Mar 20, 2023

Tech Lobbyists Don’t Want States to Let You Sue Over Privacy Violations

Anna Edgerton, Bloomberg News

Fiber optic cables, center, and copper Ethernet cables feed into switches inside a communications room at an office in London, U.K., on Monday, May 21, 2018. The Department of Culture, Media and Sport will work with the Home Office to publish a white paper later this year setting out legislation, according to a statement, which will also seek to force tech giants to reveal how they target abusive and illegal online material posted by users. Photographer: Jason Alden/Bloomberg , Bloomberg

(Bloomberg) -- As soon as Kentucky’s legislative session opened this year, state Senator Whitney Westerfield re-introduced a data privacy bill to give consumers more control over personal information online.

He knew what would come next. Last year, when he introduced similar legislation, industry lobbyists swooped in with an alternative bill based on a business-friendly law enacted by Virginia. It didn’t advance in Kentucky but managed to sow doubt about his proposal, which foundered.

Westerfield, a Republican, spent weeks this year fending off industry-sponsored amendments, including one that would strip out the right of individuals to sue a technology company over violations. He reluctantly agreed to that change, and several others to make his measure more like Virginia’s law, and got the bill through the state Senate last week.

Whether legalizing marijuana, restricting abortion or setting emission standards for cars, states are increasingly the focus of lobbyists seeking to shape the national debate. If they succeed in watering down legislation in one state, they can hold it up as a model for others, and even the US Congress.

In the race to craft internet privacy rules, the industry’s preferred model is clearly Virginia’s, passed in 2021 with the heavy involvement of tech companies, including representatives from Amazon.com Inc. and Microsoft Inc. who testified at hearings. Roughly 20 states this year are considering privacy measures, joining Virginia and four others that already have them in place.

Read more: Tech Giants Broke Their Spending Records on Lobbying Last Year

The outcome could alter the data-driven business models of the online economy.

“The strategy is unquestionably to model Virginia. Everyone opposed to the bill as-is has said it,” Westerfield said, expressing frustration with oft-repeated industry talking points.

Virginia’s law leaves enforcement up to the commonwealth’s attorney general, instead of allowing individuals to sue over violations — something known as “private right of action.” This was one of the most stubborn obstacles last year on a federal privacy bill that received bipartisan support in a committee but failed to advance further amid against determined lobbying. Three of the biggest companies that weighed in, Amazon, Meta Platforms Inc. and Alphabet Inc.'s Google, spent nearly $50 million on lobbying at the federal level in 2022 on issues such as privacy and competition.

After the effort faltered in the US Congress, lobbyists shifted their firepower to the state capitals across the country, even offering proposed legislative language.

“We cannot support a bill that has a private right of action,” a coalition of industry groups wrote in a letter regarding Westerfield’s measure. “As more states look to adopt these types of comprehensive privacy laws, it is untenable to have 50 jurisdictions where litigation of any type can be initiated.”

That letter, sent to Kentucky’s state senators, was signed by tech groups such as NetChoice and the State Privacy and Security Coalition, as well as AT&T Corp., Target Corp. and Walgreens Boots Alliance Inc. and local associations for grocers, manufacturers and retail.

California is the only state whose comprehensive privacy law includes a private right of action, but it’s limited just to certain kinds of data breaches. Seven states, including Oregon, Washington and Hawaii, are considering bills this year with the provision.

Related story: Big Tech Divided and Conquered to Block Key Bipartisan Bills

“Any bill can give you this set of rights to know what’s being collected, to be able to withdraw your consent and to be able to delete it,” said Washington State Representative Shelley Kloba. “But if someone violates that right, and you have no way to go after it yourself, why, that’s not really a right. You have to have a remedy available.”

Kloba pushed her People’s Privacy Act for years, but an alternative version in the state Senate – which didn’t have a private right of action – gained momentum. While that Senate bill didn’t pass, it became the template for states such as Virginia.

Tech companies warn of the cost and complexity of complying with a patchwork of legislation in different states and defend the idea of standardizing bills.

“For lawmakers looking to not only have a piece of legislation that works, but have a piece of legislation that succeeds, they need only look to the successes in states like Virginia and Utah,” said Carl Szabo, general counsel for NetChoice, a tech industry group. Utah’s law, like Virginia’s, doesn’t permit individuals to sue violators.

Earlier: California’s Kids Code Complicates Federal Privacy Bill Talks

Justin Brookman, director of technology policy at Consumer Reports, which supports a stronger privacy standard, recognized the compliance challenges for tech companies and said he doesn’t have a problem with states coalescing around similar legislation as long as it provides adequate protections.

“But there are definitely versions of that model that are just giveaways to industry that are meant to just stave off more serious reform efforts,” he said.

That leaves state policymakers weighing the provisions they think are important – like a private right of action – against the changes necessary to get to a bill that can pass.

This is the question facing Oregon Attorney General Ellen Rosenblum, whose privacy task force spent years crafting the bill now before that state’s legislature. That measure includes a private right of action, which she said is an important tool for consumers. However, it has also drawn the most opposition.

“That’s always controversial,” Rosenblum said. “We’re still negotiating this one. It’s still a work in progress.”

Last year’s federal bill, the American Data Privacy and Protection Act, called for some restrictions on the private right of action, including a delay on implementation and a requirement to notify enforcement authorities before filing a civil action.

Brookman said keeping some degree of individual enforcement is essential for having a law that means anything.

“If we have rights then we should be able to protect them ourselves and not have to petition a regulator,” Brookman said. “A small attorney general’s office just doesn’t have the capacity to really police all of the privacy nonsense out there.”

Kentucky’s Westerfield said he offered to limit his private right of action so people could go to court and ask for an order to stop the offending behavior but not seek compensation — an effort he said would avoid a “trial-bar bonanza.”

But ultimately he realized that even that pared-down enforcement mechanism would still draw enough industry opposition to prevent the bill from passing so he agreed to leave it out. He said the bill's prospects in the state House are "not hopeless, but slim," even without private right of action.

“The Constitution created the courts for redress of grievances, and I think it’s bad form for us to limit the use of courts,” Westerfield said. “But if I put in a full-blown private right of action, the bill stands no chance.”

--With assistance from Jennah Haque.