REPORT: States get failing grades for privacy laws

Media Contacts
R.J. Cross

Director, Don't Sell My Data Campaign, U.S. PIRG Education Fund; Policy Analyst, Frontier Group

REPORT: States get failing grades for privacy laws

Successful industry lobbying has watered down consumer protections

WASHINGTON D.C.  – Nearly half of states that have passed consumer privacy laws get a failing grade for protecting consumers’ data, finds The State of Privacy, a new scorecard report from the Electronic Privacy Information Center (EPIC) and U.S. PIRG Education Fund. Of the 14 states with laws, 6 received Fs, and none received an A.

Tech companies’ harvesting of personal information including demographics and browsing and search history has attracted more attention in recent years. Over 80% of Americans are concerned how companies collect and use their data. The U.S. currently has no comprehensive federal privacy law.

Since 2018, 44 states have considered consumer privacy bills that purportedly aim to protect consumers’ privacy and security. Many of these bills, however, have been heavily influenced by companies such as Amazon, leading to significantly weakened consumer protections across the country. 

“Many of these ‘privacy laws’ protect privacy in name only,” said Caitriona Fitzgerald, deputy director of EPIC. “In effect, they allow companies to continue hoarding our personal data and using it for whatever purposes they want. Big Tech should not be allowed to write the rules.”

The more data that companies collect, and the more companies that hold that data, the more likely it is that that consumers’ information will get exposed in a breach or a hack. Consumers are more likely to become the victim of identity theft or hyper-targeted scams. 

“The best way to keep data secure is to not collect it in the first place,” said R.J. Cross, U.S. PIRG Education Fund’s Don’t Sell My Data campaign director. “A law that really protects consumers would prevent companies from collecting and using people’s data however they want. Unfortunately, there’s not a privacy law in the country that does this as well as it should. The laws that are passing in most places are a bad deal for consumers.” 

Some states such as Illinois, Massachusetts, Maine and Maryland are considering stronger comprehensive consumer privacy legislation that would limit the data companies are allowed to gather about consumers to what’s necessary to deliver the service consumers are expecting to get. 

“Grading these laws really makes it clear that they’re almost all copy-and-paste versions of a bill industry originally wrote,” said Kara Williams, Law Fellow at EPIC and report co-author. “It’s encouraging to see some states considering a different approach.”