Nearly Half of State Privacy Laws Are Failing—Because Big Tech Wrote Them

The Report Card

The Electronic Privacy Information Center (EPIC) and U.S. PIRG Education Fund published "The State of Privacy," a comprehensive assessment grading all 14 states with comprehensive privacy laws. The results are damning.

California received the highest grade at B+. No state earned an A. Six states received outright failing grades: Texas, Indiana, Virginia, Utah, Tennessee, and Iowa. The remaining states landed somewhere in between, with none achieving what the researchers consider adequate consumer protection.

The grading criteria evaluated enforcement provisions, data risk assessment transparency, individual rights, restrictions on manipulative design, and how broadly each law defines personal data.

The Virginia Model: Written by Amazon

Every state with a comprehensive privacy law except California closely follows what researchers call the "Virginia model." According to a 2022 investigation by The Markup, this model was partially drafted by Amazon.

The numbers tell the story of industry influence. Across the 31 states that considered privacy bills in 2021 and 2022, 445 active lobbyists and firms representing Amazon, Meta, Microsoft, Google, Apple, and industry front groups worked to shape the legislation.

EPIC's Sara Geoghegan stated that Big Tech lobbyist involvement often results in "watered down bills," with some states' laws having "been written by Amazon and Big Tech."

What Makes These Laws Weak

The report identifies several patterns that make most state privacy laws ineffective:

• No private right of action: Most states do not allow individuals to sue companies for violations. Only the state attorney general can enforce the law, creating a bottleneck that limits accountability.
• Opt out instead of opt in: Companies can collect and sell your data by default. The burden falls on consumers to actively request that tracking stop, a process most people never complete.
• Broad exemptions: Many laws exempt entire categories of data or business activities, leaving significant gaps in coverage.
• Weak enforcement mechanisms: Even when violations are found, penalties are often too small to change corporate behavior.

Why California Stands Apart

California's B+ grade reflects its unique legislative history. The California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), were driven by ballot initiatives rather than industry friendly legislative processes. This gave consumer advocates significantly more influence over the final text.

California's law includes a private right of action for data breaches, stronger enforcement through a dedicated privacy agency, and broader definitions of personal information. It is not perfect, but it demonstrates what privacy legislation looks like when industry lobbyists do not control the drafting process.

What Strong Privacy Laws Should Include

According to the report, effective privacy legislation requires:

• Data minimization requirements that limit collection to what is strictly necessary
• Stringent regulations on health data, biometric information, and location tracking
• Civil rights protections enabling individuals to sue over discriminatory profiling
• Opt in consent models where companies must ask before collecting data
• Meaningful penalties that scale with company revenue

Illinois, Maine, Massachusetts, and Maryland are currently considering stronger legislation that could meaningfully constrain commercial surveillance.

What This Means for You

Unless you live in California, your state's privacy law probably is not protecting you the way you think it is. Companies continue collecting data about you without meaningful limits, tracking your online behavior, email reading habits, and location data through pixels and scripts embedded across the web.

Until legislators pass laws that genuinely prioritize consumer rights over corporate convenience, the most reliable privacy protection comes from the tools you choose to use. Blocking tracking pixels in your email, using privacy focused browsers, and limiting the data you share are steps you can take today, regardless of what your state legislature decides.