A recent report reveals that nearly half of the state consumer privacy laws in the U.S. fail to provide adequate protection for individuals’ data, undermining consumer rights and making protections weaker than they were before the laws were enacted. The findings, based on an assessment conducted by two prominent advocacy organizations—the Electronic Privacy Information Center (EPIC) and U.S. PIRG Education Fund—show that eight of the 19 states with data privacy laws received failing grades. These states’ privacy laws are largely ineffective, allowing companies to continue collecting and using personal data without proper regulation or oversight.
While these laws are marketed as tools to protect consumer privacy, they fail to provide the level of security that was expected when they were passed.
The report praises two states, Maryland and California, for enacting strong data privacy laws that offer genuine consumer protection. Maryland’s recently passed law, in particular, is seen as a model for other states to follow. It limits the amount of data companies can collect, prohibits the sale of sensitive data, and bans the use of targeted advertising aimed at minors. This comprehensive framework has been touted as a step in the right direction, and lawmakers in Vermont, Massachusetts, and Maine are now working to draft similar laws that would mirror the protections offered in Maryland’s legislation. These states’ ongoing efforts are seen as crucial in strengthening consumer privacy laws across the country.
However, the report also highlights a significant issue: many state privacy laws are built on templates created by industry groups, which often prioritize the interests of businesses over consumers. The advocacy groups argue that these laws are often written in ways that provide little power for individuals to protect their privacy, despite claims that they are designed to do so. This structural flaw allows companies to continue their data collection practices with little regard for the privacy of consumers. As a result, while the laws are presented as consumer safeguards, they offer minimal real protection and fail to give individuals control over their own data.
To be effective, the report stresses that privacy laws must focus on several key areas: minimizing the amount of consumer data that companies collect, regulating the use of sensitive data, preventing consumer profiling based on collected data, and ensuring strong enforcement mechanisms. Unfortunately, the majority of the state privacy laws reviewed in the report fall short of these objectives. Of the 19 states profiled, 17 received grades of C+ or below, with none earning an A. This reflects the fact that most state privacy laws lack critical provisions necessary to safeguard consumer data and empower individuals to exercise their privacy rights fully. The report’s findings underscore the need for stronger, more effective data privacy protections at the state level to keep pace with the rapidly growing concerns surrounding consumer data security.