California's privacy law was supposed to be a model. Then lobbyists got to work.

As states have hit the gas on privacy laws in the last year, industry is winning more concessions — and consumer groups are sounding the alarm.

CALIFORNIA, USA - JANUARY 20: A heavy police and California National Guard presence was on display around California State Capitol during Joe Biden's inauguration ceremony, on January 20, 2021 in Sacramento, California, United States. (Photo by Neal Waters/Anadolu Agency via Getty Images)

Critics say that each insufficient privacy bill that passes lowers the bar even more for what comes after — including possibly a national approach.

Photo: Neal Waters/Anadolu Agency via Getty Images

One morning back in February, Utah state Sen. Kirk Cullimore introduced an updated version of the bill that would soon become the state’s digital privacy law. His measure would be simpler for consumers and less burdensome for business than the California rules that have come to define state privacy in the U.S., the Republican told his fellow members of the tax committee.

Then Cullimore turned the session over to a lawyer from an obscure but powerful industry-backed lobbying group, explaining that the group had helped write the bill and could explain its merits.

“I really want to be upfront about this and my hope that a Utah model could be copied in other states,” Anton van Seventer, of the State Privacy and Security Coalition, told the legislators. “It could serve as the most updated and streamlined model for state privacy legislation in the U.S. today.”

California’s privacy bill, which passed in 2018, was a blow by consumer advocates against tech companies. Because of the state’s size and first-mover advantage, it helped establish what the advocates hoped would be the beginning of a national standard creating consumer protections — even as companies grumbled it overreached and was confusing.

In the last year, however, three more states have passed privacy bills, often with more input from industry, especially from the SPSC and its members, than California took. As a result, consumer groups and even Apple, a former member of the group, have begun ringing alarms. The critics say the new wave of bills has watered down user protections against targeted advertising or incorrect data, and that each insufficient bill that passes lowers the bar even more for what comes after — including possibly a national approach.

From Sacramento to Richmond

The process of undermining California’s comparatively robust protections got a boost last year in Virginia. As legislators in the commonwealth were getting ready to pass the nation’s second online privacy law, some were clear that it was not nearly the attack on tech’s business models that California’s had been. State Sen. David Marsden, a Democrat who introduced the bill, told Protocol during the deliberations that Amazon provided “the first cut of a draft to look at.” He also suggested that business interests from an array of sectors determined the “focus” of the bill, which took inspiration from Washington state’s failed efforts to pass a law, not California’s successes.

The result was a law that covered fewer uses of data by fewer businesses than California’s, though it also broadened some consumer rights over sensitive data and required GDPR-like assessments of certain high-risk processing. It was enough to garner praise from some consumer advocates, while raising muted concerns.

It’s not clear how central the SPSC was to the creation of the Virginia law, but Jim Halpert, a prominent Washington lawyer who represented the group until recently, was a member of a commission to advise the state on how to implement the law. Amazon also appears to have been a member of the group.

It’s not just Virginia: Figuring out exactly which companies SPSC represents and how it operates is tough. The group has little web presence, but a letter it sent to Pennsylvania state lawmakers about a data breach notification bill in 2020 listed several members including Apple, AT&T, Comcast, Facebook (now Meta), Google and Verizon. It also counted some financial companies like Visa, Mastercard and SoftBank among its membership at the time.

An updated list reviewed by Protocol finds the SPSC added health insurer Humana to its roster since 2020. But earlier this month Apple, which has driven Meta nuts by giving users more controls over targeted advertising, confirmed it had left the group over concerns that SPSC’s work is watering down protections for consumers.

And the SPSC’s work on state privacy has been prolific. In addition to SPSC’s presence in Virginia and Utah, the group sent Halpert, who has since left his firm to join the White House’s Office of the National Cyber Director, to speak for industry about a privacy proposal in New York in 2019. The group has disclosed lobbying in Washington state while registering to lobby, without necessarily disclosing much activity, in other states such as Tennessee and Iowa.

In Kentucky, Republican state Sen. Whitney Westerfield, who since January has led an effort to pass a consumer-friendly privacy bill, said the SPSC was “far and away” the most active industry group opposing it. The SPSC was also behind another state lawmaker’s bill, Westerfield said. That proposal was extremely similar to Virginia’s privacy law — and the SPSC boosted that bill “without so much as spitting in my direction,” he added.

“That happens, but I think it was classless not to communicate with me,” Westerfield said.

Westerfield and others suggested the introduction of the alternate bill in Kentucky appears to be part of a steady goalpost-moving project by the SPSC. The group would later tell Utah lawmakers their bill, which consumer advocates say is now the weakest state statute on the books, should become a nationwide model. But, Westerfield said, back before Utah’s bill had come into focus, the message from the SPSC to him was that any state privacy law should be less onerous than Virginia’s.

“I was frustrated with the coalition,” he said. “They had their eyes set, their minds set, at least in communicating with me, that Virginia was the model to have.”

The national stakes

Although the group is definitely active at the state level, it seems also to have its sights set higher. Halpert’s former law firm, DLA Piper, boasts on his profile that, as part of “a coalition of Fortune 500 companies, he has helped to draft more than a hundred US state privacy, data security, security breach notification laws, and consumer protection laws.” Similarly, the bio for Andy Kingman, another DLA Piper lawyer who works with the group, says the SPSC is “at the forefront of the policy arena in all 50 states.” The group spent more than $1.4 million on services through DLA Piper in 2020, according to tax filings.

The SPSC said in a statement it “supports efforts to give consumers greater transparency and control over their data” and “provides substantive expertise to state policymakers, including context on the operational implications of policy proposals.” Like many other industry groups, it has also called for a federal privacy law.

However, the rapid advance of state privacy statutes is changing the national conversation around consumer data protection. As privacy bills ricochet from state to state, each new one seems to be narrower in scope than the one before, widening exemptions and blunting enforcement mechanisms for protecting consumers.

When Utah passed its bill, for instance, a coalition of consumer groups began warning that exemptions in the ban on targeted advertising would actually allow Google or Meta to continue sharing data in-house for that exact purpose. The same opponents also worried consumers didn’t have any right to correct their data, and decried the bill’s “right to cure” provision, which gives business space to fix any lapses if they’re notified about them.

“I’m not sure a lot of other laws that you’re allowed to violate until someone tells you to stop, but it’s definitely been a constant refrain from industry,” said Justin Brookman, director of Consumer Privacy and Technology Policy for Consumer Reports, which has been advocating in several states to counter industry lobbying.

Some of the provisions that most concern consumer advocates have also popped up in other states looking into privacy laws, including Iowa and Ohio.

The spread of course is not all necessarily the work of the SPSC. The larger political picture definitely plays a role, as leaders in red states are generally less interested in putting regulations on businesses. For instance, Cullimore, the Utah senator who brought in the group to explain the bill to lawmakers, noted several prior failures and said his measure could not have passed if it included more consumer-friendly language.

Retail and other industries have also taken a keen interest in privacy issues, and even other tech groups have shown up. TechNet — a lobbying group with members in cloud services, social media, telecom and more — touts its ability to track state-by-state issues, and appears to have done privacy-related work in Kentucky, New York, Iowa and others, and has celebrated Utah’s new privacy law.

Such activity — by the SPSC, TechNet and others — seems at times to conflict with business and trade group assertions that they want Congress to enact one nationwide privacy law, and that they fear having to navigate an inconsistent regulatory patchwork across different states.

Carl Holshouser, TechNet’s senior vice president for Operations and Strategic Initiatives, told Protocol that the group’s top priority is a federal bill. “While we wait for Washington to make progress on a federal law, TechNet will continue to urge state lawmakers debating privacy legislation to consider interoperability with existing laws and minimize the compliance costs and consumer confusion created by a state-by-state patchwork," he said.

Consumer groups say, though, that companies’ efforts to shape more recent state laws will isolate California’s protections to its state residents alone while lowering the bar for what businesses have to offer consumers elsewhere.

“It’s kind of terrifying about how bad it could get,” said Maureen Mahoney, a senior policy analyst at Consumer Reports who has addressed several state legislatures that are working on privacy. “Is it just going to get even worse and worse — industry having complete control over what these laws look like?”

The SPSC has made clear its long-term influence over state laws is the point. In fact, when van Seventer was introducing new bill text in Utah, he didn’t stop at suggesting it could be a model for other states.

“If we get this rolling,” he said, “it could even serve as the model for eventual federal legislation in this area when that’s taken up by the U.S. Congress.”


Gensler: Bitcoin may be a commodity

The SEC has been vague about crypto. But Gensler said bitcoin is a commodity, “maybe.” It’s the clearest glimpse of his views on digital assets yet.

“Bitcoin — maybe that’s a commodity token. That has a big market value, but that goes over there,” Gensler said, referring to another regulator, the CFTC.

Photoillustration: Al Drago/Bloomberg via Getty Images; Protocol

SEC Chair Gary Gensler has long argued that many cryptocurrencies are subject to regulation as securities.

But he recently clarified that this view wouldn’t apply to the best-known cryptocurrency, bitcoin.

Keep Reading Show less
Benjamin Pimentel

Benjamin Pimentel ( @benpimentel) covers crypto and fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at bpimentel@protocol.com or via Google Voice at (925) 307-9342.

Sponsored Content

Why the digital transformation of industries is creating a more sustainable future

Qualcomm’s chief sustainability officer Angela Baker on how companies can view going “digital” as a way not only toward growth, as laid out in a recent report, but also toward establishing and meeting environmental, social and governance goals.

Three letters dominate business practice at present: ESG, or environmental, social and governance goals. The number of mentions of the environment in financial earnings has doubled in the last five years, according to GlobalData: 600,000 companies mentioned the term in their annual or quarterly results last year.

But meeting those ESG goals can be a challenge — one that businesses can’t and shouldn’t take lightly. Ahead of an exclusive fireside chat at Davos, Angela Baker, chief sustainability officer at Qualcomm, sat down with Protocol to speak about how best to achieve those targets and how Qualcomm thinks about its own sustainability strategy, net zero commitment, other ESG targets and more.

Keep Reading Show less
Chris Stokel-Walker

Chris Stokel-Walker is a freelance technology and culture journalist and author of "YouTubers: How YouTube Shook Up TV and Created a New Generation of Stars." His work has been published in The New York Times, The Guardian and Wired.


What the economic downturn means for pay packages

The war for talent rages on, but dynamics are shifting back to the employers.

Compensation packages could start to look different as companies reshuffle the balance of cash and equity.

Illustration: Nuthawut Somsuk/Getty Images

The market is turning. Tech stocks are slumping — which is bad news for employees — and even industry powerhouses are slowing hiring and laying people off. Tech talent is still in high demand, but compensation packages could start to look different as companies recruit.

“It’s a little bit like whiplash,” compensation consultant Ashish Raina said of the downturn. Raina, who mainly works with startups that have 200 to 800 employees, previously worked as the director of Talent at Index Ventures and head of Compensation and Talent Analytics at Box. “I do think there’s going to be an interesting reckoning in terms of pay increases going forward, how that pay is delivered.”

Keep Reading Show less
Allison Levitsky
Allison Levitsky is a reporter at Protocol covering workplace issues in tech. She previously covered big tech companies and the tech workforce for the Silicon Valley Business Journal. Allison grew up in the Bay Area and graduated from UC Berkeley.

How 'Zuck Bucks' saved the 2020 election — and fueled the Big Lie

The true story of how Mark Zuckerberg and Priscilla Chan’s $419 million donation became the 2020 election’s most enduring conspiracy theory.

Mark Zuckerberg is smack in the center of one of the 2020 election’s multitudinous conspiracies.

Illustration: Mike McQuade; Photos: Getty Images

If Mark Zuckerberg could have imagined the worst possible outcome of his decision to insert himself into the 2020 election, it might have looked something like the scene that unfolded inside Mar-a-Lago on a steamy evening in early April.

There in a gilded ballroom-turned-theater, MAGA world icons including Kellyanne Conway, Corey Lewandowski, Hope Hicks and former president Donald Trump himself were gathered for the premiere of “Rigged: The Zuckerberg Funded Plot to Defeat Donald Trump.”

Keep Reading Show less
Issie Lapowsky

Issie Lapowsky ( @issielapowsky) is Protocol's chief correspondent, covering the intersection of technology, politics, and national affairs. She also oversees Protocol's fellowship program. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University's Center for Publishing on how tech giants have affected publishing.


From frenzy to fear: Trading apps grapple with anxious investors

After riding the stock-trading wave last year, trading apps like Robinhood have disenchanted customers and jittery investors.

Retail stock trading is still an attractive business, as shown by the news that crypto exchange FTX is dipping its toes in the market by letting some U.S. customers trade stocks.

Photo: Lam Yik/Bloomberg via Getty Images

For a brief moment, last year’s GameStop craze made buying and selling stocks cool, even exciting, for a new generation of young investors. Now, that frenzy has turned to fear.

Robinhood CEO Vlad Tenev pointed to “a challenging macro environment” marked by rising prices and interest rates and a slumping market in a call with analysts explaining his company’s lackluster results. The downturn, he said, was something “most of our customers have never experienced in their lifetimes.”

Keep Reading Show less
Benjamin Pimentel

Benjamin Pimentel ( @benpimentel) covers crypto and fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at bpimentel@protocol.com or via Google Voice at (925) 307-9342.

Latest Stories