In late 2019, Utah state senator Kirk Cullimore got a phone call from one of his constituents, a lawyer who represented technology companies in California.
âHe said, âI think the businesses I represent would like to have some bright lines about what they can do in Utah,âââ Cullimore told The Markup.
At the time, tech companies in California were struggling with how they could comply with a new state law that gave individual Californians control over the data that corporations routinely gather and sell about their online activities.
The lawyer, whom Cullimore and his office wouldnât identify, recounted how burdensome his corporate clients found the rules, Cullimore remembered, and suggested that Utah proactively pass its own, business-friendly consumer privacy law.
âHe said, âI want to make this easy so consumers can make use of their rights and the compliance is also easy for companies. He actually sent me some suggested language [for a bill] that was not very complex,â Cullimore told The Markup. âI introduced the bill as that.â
What followed over the next two years was a multipronged influence campaign straight out of a playbook Big Tech is deploying around the country in response to consumer privacy legislation.
Itâs common for industries to lobby lawmakers on issues affecting their business. But there is a massive disparity in the state-by-state battle over privacy legislation between well-funded, well-organized tech lobbyists and their opposition of relatively scattered consumer advocates and privacy-minded politicians, The Markup has found.
During the 2021 and 2022 Utah legislative sessionsâwhen Cullimoreâs bill made its way through the legislatureâAmazon, Apple, Facebook, Google, and Microsoft collectively registered 23 active lobbyists in the state, according to their lobbying disclosures.
Thirteen of those lobbyists had never previously registered to work in the state, and some of them were influential in shaping Cullimoreâs legislation.
For example, when Cullimore introduced substitute language to his bill during a February hearing, he did so with the help of Anton van Seventer, a lobbyist for the State Privacy and Security Coalition, a nonprofit created by a handful of the nationâs biggest tech, retail, and advertising companies.
The only advocacy group that called for stronger consumer protections during public hearings for Utahâs privacy law was Consumer Reports.
In March, Utah governor Spencer Cox signed Cullimoreâs bill into lawâa clear victory for Big Tech and the strategy the industry has developed for confronting a growing threat to its business model.
We reviewed public hearing testimony, public comments, and lobbying records in all 31 states that have considered consumer data privacy legislation since 2021 and found a coordinated, nationwide campaign by Big Tech to mold the rules to its willâa demonstration of how powerful tech companies can be when they coalesce around a common agenda.
Not just in Utah, but in Virginia and Washington, and Minnesota, tech companies have provided draft language that led to the introduction of industry-friendly privacy bills, according to legislators The Markup interviewed and previous reporting by Protocol.
Big Tech funded nonprofits like TechNet, the State Privacy and Security Coalition, and the Internet Association have traveled from state to state encouraging legislators to âmirrorâ those industry-authored bills.
TechNet representatives, for example, have testified or supplied written comments on privacy bills in at least 10 states since 2021, more than any other organization, according to our analysis of state legislative records.
Lobbyists and lobbying firms in 31 states representing tech companies and organizations as those states considered privacy legislation.
And lobbyists have come in droves: We counted 445 lobbyists and lobbying firms that actively represented Amazon, Apple, Google, Meta, Microsoft, TechNet, and the State Privacy and Security Coalition in the 31 states we examined, during the time those statesâ legislatures were considering privacy legislation.
Many of them registered as lobbyists for the first time in the weeks immediately before or after a privacy bill was introduced.
Up-to-date lobbying information wasnât available in several states, so that tally is likely an undercount.
The companies arenât just employing similar tactics, theyâre employing the same peopleâ75 of the lobbyists we identified are affiliated with a single Sausalito, Californiaâbased firm, Politicom Law.
We found Politicom-affiliated lobbyists working on behalf of Apple, Google, Meta, and Microsoft in 21 states that have considered privacy legislation.
âFor a while, a lot of companies were hoping for a federal law that preempted everything,â said Justin Brookman, the director of privacy and technology policy for Consumer Reports, which has lobbied in favor of stronger consumer privacy protections in many states.
âBut given how things donât move at the federal level, weâve seen them deploy and more proactively push weak legislation.â
While the tactics vary by state, the message and the asks are clear: Big Tech wants laws that prohibit consumers from bringing private lawsuits against companies who break the rules, that narrowly define what constitutes âsellingâ data, and that require consumers to opt out of data collection and tracking on every website they visit rather than honoring what is known as a global opt-out.
Microsoft declined to comment for this story, while Apple and Amazon didnât respond to requests for comment. Google and Facebook both distanced themselves from the industry groups that they are members of.
âWe openly support a number of organizations advocating for policies that help consumers, and weâre clear that our sponsorship doesnât mean we endorse that organizationâs entire agenda,â Google spokesperson Matt Bryant said in a statement.
âWhile we actively participate in these discussions and believe collaborative problem solving is the best way to address a problem and have the greatest impact, we do not always agree with every policy or position that individual organizations or their leadership take,â Facebook spokesperson Andy Stone said.
âNew privacy laws should provide strong safeguards to consumers while also allowing the industry to continue to innovate,â TechNetâs vice president of state policy and government relations, David Edmonson, said in a statement.
âThe State Privacy & Security Coalition believes consumers deserve clear regulations that improve transparency and protect their data; and businesses need predictability and stability to properly implement privacy and security protections,â Andrew Kingman, the State Privacy and Security Coalition spokesperson, said in an email.
Writing the Rules
In 2021, Virginia became the second state after California to enact a consumer data privacy law.
The billâs chief sponsor, state senator Dave Marsden, told The Markup in an interview that the first draft of that legislation was written by an Amazon lobbyist. Protocol was the first to report that connection.
The industryâs influence over the language didnât stop there.
For example, Marsden told The Markup that he and his colleagues relied heavily on experts from the nonprofit Future of Privacy Forum for âneutral answering of questionsâ about data privacy while they were drafting the bill.
That neutral expertise, however, was funded largely by the tech industry.
The Future of Privacy Forum receives money from Amazon, Apple, Google, Facebook, and Microsoft, as well as industry groups like the Interactive Advertising Bureau and DLA Piper, the law firm behind the State Privacy and Security Coalition.
Nancy Levesque, a communications director for the Future of Privacy Forum, told The Markup that large tech companies only provide a âsmall percentageâ of the groupâs funding and that the nonprofit doesnât coordinate its policy activities with their funders.
âDonors do not set our policy agenda. FPF supports strong comprehensive privacy legislation,â she wrote in an emailed statement
But the Future of Privacy Forumâs supporters page shows that more than 75Â percent of the groupâs funders are tech companies.
And during 2020âthe most recent year for which such information is availableâ66Â percent of the groupâs grant and contribution revenue came from just two donors, according to the nonprofitâs audited financial statement.
The document does not identify the donors, and the organization didnât respond to requests for comments on who they were.
After the Virginia law passed, the Future of Privacy Forumâs senior counsel, Stacey Gray, also received a seat on a 10-member committee tasked with making recommendations for how the lawâwhich doesnât take effect until 2023âshould be implemented.
Also on the committee: Jim Halpert, the former general counsel of the State Privacy and Security Coalition, and Keir Lamont, from the Computer and Communications Industry Association. More than one-third of the CCIAâs members also fund the Future of Privacy Forum.
There were no representatives from consumer or privacy groups on the committee.
âWe got the business world behind it and to some people thatâs self-serving because the people most affected by it are the people who wrote it and what have you,â Marsden said. âBut there wasnât anybody else trying to write anything.â
Dominating the Public Debate
The signing of the Virginia Consumer Data Protection Act in April 2021 was a precedent-setting victory for Big Tech, and in the months since, the industryâs allies have crisscrossed the country urging other states to follow suit, according to The Markupâs review of public comments and hearing testimony.
In its public comment on Hawaiiâs proposed privacy legislation, the State Privacy and Security Coalition asked legislators to kill their data privacy bill because it didnât adhere closely enough to the Virginia model. Hawaiiâs privacy law hasnât seen any activity since February.
In Vermont, TechNet urged lawmakers to learn from âmore recent experiences in states like Virginiaâ rather than follow Californiaâs approach.
And in Minnesota, the Internet Association encouraged the legislature to âmirrorâ the Virginia law. Neither law has made it out of committee since.
In some cases, the representatives of these groups have been presented as neutral subject-matter experts to other lawmakers.
For example, when Minnesota lawmakers convened on Sept. 27, 2021, for a hearing on a proposed privacy bill, they listened to presentations from two experts that the billâs sponsor, Rep. Steve Elkins, had invited to speak.
The experts were Gray, from the Future of Privacy Forum, and Halpert, the former general counsel of the State Privacy and Security Coalition.
During their presentations, Gray did not discuss the funding Future of Privacy Forum receives from the tech industry and Halpert was listed only as a lawyer at DLA Piper.
In other cases, lawmakers may be under the impression that theyâre hearing from a diverse set of interested parties when, in reality, multiple groups are representing the same company.
For example, in Alaska, records show that Microsoft submitted public comments on the stateâs proposed privacy bill, and then so did the Software Alliance, a trade group that Microsoft founded.
Four other groups that Microsoft belongs toâThe Association of National Advertisers, the Digital Advertising Alliance, the Interactive Advertising Bureau, and the Network Advertising Initiativeâalso submitted public comments to Alaska lawmakers.
The law hasnât seen any movement since February.
The end result, privacy advocates say, is that theyâre being drowned out during public debates by Big Techâs network of lobbyists and nonprofits.
âThe number of people and types of organizations that are signing in to share their position on this bill really has often swayed lawmakers in making a decision on whether to vote for a bill, against the bill, or just ask important questions,â said Jennifer Lee, a technology and liberty project manager at the ACLU of Washington.
The Washington Privacy Act, which local privacy and consumer groups have vigorously fought, has failed to pass several years in a row but has been reintroduced each year.
Lobbying Behind the Scenes
The most opaque aspect of Big Techâs influence campaign has been the industryâs coordinated lobbying efforts.
Many states donât require lobbyists to disclose which legislation theyâve worked on or how they sought to influence it, but those that do provide a small window into how Big Tech operates.
When Colorado began considering a data privacy bill in 2021, tech lobbyists descended on the state.
Apple, Amazon, Facebook, Google, and Microsoft registered a combined 15Â lobbyists who reported working to influence the bill, according to their lobbying disclosures. It was a similar team to those Big Tech has deployed elsewhere.
About a third of the 16 Big Tech lobbyists who worked on the Colorado billâtwo employed by Facebook, two by Google, and one by Appleâare affiliated with Politicom Law, the California lobbying firm that The Markup found representing Big Tech companies on privacy bills across the country.
The Colorado lobbyists also included some of Big Techâs most prolific influencers, including Ron Barnes, Googleâs head of state legislative affairs, who registered as a lobbyist in five of the 31 states that have considered privacy legislation since 2021.
Only Joseph Dooley, a policy manager at Google, lobbied on behalf of Big Tech in as many of the states as Barnes, according to The Markupâs review of lobbying records.
Colorado governor Jared Polis signed the Colorado Privacy Act last July.
The secretive nature of lobbying work, combined with many statesâ weak transparency laws, make it impossible to quantify how Big Techâs lobbying blitz has shaped legislation. But privacy advocates say the sheer numbers are enough in some cases to overwhelm lawmakers.
âItâs just a numbers game,â said Maureen Mahoney, a former policy analyst for Consumer Reports who has testified on privacy bills in multiple states.
âIf you have one or two advocates that are saying, âI want a bunch of changes to these bills to push back against industry,â but youâve got 20 lobbyists telling you theyâre going to kill your bill unless you take this edit, legislators want their bills to move.â
That disparity has influenced how key legislators view the publicâs opinions on privacy.
âThe data privacy advocacy groups were totally unprepared and asleep at the switch as this legislation was going down,â Marsden, the sponsor of Virginiaâs law, told The Markup.
âI think the public is largely indifferent to data privacy things. Itâs just an annoyance that a lot of people are willing to put up with.â
Privacy groups say they havenât been asleep; they just canât fight the multi-state battle Big Tech is waging. And polling suggests Americans are concerned about their online privacy; they just donât know what to do about it.
âItâs been this coordinated national push to advance really weak privacy bills. Weâve definitely felt outnumbered,â Lee, from the ACLU of Washington, said. âThey have tremendous resources and time to really influence the conversations happening in the legislature.â
Correction
This story has been updated after an earlier version misstated the first name of Colorado governor Jared Polis.
By Todd Feathers and Alfred Ng
Also published here
Photo by Joakim Honkasalo on Unsplash