
Of the 19 states that have passed data privacy laws, nearly half of them receive a failing grade.
Director, Don't Sell My Data Campaign, U.S. PIRG Education Fund
Don't Sell My Data Campaign, Associate, U.S. PIRG Education Fund
Across the country states are passing consumer privacy laws. It might sound like a good thing. After all, the U.S. currently lacks a federal comprehensive privacy law, and the more specific laws that do exist haven’t kept up with the times. HIPAA, for example, doesn’t protect the data that health websites, apps, or wearables like FitBits collect about us. Something needs to change.
Since 2018, 44 states have considered comprehensive consumer privacy bills that purportedly aim to protect people’s privacy and security. So far 19 states have passed them. Many of these bills, however, have been heavily influenced by companies such as Amazon, leading to significantly weakened consumer protections across the country.
We partnered with our friends over at EPIC to grade state privacy laws. The bad news: Of the 19 state privacy bills that have passed, nearly half fail to protect people’s personal information. The good news: It’s not too late to change course – and some states already have.
Right now we’re all having our data collected way more often than we realize, and it’s getting sold to a bunch of companies we’ve never even heard of. That puts our personal security at risk.
Almost every company we interact with collects some amount of data on us. Sometimes it’s data that makes sense. Amazon needs your shipping address, and Uber needs your location. When data collection gets out of hand, however, it can cause you big problems. And today, it’s getting out of hand a lot.
The fast-food chain Tim Hortons was accused by Canadian authorities of using its mobile app to harvest users’ location data 24/7, even when the app was closed. According to a 2023 Mozilla Foundation investigation, all 25 major car brands may collect data including health diagnoses and genetic information from your car’s computers and apps.
Companies not only gather unnecessary data, they often use your data for irrelevant purposes. A study by Human Rights Watch, for example, found that educational apps and websites used by schools were harvesting the data of millions of schoolchildren and sending it to third parties while students learned. We found Mastercard monetizes your credit card transaction history by making it available to the online advertising industry. We also found that Allstate’s data broker Arity monetizes driver data in much the same way.
The websites and apps you rely on often have secret tracking technology like cookies in the background. Tracking cookies stay on your browser or device long after you’ve left a webpage or even shut down your computer for the day. They follow you across sites over time, collecting information like your location and browsing and search history. They then transmit that information to third party companies you’ve never heard of, and those companies turn around and sell your data to even more companies you’ve never heard of. These companies are called data brokers, and they are particularly bad for your security.
The more data companies collect, the more dangerous it is for you. And the more entities companies share your data with, the more likely it is that your personal information will be exposed in a breach or a hack. Your bank account number could end up with identity thieves. Your contacts could end up with scammers. Your phone number can end up on annoying robocall and robotext lists.
Data security problems affect millions every year. In 2023, the FTC received more complaints about identity theft — over 1 million complaints from consumers — than any other category. The second most common complaint was about imposter scams — schemes where fraudsters falsely claim to be a relative in distress or a business a consumer has shopped at previously requesting money or personal information. In 2023, consumers lost nearly $2.7 billion to imposter scams. The more personal information scammers have about a consumer’s life, the more convincing these scams become.
Data brokers and the online advertising industry that harvest a lot of our information are particularly dangerous. Every time we load a webpage that shows us a targeted ad, there’s a big auction happening in the background with companies exchanging our browsing, location and other data. A recent study found that these auctions expose the average American’s data 747 times per day.
All across the country, tech and other companies are pushing for weak laws. The majority of the 19 state laws passed so far closely follow a model that was initially drafted by industry giants such as Amazon. From tech to telecoms, there are a lot of companies making a lot of money in data.
In 2021, Virginia became the second state in the nation to pass a comprehensive consumer data privacy law. Where California’s law — which was passed in 2018 — established some real protections, Virginia’s was almost entirely void of meaningful provisions. A notable difference: While California’s rules became law in response to a proposed ballot question, Virginia’s legislation had been handed to the bill sponsor by an Amazon lobbyist, and it was based on an earlier bill from Washington state that had been modified at the behest of Amazon, Comcast, Microsoft, and other industry lobbyists.
The Virginia law was weak. Companies could continue collecting whatever data they want as long as it was disclosed somewhere in a privacy policy. While consumers could, in theory, request companies delete their data, they would have to submit requests one at a time to the hundreds — if not thousands — of entities holding their information. Consumers also had no ability to hold companies accountable in court for violating the privacy law meant to protect them. Virginia gets an F in this scorecard.
Unfortunately, Virginia became the model state legislators have been pushed to match. Kentucky Sen. Whitney Westerfield (R) tried to counter this pressure for a weak privacy bill by running a strong privacy bill over multiple years. Sen. Westerfield’s bill passed the Senate in 2023, but the state ultimately enacted a Virginia-style bill (and like Virginia, receives an F on this scorecard). In a Vermont hearing convening state legislators to share their experience of industry lobbying on their privacy bills, Sen. Westerfield said, “Everyone said ‘follow Virginia, Virginia is the model.’ No one could explain why Virginia was the model, that was just the model they all went with.”
More recently, some lobbyists have pivoted to pushing the “Connecticut model” — a pretty similar bill to Virginia, but with a couple of actual perks for consumers. Most notably, Connecticut allows consumers to use a browser tool to automatically opt out of websites collecting data. That is pretty neat. The law, however, included no ability for someone like the Attorney General to specify what that tool should look like – something you really need in order to make sure it all works.
The story in Connecticut is the story of other states. What passed in 2022 ended up notably weaker than what co-sponsor Sen. Bob Duff had introduced every year previously since 2019. As he told The Markup, during a hearing on his bill in 2020 the room was “literally filled with every single lobbyist I’ve ever known in Hartford, hired by companies to defeat the bill.” Connecticut gets a D in this scorecard.
The scale of the tech industry lobbying is hard to ignore. An investigation by The Markup identified 445 active lobbyists and firms representing Amazon, Meta, Microsoft, Google, Apple, and industry front groups in 31 states that heard privacy bills in 2021 and 2022. A 2023 analysis from Pluribus News of state tech lobbying found that in the 19 states with thorough lobbying disclosure requirements, major tech and industry lobbying groups spent $13.4 million – triple what they spent in these states a decade ago.
In the Vermont convening of state legislators who had faced industry lobbying on privacy bills, many shared stories of vast efforts. When Maine was considering privacy legislation in 2024, Rep. Maggie O’Neil — the sponsor of a strong privacy bill that failed to pass by only a handful of votes on the last day of the legislative session — recounted seeing “more lobbyists hired in the building than I have ever seen on bills before” in her 8 years in the Legislature. Sen. Love testified that it was a similar story in Maryland: “I will tell you, I have not in my six years, in my second term, seen as hard a lobbying job as these folks did. They put so much money into pushing and lobbying.”
One strategy state legislators have noticed is tech companies using trade groups and business organizations to openly criticize strong bills rather than testifying against bills themselves. Rep. O’Neil noticed this tactic in Maine: “Very rarely did we hear directly from a Facebook or a Google or an Amazon. There were organizations that lobbied on their behalf . . . like TechNet or State Privacy and Security Coalition.” Meta, Google and Amazon are all members of both TechNet and the State Privacy and Security Coalition.
Another strategy that emerged last session is industry coordination with local businesses. An investigation by Politico found that the State Privacy and Security Coalition (SPSC) coordinated efforts amongst local Vermont business groups – including the Vermont Chamber of Commerce, the Vermont Retail & Grocers Association, and the Vermont Ski Areas Association – to oppose the strong Vermont bill that contained a private right of action.
The State Privacy and Security Coalition (SPSC) in particular has been an effective lobbying force. Politico found that SPSC worked to oppose and water down strong privacy bills—or to support bills similar to the weak industry model—in at least 32 states.
These industry-preferred bills aren’t just a bad deal for the residents of those states. Where the states go, Congress often follows. The more states that coalesce around regulations heavily shaped by the industry they’re meant to regulate, the lower the bar we’re setting for a federal law in the future. And given how we haven’t been able to update any of our previous federal small-potatoes privacy bills like HIPAA for the world of smartphones, a bad law today could mean a bad law for all of us for 20+ years.
The consumer data laws we’re seeing now just don’t do enough to change the status quo. They generally allow consumers to access, correct, and delete personal data companies have about them – but only by sending requests, one at a time, to every company that’s ever held their information. These laws only work if you have vast swaths of time to do so, which, seriously, no one does.
There are ways to protect consumers’ data security. Instead of bad bills, states should:
In our scorecard, if a state did all of that, it’d get an A+.
California first passed the CCPA in 2018, and then made it stronger in 2020. Last year, it passed the DELETE Act, giving people the ability to tell hundreds of data brokers to delete their data with one push of a button.
Things California does well:
Things it could do better:
In 2024 Maryland passed the second strongest state privacy law in the country, the Maryland Online Data Privacy Act. Maryland legislators successfully pushed back against industry lobbying after multiple years of considering a data privacy law.
Things Maryland does well:
Things it could do better:
Colorado passed the Colorado Privacy Act in 2021. In 2024, the state amended its law to include slightly stronger protections for the data of minors 16 and under. In July 2024, Colorado residents gained the ability to download a special browser tool to automatically broadcast to websites they don’t want their data to be sold. (Read our guide on that here).
Things Colorado does well:
Things it could do better:
The governor signed New Jersey’s Data Privacy Law on Jan. 16, 2024. While it largely resembles Connecticut’s law, it made a couple key changes, including closing the HIPAA loophole that would have exempted health entities from having to follow the state’s privacy law at all.
Things New Jersey does well:
Things it could do better:
After working on data privacy for multiple years, the state Legislature passed the Minnesota Consumer Data Privacy Act in 2024. While this law largely still follows the Connecticut “model,” Minnesota made several key improvements, including limiting the number of industries exempt from the law.
Things Minnesota does well:
Things it could do better:
Passed in June 2023, the Oregon Consumer Privacy Act was the result of a working group led by the Oregon Attorney General’s office. Despite this, it still followed the Connecticut model, though Oregon did add some important protections – including minimizing the number of entities who were exempt from the law. In Jan. 2026, Oregon residents will be able to download a special browser tool to automatically broadcast to websites they don’t want their data to be collected. (Read our guide on that here).
Things Oregon does well:
Things it could do better:
The Delaware governor signed the Personal Data Privacy Act into law on Sept. 11, 2023. The legislature was pressured by industry groups to water it down to match Connecticut and Virginia.
Things Delaware does well:
Things it could do better:
Connecticut’s Data Privacy Act was first introduced in 2019 and originally included strong provisions such as a private right of action. The bill, however, was whittled down over time, making it more similar to Virginia’s failing law. In 2022, Connecticut’s bill was passed with a few additional provisions — such as requirements to honor global opt-out signals — making it a little stronger than Virginia. This bill has now become a favored piece of template legislation for lobbyists, particularly in bluer states.
A year after its original passage, Connecticut passed legislation amending the law to include heightened protections for kids and teens online and adding a category of sensitive data for “consumer health data.” It also banned targeted advertising to minors. The “Connecticut model” pushed by industry in other states does not include these updates.
Things Connecticut does well:
Things it could do better:
The New Hampshire privacy law was passed in January 2024. It’s largely modeled off Connecticut’s law with one notable improvement: it granted the state’s Attorney General some rulemaking authority.
Things New Hampshire does well:
Things it could do better:
Before Republican Sen. Daniel Zolnikov introduced the Consumer Data Privacy Act, a tech lobbyist told him the Connecticut model was too difficult for industry to comply with and that it would be better to introduce something closer to the weaker Virginia model. According to Politico, after Zolnikov heard the same lobbyist testify in Maryland — a blue state — that industry would be happy with a Connecticut model, he strengthened his bill.
Zolnikov has expressed frustration with being pushed to pass a weaker bill in Montana than in blue state counterparts. “I’m not an idiot,” Zolnikov said in an interview with Politico after the passage of his bill, directing his comments at the lobbyist. “And you treating us in Montana like a bunch of rural backwoods folks is quite an insult.”
Things Montana does well:
Things it could do better:
Rhode Island passed the Rhode Island Data Transparency and Privacy Protection Act in 2024.
What Rhode Island does well:
Things it could do better:
Texas passed the Texas Data Privacy and Security Act (TDPSA) in June 2023. It’s not a strong law. However, the AG’s enforcement of privacy violations (under TDPSA, the state’s data broker registry law, and unfair and deceptive practices statute) has made the state an enforcement leader. That’s not because Texas’ law is particularly strong, but because the AG’s team has been taking its enforcement strategy seriously. It’s been neat to see.
What Texas does well:
What it could do better:
While the TDPSA leaves a lot to be desired, in 2023 Texas enacted a pretty great data broker registry law. This will require data brokers – shadowy companies that specialize in harvesting and selling data – to register with the state. That’s a win for transparency. The next step? Maybe Texas will pass its own DELETE Act, and let consumers tell all those data brokers to delete their data with the click of one button.
Kentucky passed the weak Kentucky Consumer Data Protection Act in 2024 after multiple years considering a stronger law that would have given consumers the ability to sue companies for their violations. This law fails to give consumers meaningful protections.
Nebraska passed the Nebraska Data Privacy Act in 2024 and it went into effect Jan. 1, 2025. One bright spot is that Nebraska does allow consumers to use a special tool to automatically tell websites they don’t want their data sold (see our tips guide for how) – though that right comes with some limitations that other states, like Texas, don’t have. Other than that, Nebraska’s law fails to give consumers meaningful protections.
In 2021, Virginia became the 2nd state to pass a data privacy law. The original bill text was handed to the sponsor by an Amazon lobbyist, enshrining such industry-friendly measures it’s hard to say this bill does all that much for consumers. It’s gone on to be a favorite template of industry lobbyists across the country, pushing states to all match Virginia’s bad standard.
Indiana passed the Indiana Consumer Data Protection Act in May, 2023. Unfortunately, like with all of the other states that get a failing grade, it provides no meaningful privacy protections to consumers.
Tennessee passed the Tennessee Information Protection Act in May, 2023. Unfortunately, like with all of the other states that get a failing grade, it provides no meaningful privacy protections to consumers.
Utah passed the Utah Consumer Privacy Act in March, 2022. It started with a Virginia model, and then weakened it by making the law apply only to businesses making more than $25 million a year.
Unfortunately, like with all of the other states that get a failing grade, it provides no meaningful privacy protections to consumers.
Iowa passed the Iowa Data Privacy Act in March, 2023. It is the weakest law in the nation. Like with the other states that get a failing grade, it provides no meaningful privacy protections to consumers.
While the state of consumer data protection is not strong currently, the good news is nothing is permanent. Last year Maryland and Minnesota broke the pattern of weak laws passing. Very strong privacy bills with data minimization and a private right of action made good progress in Vermont and Maine, and are expected to return this session.
Even states that have passed imperfect laws can still improve. Amendments are always possible. A year after enacting the Connecticut Data Privacy Act, the state passed amendments to better protect health data and heighten protections for kids and teens online.
We think a part of the problem is that a lot of people don’t know this is happening. A lot of industry’s pull happens in backrooms or in hearings that don’t get much attention. We hope to help give state legislators a different place to look for support crafting state bills. And we hope to educate everyone about how to increase their personal security.
All states still have the ability to better protect their residents’ personal security.
R.J. focuses on data privacy issues and the commercialization of personal data in the digital age. Her work ranges from consumer harms like scams and data breaches, to manipulative targeted advertising, to keeping kids safe online. In her work at Frontier Group, she has authored research reports on government transparency, predatory auto lending and consumer debt. Her work has appeared in WIRED magazine, CBS Mornings and USA Today, among other outlets. When she’s not protecting the public interest, she is an avid reader, fiction writer and birder.
Ellen works on data privacy issues for PIRG's Don't Sell My Data campaign. Ellen lives in Chicago, where she enjoys reading, listening to podcasts and spending time with friends.