest state statute on the books, should become a nationwide model. But, Westerfield said, back before Utah’s bill had come into focus, the message from the SPSC to him was that any state privacy law should be less onerous than Virginia’s.

“I was frustrated with the coalition,” he said. “They had their eyes set, their minds set, at least in communicating with me, that Virginia was the model to have.”

The national stakes

Although the group is definitely active at the state level, it seems also to have its sights set higher. Halpert’s former law firm, DLA Piper, boasts on his profile that, as part of “a coalition of Fortune 500 companies, he has helped to draft more than a hundred US state privacy, data security, security breach notification laws, and consumer protection laws.” Similarly, the bio for Andy Kingman, another DLA Piper lawyer who works with the group, says the SPSC is “at the forefront of the policy arena in all 50 states.” The group spent more than $1.4 million on services through DLA Piper in 2020, according to tax filings.

The SPSC said in a statement it “supports efforts to give consumers greater transparency and control over their data” and “provides substantive expertise to state policymakers, including context on the operational implications of policy proposals.” Like many other industry groups, it has also called for a federal privacy law.

However, the rapid advance of state privacy statutes is changing the national conversation around consumer data protection. As privacy bills ricochet from state to state, each new one seems to be narrower in scope than the one before, widening exemptions and blunting enforcement mechanisms for protecting consumers.

When Utah passed its bill, for instance, a coalition of consumer groups began warning that exemptions in the ban on targeted advertising would actually allow Google or Meta to continue sharing data in-house for that exact purpose. The same opponents also worried consumers didn’t have any right to correct their data, and decried the bill’s “right to cure” provision, which gives business space to fix any lapses if they’re notified about them.

“I’m not sure a lot of other laws that you’re allowed to violate until someone tells you to stop, but it’s definitely been a constant refrain from industry,” said Justin Brookman, director of Consumer Privacy and Technology Policy for Consumer Reports, which has been advocating in several states to counter industry lobbying.

Some of the provisions that most concern consumer advocates have also popped up in other states looking into privacy laws, including Iowa and Ohio.

The spread of course is not all necessarily the work of the SPSC. The larger political picture definitely plays a role, as leaders in red states are generally less interested in putting regulations on businesses. For instance, Cullimore, the Utah senator who brought in the group to explain the bill to lawmakers, noted several prior failures and said his measure could not have passed if it included more consumer-friendly language.

Retail and other industries have also taken a keen interest in privacy issues, and even other tech groups have shown up. TechNet — a lobbying group with members in cloud services, social media, telecom and more — touts its ability to track state-by-state issues, and appears to have done privacy-related work in Kentucky, New York, Iowa and others, and has celebrated Utah’s new privacy law.

Such activity — by the SPSC, TechNet and others — seems at times to conflict with business and trade group assertions that they want Congress to enact one nationwide privacy law, and that they fear having to navigate an inconsistent regulatory patchwork across different states.

Carl Holshouser, TechNet’s senior vice president for Operations and Strategic Initiatives, told Protocol that the group’s top priority is a federal bill. “While we wait for Washington to make progress on a federal law, TechNet will continue to urge state lawmakers debating privacy legislation to consider interoperability with existing laws and minimize the compliance costs and consumer confusion created by a state-by-state patchwork," he said.

Consumer groups say, though, that companies’ efforts to shape more recent state laws will isolate California’s protections to its state residents alone while lowering the bar for what businesses have to offer consumers elsewhere.

“It’s kind of terrifying about how bad it could get,” said Maureen Mahoney, a senior policy analyst at Consumer Reports who has addressed several state legislatures that are working on privacy. “Is it just going to get even worse and worse — industry having complete control over what these laws look like?”

The SPSC has made clear its long-term influence over state laws is the point. In fact, when van Seventer was introducing new bill text in Utah, he didn’t stop at suggesting it could be a model for other states.

“If we get this rolling,” he said, “it could even serve as the model for eventual federal legislation in this area when that’s taken up by the U.S. Congress.”


An IPO may soon be in Notion’s future

Notion COO Akshay Kothari says there’s room to grow, aided by a new CFO who knows how to take a company public.

Notion has hired its first chief financial officer: Rama Katkar.

Photo: Courtesy of Notion

It’s been a year since Notion’s triumphant $275 million funding round and $10 billion valuation. Since then the landscape for productivity startups trying to make it on their own has completely changed, especially for those pandemic darlings that flourished in the all-remote world.

As recession looms, companies looking to cut costs are less likely to spend money on tools outside of their Microsoft or Google workplace bundles. Enterprise platforms are bulking up and it could spell trouble for the productivity startups trying to unseat them. But Notion COO Akshay Kothari says the company is still aiming to build the next Microsoft, not be the next Microsoft. And in a move signaling a new chapter of maturity, Notion has hired its first chief financial officer: Rama Katkar, Instacart’s former VP of finance.

Keep Reading Show less
Lizzy Lawrence

Lizzy Lawrence ( @LizzyLaw_) is a reporter at Protocol, covering tools and productivity in the workplace. She's a recent graduate of the University of Michigan, where she studied sociology and international studies. She served as editor in chief of The Michigan Daily, her school's independent newspaper. She's based in D.C., and can be reached at llawrence@protocol.com.

Sponsored Content

Great products are built on strong patents

Experts say robust intellectual property protection is essential to ensure the long-term R&D required to innovate and maintain America's technology leadership.

Every great tech product that you rely on each day, from the smartphone in your pocket to your music streaming service and navigational system in the car, shares one important thing: part of its innovative design is protected by intellectual property (IP) laws.

From 5G to artificial intelligence, IP protection offers a powerful incentive for researchers to create ground-breaking products, and governmental leaders say its protection is an essential part of maintaining US technology leadership. To quote Secretary of Commerce Gina Raimondo: "intellectual property protection is vital for American innovation and entrepreneurship.”

Keep Reading Show less
James Daly
James Daly has a deep knowledge of creating brand voice identity, including understanding various audiences and targeting messaging accordingly. He enjoys commissioning, editing, writing, and business development, particularly in launching new ventures and building passionate audiences. Daly has led teams large and small to multiple awards and quantifiable success through a strategy built on teamwork, passion, fact-checking, intelligence, analytics, and audience growth while meeting budget goals and production deadlines in fast-paced environments. Daly is the Editorial Director of 2030 Media and a contributor at Wired.
Securing the Enterprise

Securing the enterprise

There’s no let-up in the surge of cyberattacks against businesses. But shutting down the hackers will require many enterprises to evolve their strategy.

In today’s enterprise, “identity and security are very merged.”

Illustration: iStock/Getty Images Plus; Protocol
the Protocol team
Protocol focuses on the people, power and politics of tech, with no agenda and just one goal: to arm decision-makers in tech, business and public policy with the unbiased, fact-based news and analysis they need to navigate a world in rapid change.

How neobanks are helping consumers game credit scoring

The CFPB says it is closely monitoring secured credit cards offered by neobanks.

Regulators are scrutinizing neobanks' card offerings.

Photo: Oscar Wong/Moment/Getty Images

About one in six Americans has a credit score below 619, according to the CFPB. Another 23% have too thin a credit file to score or no file at all. That puts them in a credit trap: To build credit, these consumers need someone to give them a line of credit with which they can demonstrate good financial habits. But with scores that low, few lenders are prepared to offer them anything.

Neobanks say they can solve the problem through a new twist on secured credit cards. But regulators are already scrutinizing their offerings.

Keep Reading Show less
Veronica Irwin

Veronica Irwin (@vronirwin) is a San Francisco-based reporter at Protocol covering fintech. Previously she was at the San Francisco Examiner, covering tech from a hyper-local angle. Before that, her byline was featured in SF Weekly, The Nation, Techworker, Ms. Magazine and The Frisc.


Steel decided World War II. Chips will decide whatever is next.

“Chip War: The Fight for the World’s Most Critical Technology” foreshadows the coming battle between nations over semiconductors.

“Chip War” outlines the nature of the coming battle over semiconductors, showing how the power to produce leading-edge chips fell into the hands of just five companies.

Image: Scribner; Protocol

“World War II was decided by steel and aluminum, and followed shortly thereafter by the Cold War, which was defined by atomic weapons,” Chris Miller, a professor at Tufts University’s Fletcher School of Law and Diplomacy, writes in the introduction to his latest book. So what’s next? According to Miller, the next era, including the rivalry between the U.S. and China, is all about computing power.

That tech rivalry and the story of how the chip industry got from four to 11.8 billion transistors are all part of Miller’s book, “Chip War: The Fight for the World’s Most Critical Technology,” which comes out Oct. 4. “Chip War” outlines the nature of the coming battle over semiconductors, showing how the power to produce leading-edge chips fell into the hands of just five companies: three from the U.S., one from Japan, and one from the Netherlands.

Keep Reading Show less
Hirsh Chitkara

Hirsh Chitkara ( @HirshChitkara) is a reporter at Protocol focused on the intersection of politics, technology and society. Before joining Protocol, he helped write a daily newsletter at Insider that covered all things Big Tech. He's based in New York and can be reached at hchitkara@protocol.com.

Latest Stories