With the looming presidential election, a United States Supreme Court majority that is hostile to civil rights, and a conservative effort to rollback AI safeguards, strong state privacy laws have never been more important.

But late last month, efforts to pass a federal comprehensive privacy law died in committee, leaving the future of privacy in the US unclear. Who that future serves largely rests on one crucial issue: the preemption of state law.

On one side, the biggest names in technology are trying to use their might to force Congress to override crucial state-level privacy laws that have protected people for years.

On the other side is the American Civil Liberties Union and 55 other organizations. We explained in our own letter to Congress how a federal bill that preempts state law would leave millions with fewer rights than they had before. It would also forbid state legislatures from passing stronger protections in the future, smothering progress for generations to come.

Preemption has long been the tech industry’s holy grail. But few know its history. It turns out, Big Tech is pulling straight from the toxic strategy that Big Tobacco used in the 1990s…

  • chicken@lemmy.dbzer0.com
    link
    fedilink
    arrow-up
    3
    ·
    edit-2
    2 days ago

    In 2022, industry front groups co-signed a letter to Congress arguing that “[a] growing patchwork of state laws are emerging which threaten innovation and create consumer and business confusion.” In 2024, they were at it again this Congress, using the term four times in five paragraphs.

    Big Tobacco did the same thing.

    Is this really a fair comparison though? A variety of local laws about smoking in restaurants makes sense because restaurants are inherently tied to their physical location. A restaurant would only have to know and follow the rules of their town, state and country, and the town can take the time to ensure that its laws are compatible with the state and country laws.

    A website is global. Every local law that can be enforced must be followed, and the burden isn’t on legislators to make sure their rules are compatible with all the other rules. Needing to make a subtly different version of a website to serve to every state and country to be in full compliance with all their different rules, and needing to have lawyers check over all of them would create a situation where the difficulty and expense of making and maintaining a website or other online service is prohibitive. That seems like a legitimate reason to want unified standards.

    To be fair there are plenty of privacy regulations that this wouldn’t apply to, like the example the article gives of San Francisco banning the use of facial recognition tech by police. But the industry complaint linked in the article references laws like https://www.oag.ca.gov/privacy/ccpa and https://leg.colorado.gov/bills/sb21-190 that obligate websites to fulfill particular demands made by residents of those states respectively. Subtle differences in those sorts of laws seems like something that could cause actual problems, unlike differences in smoking laws.

    • ReversalHatchery@beehaw.org
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 day ago

      Needing to make a subtly different version of a website to serve to every state and country to be in full compliance

      do they need to? I don’t think so. they could just follow privacy best practices everywhere, if they can’t afford to do whatever they want with user and visitor data.

      they don’t want this solution, however, but in my understanding instead to force every state to have weaker privacy laws

      • chicken@lemmy.dbzer0.com
        link
        fedilink
        arrow-up
        1
        ·
        19 hours ago

        do they need to? I don’t think so.

        Why not? How can you be sure that all these laws are going to be about all the same things and not have many tricky edge cases? What would keep them from being like that? Again, these laws give unique rights to residents of their respective states to make particular demands of websites, and they aren’t copy pastes of each other. There’s no documented ‘best practices’ that is guaranteed to encompass all of them.

        they don’t want this solution, however, but in my understanding instead to force every state to have weaker privacy laws

        I can’t speak to what they really want privately, but in the industry letter linked in the article, it seems that the explicit request is something like a US equivalent of the GDPR:

        A national privacy law that is clear and fair to business and empowering to consumers will foster the digital ecosystem necessary for America to compete.

        To me that seems like a pretty sensible thing to be asking for; a centrally codified set of practices to avoid confusion and complexity.