By: Todd Feathers and Alfred Ng In late 2019, Utah state senator Kirk Cullimore got a phone call from one of his constituents, a lawyer who represented technology companies in California. “He said, ‘I think the businesses I represent would like to have some bright lines about what they can do in Utah,’ ” Cullimore told The Markup. At the time, tech companies in California were struggling with how they could comply with a new state law that gave individual Californians control over the data that corporations routinely gather and sell about their online activities. The lawyer, whom Cullimore and his office wouldn’t identify, recounted how burdensome his corporate clients found the rules, Cullimore remembered, and suggested that Utah proactively pass its own, business-friendly consumer privacy law. “He said, ‘I want to make this easy so consumers can make use of their rights and the compliance is also easy for companies. He actually sent me some suggested language [for a bill] that was not very complex,” Cullimore told The Markup. “I introduced the bill as that.” What followed over the next two years was a multipronged influence campaign straight out of a playbook Big Tech is deploying around the country in response to consumer privacy legislation. It’s common for industries to lobby lawmakers on issues affecting their business. But there is a massive disparity in the state-by-state battle over privacy legislation between well-funded, well-organized tech lobbyists and their opposition of relatively scattered consumer advocates and privacy-minded politicians, The Markup has found. For example, when Cullimore introduced substitute language to his bill during a February hearing, he did so with the help of Anton van Seventer, a lobbyist for the State Privacy and Security Coalition, a nonprofit created by a handful of the nation’s biggest tech, retail, and advertising companies. The only advocacy group that called for stronger consumer protections during public hearings for Utah’s privacy law was Consumer Reports. In March, Utah governor Spencer Cox signed Cullimore’s bill into law—a clear victory for Big Tech and the strategy the industry has developed for confronting a growing threat to its business model. We reviewed public hearing testimony, public comments, and lobbying records in all 31 states that have considered consumer data privacy legislation since 2021 and found a coordinated, nationwide campaign by Big Tech to mold the rules to its will—a demonstration of how powerful tech companies can be when they coalesce around a common agenda. Not just in Utah, but in Virginia and Washington, and Minnesota, tech companies have provided draft language that led to the introduction of industry-friendly privacy bills, according to legislators The Markup interviewed and previous reporting by Protocol. Big Tech funded nonprofits like TechNet, the State Privacy and Security Coalition, and the Internet Association have traveled from state to state encouraging legislators to “mirror” those industry-authored bills. TechNet representatives, for example, have testified or supplied written comments on privacy bills in at least 10 states since 2021, more than any other organization, according to our analysis of state legislative records. Up-to-date lobbying information wasn’t available in several states, so that tally is likely an undercount. The companies aren’t just employing similar tactics, they’re employing the same people—75 of the lobbyists we identified are affiliated with a single Sausalito, California–based firm, Politicom Law. We found Politicom-affiliated lobbyists working on behalf of Apple, Google, Meta, and Microsoft in 21 states that have considered privacy legislation. “For a while, a lot of companies were hoping for a federal law that preempted everything,” said Justin Brookman, the director of privacy and technology policy for Consumer Reports, which has lobbied in favor of stronger consumer privacy protections in many states. “But given how things don’t move at the federal level, we’ve seen them deploy and more proactively push weak legislation.” While the tactics vary by state, the message and the asks are clear: Big Tech wants laws that prohibit consumers from bringing private lawsuits against companies who break the rules, that narrowly define what constitutes “selling” data, and that require consumers to opt out of data collection and tracking on every website they visit rather than honoring what is known as a global opt-out. “We openly support a number of organizations advocating for policies that help consumers, and we’re clear that our sponsorship doesn’t mean we endorse that organization’s entire agenda,” Google spokesperson Matt Bryant said in a statement. “While we actively participate in these discussions and believe collaborative problem solving is the best way to address a problem and have the greatest impact, we do not always agree with every policy or position that individual organizations or their leadership take,” Facebook spokesperson Andy Stone said. “New privacy laws should provide strong safeguards to consumers while also allowing the industry to continue to innovate,” TechNet’s vice president of state policy and government relations, David Edmonson, said in a statement. “The State Privacy & Security Coalition believes consumers deserve clear regulations that improve transparency and protect their data; and businesses need predictability and stability to properly implement privacy and security protections,” Andrew Kingman, the State Privacy and Security Coalition spokesperson, said in an email.
Writing the rules
The industry’s influence over the language didn’t stop there. For example, Marsden told The Markup that he and his colleagues relied heavily on experts from the nonprofit Future of Privacy Forum for “neutral answering of questions” about data privacy while they were drafting the bill. That neutral expertise, however, was funded largely by the tech industry. Nancy Levesque, a communications director for the Future of Privacy Forum, told The Markup that large tech companies only provide a “small percentage” of the group’s funding and that the nonprofit doesn’t coordinate its policy activities with their funders. “Donors do not set our policy agenda. FPF supports strong comprehensive privacy legislation,” she wrote in an emailed statement But the Future of Privacy Forum’s supporters page shows that more than 75 percent of the group’s funders are tech companies. And during 2020—the most recent year for which such information is available—66 percent of the group’s grant and contribution revenue came from just two donors, according to the nonprofit’s audited financial statement. The document does not identify the donors, and the organization didn’t respond to requests for comments on who they were. After the Virginia law passed, the Future of Privacy Forum’s senior counsel, Stacey Gray, also received a seat on a 10-member committee tasked with making recommendations for how the law—which doesn’t take effect until 2023—should be implemented. Also on the committee: Jim Halpert, the former general counsel of the State Privacy and Security Coalition, and Keir Lamont, from the Computer and Communications Industry Association. More than one-third of the CCIA’s members also fund the Future of Privacy Forum. There were no representatives from consumer or privacy groups on the committee. “We got the business world behind it and to some people that’s self-serving because the people most affected by it are the people who wrote it and what have you,” Marsden said. “But there wasn’t anybody else trying to write anything.”
Dominating the public debate
The signing of the Virginia Consumer Data Protection Act in April 2021 was a precedent-setting victory for Big Tech, and in the months since, the industry’s allies have crisscrossed the country urging other states to follow suit, according to The Markup’s review of public comments and hearing testimony. In its public comment on Hawaii’s proposed privacy legislation, the State Privacy and Security Coalition asked legislators to kill their data privacy bill because it didn’t adhere closely enough to the Virginia model. Hawaii’s privacy law hasn’t seen any activity since February. In Vermont, TechNet urged lawmakers to learn from “more recent experiences in states like Virginia” rather than follow California’s approach. And in Minnesota, the Internet Association encouraged the legislature to “mirror” the Virginia law. Neither law has made it out of committee since. In some cases, the representatives of these groups have been presented as neutral subject-matter experts to other lawmakers. For example, when Minnesota lawmakers convened on Sept. 27, 2021, for a hearing on a proposed privacy bill, they listened to presentations from two experts that the bill’s sponsor, Rep. Steve Elkins, had invited to speak. The experts were Gray, from the Future of Privacy Forum, and Halpert, the former general counsel of the State Privacy and Security Coalition. During their presentations, Gray did not discuss the funding Future of Privacy Forum receives from the tech industry and Halpert was listed only as a lawyer at DLA Piper. In other cases, lawmakers may be under the impression that they’re hearing from a diverse set of interested parties when, in reality, multiple groups are representing the same company. For example, in Alaska, records show that Microsoft submitted public comments on the state’s proposed privacy bill, and then so did the Software Alliance, a trade group that Microsoft founded. Four other groups that Microsoft belongs to—The Association of National Advertisers, the Digital Advertising Alliance, the Interactive Advertising Bureau, and the Network Advertising Initiative—also submitted public comments to Alaska lawmakers. The law hasn’t seen any movement since February. The end result, privacy advocates say, is that they’re being drowned out during public debates by Big Tech’s network of lobbyists and nonprofits. “The number of people and types of organizations that are signing in to share their position on this bill really has often swayed lawmakers in making a decision on whether to vote for a bill, against the bill, or just ask important questions,” said Jennifer Lee, a technology and liberty project manager at the ACLU of Washington. The Washington Privacy Act, which local privacy and consumer groups have vigorously fought, has failed to pass several years in a row but has been reintroduced each year.
Lobbying behind the scenes
The most opaque aspect of Big Tech’s influence campaign has been the industry’s coordinated lobbying efforts. Many states don’t require lobbyists to disclose which legislation they’ve worked on or how they sought to influence it, but those that do provide a small window into how Big Tech operates. When Colorado began considering a data privacy bill in 2021, tech lobbyists descended on the state. About a third of the 16 Big Tech lobbyists who worked on the Colorado bill—two employed by Facebook, two by Google, and one by Apple—are affiliated with Politicom Law, the California lobbying firm that The Markup found representing Big Tech companies on privacy bills across the country. The Colorado lobbyists also included some of Big Tech’s most prolific influencers, including Ron Barnes, Google’s head of state legislative affairs, who registered as a lobbyist in five of the 31 states that have considered privacy legislation since 2021. Only Joseph Dooley, a policy manager at Google, lobbied on behalf of Big Tech in as many of the states as Barnes, according to The Markup’s review of lobbying records. Colorado governor Jay Polis signed the Colorado Privacy Act last July. The secretive nature of lobbying work, combined with many states’ weak transparency laws, make it impossible to quantify how Big Tech’s lobbying blitz has shaped legislation. But privacy advocates say the sheer numbers are enough in some cases to overwhelm lawmakers. “It’s just a numbers game,” said Maureen Mahoney, a former policy analyst for Consumer Reports who has testified on privacy bills in multiple states. “If you have one or two advocates that are saying, ‘I want a bunch of changes to these bills to push back against industry,’ but you’ve got 20 lobbyists telling you they’re going to kill your bill unless you take this edit, legislators want their bills to move.” That disparity has influenced how key legislators view the public’s opinions on privacy. “The data privacy advocacy groups were totally unprepared and asleep at the switch as this legislation was going down,” Marsden, the sponsor of Virginia’s law, told The Markup. “I think the public is largely indifferent to data privacy things. It’s just an annoyance that a lot of people are willing to put up with.” Privacy groups say they haven’t been asleep; they just can’t fight the multi-state battle Big Tech is waging. And polling suggests Americans are concerned about their online privacy; they just don’t know what to do about it. “It’s been this coordinated national push to advance really weak privacy bills. We’ve definitely felt outnumbered,” Lee, from the ACLU of Washington, said. “They have tremendous resources and time to really influence the conversations happening in the legislature.” This article was originally published on The Markup and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.