The real action for tech regulation is far from Washington, D.C.

Congress doesn’t seem ready to take on privacy or competition, but states are refusing to wait around.

Capitol building

States are more eager to regulate tech than ever before.

Photo: Darren Halstead/Unsplash

Lawmakers are ready to change Big Tech — just not the ones in Washington, D.C.

Congress continues to flail when it comes to regulating privacy, competition and more, but state and even some local governments have already jumped in to fill the void in recent years. Now they’ve got big plans for 2022 that could have national implications.

As state legislatures convene this month, the bills and policies that emerge are likely to increase tech companies’ fears of a legislative patchwork — a system of divergent, and sometimes stringent, obligations among different states.

The fear of having to deal with dozens of different rules at once tends to prompt firms to seek national standards from Capitol Hill, and theoretically can force change across the U.S. or even the world. Sometimes, though, Big Tech makes the smallest possible concessions in response to new state laws. Apple’s decision to let apps alert users about how to get around the phone-maker’s commissions, for example, came at least partially in response to state policy pushes, as did the company’s moves to broaden access to repairs of its devices. As Amazon tries to outflank state-by-state approaches, it’s embraced a federal bill that requires online marketplaces to publish contact information of their third-party sellers. And of course, California’s online privacy law in some ways became a de facto U.S. standard when it went into effect in 2020, as companies determined it was easier to comply universally with some elements rather than pick out California users.

Most state tech policy initiatives collapse before becoming law, the same way they do in Congress. For that status quo to continue, though, tech companies would have to hold the line on a range of issues across up to 50 legislatures. The increasing appetite for some kind of regulation, combined with the Big Tech skeptics who have made work in state capitals a key strategy, makes changes even more likely.

Protocol spoke with tech trade groups that wrangle state issues for member companies as well as tech-skeptic and consumer groups to see what’s likely to come down the pike in the upcoming year. Of course, it can be hard to predict which bills will succeed, or what they might look like once they do, but here are the efforts that tech policy experts said they’re watching most closely.


The passage of California’s privacy law, which went into effect at the beginning of 2020, dismayed tech companies and made data protection the focus of industry pleas to Congress for national regulation. Congress has continued its decades of failures on the issue, but Colorado and Virginia have now adopted their own measures, which will become effective next year. Other states want in.

  • Washington state: Many experts thought the home of Microsoft and Amazon would regulate online data soon after California did, and policy-watchers say it could still be the next state to do so, since lawmakers have already filed paperwork to try again. “For the last several years, privacy bills in Washington state have made it very close to the finish line, but the two houses ultimately failed to come to an agreement,” said Maureen Mahoney, a senior policy analyst at Consumer Reports.
  • Florida: As in Washington, Florida has come close to regulating privacy, with a lot of lawmaker interest and legislative movement on the topic. But the state fell short last year with splits over whether consumers should be able to sue companies. Its latest bill was filed on Friday.
  • New York: A New York online privacy bill passed out of a Senate committee last year and has been re-upped for 2022. The bill would require that consumers consent to data processing beforehand — an “opt-in” model that’s stricter than laws and regulations allowing consumers to remove themselves from data use that’s already begun.
  • Connecticut, Ohio, Oklahoma and other states “may be particularly active in this area as well,” said Tom Foulkes, senior director of State Advocacy at BSA, a trade group representing companies such as Microsoft and IBM.

Content moderation

Nearly 35 states saw bills introduced last year aimed at forcing social media companies such as Facebook and Twitter to leave certain content up on their platforms — usually right-wing posts.

  • Florida: Alongside Texas, the Sunshine State managed to pass a law on the issue, though both statutes are temporarily being held by federal courts for likely violating the First Amendment. Florida, at least, may try to tweak its bill, said a spokeswoman for the Computer & Communications Industry Association, a tech trade group that sued both states over their laws.
  • New York: Rather than trying to force companies to keep up content, a trio of bills in the Big Apple would require platforms to adopt reporting mechanisms for vaccine misinformation, election misinformation and hate. “For every legislator convinced digital services are moderating too much content, there’s one certain they moderate too little,” said Matt Schruers, president of CCIA.
  • Utah: The governor last year vetoed the state’s anti-content moderation bill, but CCIA spokeswoman Heather Greenfield said it's was watching for the legislature to try again.

Competition and app stores

Wholesale antitrust reform aimed at Big Tech is another area where Congress has flexed its muscles, but even bipartisan interest from lawmakers may not be enough to secure passage for any bill. Federal lawmakers have also proposed regulating Apple and Google’s app stores following furious lobbying by both sides on the issue in several states.

  • New York: The state Senate’s deputy majority leader has pledged to keep pushing a competition law overhaul that would make it easier for the state to prove a company's dominance in court and harder for businesses to argue their conduct is justified. The bill is already scheduled for a legislative hearing this week. “It has a lot of tech tie-ins,” said Pat Garofalo, director of State and Local Policy at the American Economic Liberties Project, which pushes to rein in big companies.
  • Arizona: The state arguably came closest of any to passing its app store bill last year and seems poised to try again, said Garofalo, who authored a guide to “taking on Big Tech’s economic power” for state legislators. Georgia also came close, and a different New York bill that focuses just on app stores has been referred to committee again recently.


Workplace questions dominated 2021 for many tech companies, from hopes for longer-term remote options to unionization efforts. In the fall, amid California’s ongoing disputes about gig-worker classification, the state also passed a law preventing workers from having to comply with unsafe quotas in retail warehouses like Amazon’s.

  • Illinois: Given the deaths of six workers at an Amazon warehouse in the state during a December tornado, the state will likely be among those moving forward with warehouse legislation like California’s, according to Garofalo. He said he was also aware of New York lawmakers drafting a version.
  • Massachusetts: The state is already the next battleground over whether those who do work through Uber, DoorDash and similar companies should be treated as employees and what benefits they might receive. It’s in the form of a coming ballot measure, though, rather than legislative action.


While Amazon has come around to backing a federal proposal to combat stolen or counterfeit goods, its top lobbyist said the decision came in part in response to the threat of a state patchwork that the company’s allies are still fighting. “The House has worked out a compromise that online sellers and big-box retail can live with, and states should leave it to them," said Adam Kovacevich, CEO of the Chamber of Progress, which counts Amazon as a corporate partner.

  • California, Wisconsin, and New Hampshire all have hearings in January on marketplace bills, according to a spokesman for the chamber.



The #1 language learning app, Babbel gives you bite-sized lessons in a variety of languages. It'll have you speaking the basics in just 3 weeks. Plus, it has podcasts, games, videos and more to switch things up! Get 60% off today.

Learn more


We’ll be here again: How tech companies fail to prevent terrorism

Social media platforms are playing defense to stop mass shootings. Without cooperation and legislation, it’s not working.

The Buffalo attack showed that tech’s best defenses against online hate aren’t sophisticated enough to fight the algorithms designed by those same companies to promote content.

Photo: Kent Nishimura / Los Angeles Times via Getty Images

Tech platforms' patchwork approach to content moderation has made them a hotbed for hate speech that can turn deadly, as it did this weekend in Buffalo. The alleged shooter that killed 10 in a historically Black neighborhood used Discord to plan his rampage for months and livestreamed it on Twitch.

The move mirrors what happened in Christchurch, New Zealand, when a white supremacist murdered 51 people in a mosque in 2019. He viewed the killings as a meme. To disseminate that meme, he turned to the same place more than 1 billion other users do: Facebook. This pattern is destined to repeat itself as long as tech companies continue to play defense instead of offense against online hate and fail to work together.

Keep Reading Show less
Sarah Roach

Sarah Roach is a news writer at Protocol (@sarahroach_) and contributes to Source Code. She is a recent graduate of George Washington University, where she studied journalism and mass communication and criminal justice. She previously worked for two years as editor in chief of her school's independent newspaper, The GW Hatchet.

Sponsored Content

Foursquare data story: leveraging location data for site selection

We take a closer look at points of interest and foot traffic patterns to demonstrate how location data can be leveraged to inform better site selecti­on strategies.

Imagine: You’re the leader of a real estate team at a restaurant brand looking to open a new location in Manhattan. You have two options you’re evaluating: one site in SoHo, and another site in the Flatiron neighborhood. Which do you choose?

Keep Reading Show less

SAP’s leadership vacuum on display with Hasso Plattner’s last stand

Conflict of interest questions, blowback to the Ukraine response and a sinking stock price hang in the backdrop of Plattner’s last election to the SAP supervisory board.

Plattner will run for a final two-year transition term atop SAP’s supervisory board.

Photo: Soeren Stache/picture alliance via Getty Images

Just one man has been with SAP over its entire 50-year history: co-founder Hasso Plattner. Now, the 78-year-old software visionary is making his last stand.

On Wednesday, Plattner will run for a final two-year transition term atop SAP’s supervisory board, an entity mandated by law in Germany that basically oversees the executive team. Leaders at SAP, for example, report to the supervisory board, not the CEO.

Keep Reading Show less
Joe Williams

Joe Williams is a writer-at-large at Protocol. He previously covered enterprise software for Protocol, Bloomberg and Business Insider. Joe can be reached at JoeWilliams@Protocol.com. To share information confidentially, he can also be contacted on a non-work device via Signal (+1-309-265-6120) or JPW53189@protonmail.com.


Why Google Cloud is providing security for AWS and Azure users too

“To just focus on Google Cloud, we wouldn't be serving our customers,” Google Cloud security chief Phil Venables told Protocol.

Google Cloud announced the newest addition to its menu of security offerings.

Photo: G/Unsplash

In August, Google Cloud pledged to invest $10 billion over five years in cybersecurity — a target that looks like it will be easily achieved, thanks to the $5.4 billion deal to acquire Mandiant and reported $500 million acquisition of Siemplify in the first few months of 2022 alone.

But the moves raise questions about Google Cloud’s main goal for its security operation. Does Google want to offer the most secure cloud platform in order to inspire more businesses to run on it — or build a major enterprise cybersecurity products and services business, in whatever environment it’s chosen?

Keep Reading Show less
Kyle Alspach

Kyle Alspach ( @KyleAlspach) is a senior reporter at Protocol, focused on cybersecurity. He has covered the tech industry since 2010 for outlets including VentureBeat, CRN and the Boston Globe. He lives in Portland, Oregon, and can be reached at kalspach@procotol.com.


The tools that make you pay for not getting stuff done

Some tools let you put your money on the line for productivity. Should you bite?

Commitment contracts are popular in a niche corner of the internet, and the tools have built up loyal followings of people who find the extra motivation effective.

Photoillustration: Anna Shvets/Pexels; Protocol

Danny Reeves, CEO and co-founder of Beeminder, is used to defending his product.

“When people first hear about it, they’re kind of appalled,” Reeves said. “Making money off of people’s failure is how they view it.”

Keep Reading Show less
Lizzy Lawrence

Lizzy Lawrence ( @LizzyLaw_) is a reporter at Protocol, covering tools and productivity in the workplace. She's a recent graduate of the University of Michigan, where she studied sociology and international studies. She served as editor in chief of The Michigan Daily, her school's independent newspaper. She's based in D.C., and can be reached at llawrence@protocol.com.

Latest Stories