Ruffled by the industry’s lobbying efforts to weaken legislative privacy laws, D.C.-based nonprofit the Electronic Privacy Information Center (EPIC), is pushing for states to emulate a bipartisan federal privacy bill that was indefinitely stalled in Congress last year.

Lawmakers in Massachusetts, Illinois, Indiana and New York are modeling state privacy laws based on the American Data Privacy and Protection Act (ADPPA), according to Politico‘s report.

The hope is that a state version of the ADPPA creates an alternative to the industry’s push for weaker state privacy laws in California, Virginia, Utah, Colorado and Connecticut, according to Caitriona Fitzgerald, the deputy director at EPIC.

“While [the] industry complains to Congress of a ’50 state patchwork’ of state privacy laws, they are quietly pushing their version of what a privacy law should look like in an increasing number of states,” Fitzgerald said in a statement.

The existing patchwork of statewide laws brings massive compliance challenges to marketers. For example, the total compliance cost of California privacy law is estimated at $55 billion, about 1.8% of the Gross State Product (GSP), according to a Standardized Regulatory Impact Analysis. To build in further compliance with four more states whose laws vary to some degree is no easy feat, sources told Adweek. Meanwhile, the Federal Trade Commission is cracking down on businesses, especially mobile applications, that collect people’s geolocation data.

“Instead of five state regulators potentially looking at [businesses], you’ll [potentially] have 15,” said Gary Kibel, a privacy and data security lawyer at Davis and Gilbert.

Based on recent investigations of lobbying records, recordings of public testimony, and interviews with lawmakers, The Markup found how lobbying efforts weakened bills. The federal privacy bill, in its current form, was largely rejected by the ad industry for several reasons.

“Restrictions on first-party and third-party data and targeted advertising are why we opposed the federal law,” said Lartease Tiffith, evp for public policy at the IAB. “Furthering this patchwork of laws that consumers and businesses have to figure out and comply with is not good for the industry.”

A greater degree of signal loss

The ADPPA places tougher restrictions on businesses compared to existing privacy laws, such as in California. It gives people more control over their data, including the right to access, correct, and delete the data held by businesses. People can also object to businesses sharing their data with a third party or target ads toward them, further curtailing targeted advertising.

You see several complaints, particularly in Europe, about opt-in consent fatigue.

Alan Chapell, head of marketing consulting firm Chapell and Associates

The concern is that asking people for opt-in consent will lead to more significant signal loss among marketers.

“Anytime that you have to ask for permission, you’re going to have some signal loss,” said Alan Chapell, a lawyer and head of marketing consulting firm Chapell and Associates.

But, as we have seen across Europe, more consumer power doesn’t necessarily mean a better user experience.

“You see several complaints, particularly in Europe, about opt-in consent fatigue,” Chapell added.

Europe’s GDPR, based on people’s opt-in consent, saw a 12.5% drop in the intermediary consumers on sites as a result of this requirement, according to researchers who were studying the economic downside of GDPR.

Brands reevaluate data collection

While neither of the privacy proposals among the four states has been scheduled for a hearing, it’s a stark reminder for brands to reevaluate their sensitive data collection protocols, such as geolocation and health data.

The ADPPA provisions require heightened protections for sensitive data, prohibiting targeted advertising to children and teens, mitigating algorithmic discrimination and harm, and fostering greater transparency and accountability through impact assessment and executive certification. 

“While these changes would certainly drive disruption to current practices, they are also changes that are necessary to create a safer, more respectful online ecosystem which ultimately benefits marketers and consumers alike,” said Arielle Garcia, chief privacy officer at UM Worldwide.

Garcia said the ad industry should redirect the capital invested in lobbying against legislative efforts toward collaborating to establish self-governing standards and solutions.

“Rather than await or resist the inevitable change, it is incumbent upon the marketers to lead the charge in recalibrating industry norms,” she added.