One morning back in February, Utah state Sen. Kirk Cullimore introduced an updated version of the bill that would soon become the state’s digital privacy law. His measure would be simpler for consumers and less burdensome for business than the California rules that have come to define state privacy in the U.S., the Republican told his fellow members of the tax committee.
Then Cullimore turned the session over to a lawyer from an obscure but powerful industry-backed lobbying group, explaining that the group had helped write the bill and could explain its merits.
“I really want to be upfront about this and my hope that a Utah model could be copied in other states,” Anton van Seventer, of the State Privacy and Security Coalition, told the legislators. “It could serve as the most updated and streamlined model for state privacy legislation in the U.S. today.”
California’s privacy bill, which passed in 2018, was a blow by consumer advocates against tech companies. Because of the state’s size and first-mover advantage, it helped establish what the advocates hoped would be the beginning of a national standard creating consumer protections — even as companies grumbled it overreached and was confusing.
In the last year, however, three more states have passed privacy bills, often with more input from industry, especially from the SPSC and its members, than California took. As a result, consumer groups and even Apple, a former member of the group, have begun ringing alarms. The critics say the new wave of bills has watered down user protections against targeted advertising or incorrect data, and that each insufficient bill that passes lowers the bar even more for what comes after — including possibly a national approach.
From Sacramento to Richmond
The process of undermining California’s comparatively robust protections got a boost last year in Virginia. As legislators in the commonwealth were getting ready to pass the nation’s second online privacy law, some were clear that it was not nearly the attack on tech’s business models that California’s had been. State Sen. David Marsden, a Democrat who introduced the bill, told Protocol during the deliberations that Amazon provided “the first cut of a draft to look at.” He also suggested that business interests from an array of sectors determined the “focus” of the bill, which took inspiration from Washington state’s failed efforts to pass a law, not California’s successes.
The result was a law that covered fewer uses of data by fewer businesses than California’s, though it also broadened some consumer rights over sensitive data and required GDPR-like assessments of certain high-risk processing. It was enough to garner praise from some consumer advocates, while raising muted concerns.
It’s not clear how central the SPSC was to the creation of the Virginia law, but Jim Halpert, a prominent Washington lawyer who represented the group until recently, was a member of a commission to advise the state on how to implement the law. Amazon also appears to have been a member of the group.
It’s not just Virginia: Figuring out exactly which companies SPSC represents and how it operates is tough. The group has little web presence, but a letter it sent to Pennsylvania state lawmakers about a data breach notification bill in 2020 listed several members including Apple, AT&T, Comcast, Facebook (now Meta), Google and Verizon. It also counted some financial companies like Visa, Mastercard and SoftBank among its membership at the time.
An updated list reviewed by Protocol finds the SPSC added health insurer Humana to its roster since 2020. But earlier this month Apple, which has driven Meta nuts by giving users more controls over targeted advertising, confirmed it had left the group over concerns that SPSC’s work is watering down protections for consumers.
And the SPSC’s work on state privacy has been prolific. In addition to SPSC’s presence in Virginia and Utah, the group sent Halpert, who has since left his firm to join the White House’s Office of the National Cyber Director, to speak for industry about a privacy proposal in New York in 2019. The group has disclosed lobbying in Washington state while registering to lobby, without necessarily disclosing much activity, in other states such as Tennessee and Iowa.
In Kentucky, Republican state Sen. Whitney Westerfield, who since January has led an effort to pass a consumer-friendly privacy bill, said the SPSC was “far and away” the most active industry group opposing it. The SPSC was also behind another state lawmaker’s bill, Westerfield said. That proposal was extremely similar to Virginia’s privacy law — and the SPSC boosted that bill “without so much as spitting in my direction,” he added.
“That happens, but I think it was classless not to communicate with me,” Westerfield said.
Westerfield and others suggested the introduction of the alternate bill in Kentucky appears to be part of a steady goalpost-moving project by the SPSC. The group would later tell Utah lawmakers their bill, which consumer advocates say is now the weakest state statute on the books, should become a nationwide model. But, Westerfield said, back before Utah’s bill had come into focus, the message from the SPSC to him was that any state privacy law should be less onerous than Virginia’s.
“I was frustrated with the coalition,” he said. “They had their eyes set, their minds set, at least in communicating with me, that Virginia was the model to have.”
The national stakes
Although the group is definitely active at the state level, it seems also to have its sights set higher. Halpert’s former law firm, DLA Piper, boasts on his profile that, as part of “a coalition of Fortune 500 companies, he has helped to draft more than a hundred US state privacy, data security, security breach notification laws, and consumer protection laws.” Similarly, the bio for Andy Kingman, another DLA Piper lawyer who works with the group, says the SPSC is “at the forefront of the policy arena in all 50 states.” The group spent more than $1.4 million on services through DLA Piper in 2020, according to tax filings.
The SPSC said in a statement it “supports efforts to give consumers greater transparency and control over their data” and “provides substantive expertise to state policymakers, including context on the operational implications of policy proposals.” Like many other industry groups, it has also called for a federal privacy law.
However, the rapid advance of state privacy statutes is changing the national conversation around consumer data protection. As privacy bills ricochet from state to state, each new one seems to be narrower in scope than the one before, widening exemptions and blunting enforcement mechanisms for protecting consumers.
When Utah passed its bill, for instance, a coalition of consumer groups began warning that exemptions in the ban on targeted advertising would actually allow Google or Meta to continue sharing data in-house for that exact purpose. The same opponents also worried consumers didn’t have any right to correct their data, and decried the bill’s “right to cure” provision, which gives business space to fix any lapses if they’re notified about them.
“I’m not sure a lot of other laws that you’re allowed to violate until someone tells you to stop, but it’s definitely been a constant refrain from industry,” said Justin Brookman, director of Consumer Privacy and Technology Policy for Consumer Reports, which has been advocating in several states to counter industry lobbying.
The spread of course is not all necessarily the work of the SPSC. The larger political picture definitely plays a role, as leaders in red states are generally less interested in putting regulations on businesses. For instance, Cullimore, the Utah senator who brought in the group to explain the bill to lawmakers, noted several prior failures and said his measure could not have passed if it included more consumer-friendly language.
Retail and other industries have also taken a keen interest in privacy issues, and even other tech groups have shown up. TechNet — a lobbying group with members in cloud services, social media, telecom and more — touts its ability to track state-by-state issues, and appears to have done privacy-related work in Kentucky, New York, Iowa and others, and has celebrated Utah’s new privacy law.
Such activity — by the SPSC, TechNet and others — seems at times to conflict with business and trade group assertions that they want Congress to enact one nationwide privacy law, and that they fear having to navigate an inconsistent regulatory patchwork across different states.
Carl Holshouser, TechNet’s senior vice president for Operations and Strategic Initiatives, told Protocol that the group’s top priority is a federal bill. “While we wait for Washington to make progress on a federal law, TechNet will continue to urge state lawmakers debating privacy legislation to consider interoperability with existing laws and minimize the compliance costs and consumer confusion created by a state-by-state patchwork," he said.
Consumer groups say, though, that companies’ efforts to shape more recent state laws will isolate California’s protections to its state residents alone while lowering the bar for what businesses have to offer consumers elsewhere.
“It’s kind of terrifying about how bad it could get,” said Maureen Mahoney, a senior policy analyst at Consumer Reports who has addressed several state legislatures that are working on privacy. “Is it just going to get even worse and worse — industry having complete control over what these laws look like?”
The SPSC has made clear its long-term influence over state laws is the point. In fact, when van Seventer was introducing new bill text in Utah, he didn’t stop at suggesting it could be a model for other states.
“If we get this rolling,” he said, “it could even serve as the model for eventual federal legislation in this area when that’s taken up by the U.S. Congress.”