

With More States Passing Privacy Legislation, Pressure for Federal Preemption Law Grows

Emerging state-level privacy bills have common threads with existing ones in California, Colorado and Virginia.



Photo of Utah Gov. Spencer Cox from February 2018

WASHINGTON, March 30, 2022 – As the federal government has yet to set comprehensive privacy legislation, states going their own way are finding some success following the California, Colorado, and Virginia consumer protection models.

Despite repeated calls from experts to address concerns surrounding consumer protection laws related to privacy, Congress has still not passed any legislation that would set a single federal standard that Big Tech companies would have to adhere to.

Laura Ripso Vandruff, a partner with Kelley Drye – a law firm that handles consumer class action defenses, real estate, and manufacturing law – said during an event hosted by the firm on Thursday that emerging state-level privacy bills have common threads with existing ones. The longer the federal government delays addressing privacy legislation, the greater the burden of compliance will be for companies.

California, Colorado, and Virginia have successfully implemented their own laws; Utah’s legislature has sent a bill to Republican Gov. Spencer Cox to sign into law; and Oklahoma’s congressional House voted overwhelmingly in favor of a privacy law that will now pass to the Senate.

Florida, Massachusetts, New York, and Connecticut are some of the states that are also working on bills to address consumer privacy, though they have not gained as much momentum.

“The bills that are being introduced and that have some traction are not necessarily copycat bills, but they have many common elements [with California, Colorado, and Virginia’s laws],” Kelley Drye partner Laura Ripso Vandruff said. “Things like opt-in for processing of sensitive data, opt-out for targeted advertising, [and] sales profiling. So, new consumer rights for access, affordability, deletion, correction, exclusion, categories of data or even categories of entities,” Ripso Vandruff said. She also pointed to private right of action, meaning that private citizens could seek punitive damages to compensate them against companies that violated their privacy rights.

Paul Singer, also a partner with Kelley Drye, noted that the bills that attempt more original strategies experience less success when it comes time to vote on them. “I think we are seeing that the bills that take some of these more unique approaches are the ones that tend to be kind of stalling out, whereas the ones that are following some of the similar trends that we saw in Virginia and Utah are the ones that seem to be moving.”

Patchwork of privacy legislation will be challenge

But Singer said the longer the federal government delays addressing privacy legislation, the greater the burden of compliance will be for companies.

“As more state laws pass, [the more you are] dealing with a patchwork [of laws],” Singer said. “Trying to figure out compliance among these laws is going to get increasingly challenging as you go from four laws, to 14, to 40.”

Status of state legislation in progress

The New York Privacy Act, which would impose a distinctive duty of loyalty and care on companies collecting consumer data and call for regular data protection assessments, at least annually, is stuck in committee. Though there is still time, as New York’s legislative session does not adjourn until June, the bill has made little progress; it failed to pass in the 2021 legislative session and was reintroduced in January of 2022.

Tennessee’s legislative session ended before it could pass its bill, which featured a unique “safe harbor” clause for entities in compliance with the NIST Privacy Framework. This would protect entities that reasonably comply with the NIST framework, but this clause has specifically faced push-back from entities such as Common Sense Media, who have argued that the framework should not be viewed as an alternative to the privacy bill, as it does not provide enough guidance to companies on how to responsibly handle consumer data.

Florida’s House Bill 9 is not advancing at this time, though it did pass in the House on March 2. This delay is likely in part due to its broad private right of action rules that would give citizens wide-ranging opportunities to pursue damages – as opposed to California’s narrowly defined private right of action which only would allow its citizens to seek damages in the event of data breaches. Florida’s private right of action would allow consumers to file suit against companies for a few reasons, including not deleting consumers’ data upon request, sharing or selling consumers’ data after a consumer has opted out, or sharing or selling the data of a consumer who is less than 16 years old, without consent.

Though some bills have met resistance, Singer added that consumers should not be too discouraged by partisan politics. “Do not assume that privacy is a partisan issue,” he said, pointing to Utah’s bill as an example of bipartisan success. “The reality is, is that privacy and the issues underlying is both a very Republican and a very Democratic issue, but maybe for different reasons.”

Singer explained that Republicans are often more concerned about how mass data collection can be used to manipulate consumers, whereas Democrats are often specifically concerned about the potential damage mass data collection can have on young people.

“Ultimately, they are getting at some of the same underlying issues with two different objectives, perhaps that have a lot of overlap, and it is going to continue to be that way.”


Led by Wyden, Democrats Call on NTIA to Reform Privacy Standards for .US Domains

The Democratic legislator called on NTIA to end the automatic disclosure of .US web domain users’ personal information.



Photo of Sen. Ron Wyden, D-Ore., obtained from Flickr

WASHINGTON, September 21, 2022 – A bicameral coalition led by Sen. Ron Wyden, D-Ore., on Wednesday called on the National Telecommunications and Information Administration to end the automatic disclosure of .US web domain users’ sensitive personal information.

The all-Democrat coalition – including Sen. Elizabeth Warren, D-Mass.; Sen. Brian Schatz, D-Hawaii; and Rep. Anna Eshoo, D-Calif. – laid out its concerns Wednesday in a letter to Administrator Alan Davidson of the NTIA:

“It is highly concerning that NTIA, since at least 2005, has not directed its contractors administering .US to adopt any protections for this sensitive information. The automatic public disclosure of users’ personal information puts them at enhanced risk for becoming victims of identity theft, spamming, spoofing, doxxing, online harassment, and even physical harm,” the coalition wrote.

Rejecting the NTIA’s current disclosure policy, the coalition called anonymity “a necessary component of free speech” and argued that with better privacy protections, .US domains would be more attractive to new website creators.

Besides making .US users’ information private, the letter recommends requiring users’ “affirmative, informed consent” for all third-party data transfers, strengthening barriers against law-enforcement investigations, and notifying users if a foreign government seeks access to their data. The coalition stated that instituting stronger privacy measures wouldn’t increase rates of online crime.

“A privacy-protective .US should support NTIA in these negotiations by providing a model for best practices in the broader domain name ecosystem. We urge you to continue the fight for privacy, expression, and human rights,” the letter said.



EU’s Digital Services Act May Be a Model for the United States

The Digital Services Act imposes transparency requirements and other accountability measures for tech platforms.



Photo of Mathias Vermeulen, public policy director at the AWO Agency, obtained from Flickr.

September 16, 2022 – The European Union’s Digital Services Act, particularly its data-sharing requirements, may become the model for future American tech policy, said Mathias Vermeulen, public policy director at the AWO Agency, at a German Marshall Fund web panel Monday.

Now in the final stages of becoming law, the DSA aims to create a safer internet by introducing transparency requirements and other accountability measures for covered platforms. Of note to the German Marshall Fund panelists was the DSA’s provision that, when cleared by regulators, “very large online platforms” – e.g., Facebook and Twitter – must provide data to third-party researchers for the purpose of ensuring DSA compliance.

In addition, the EU’s voluntary Code of Practice on Disinformation was unveiled in June, requiring opted-in platforms to combat disinformation by introducing bot-elimination schemes, demonetizing sources of alleged misinformation, and labeling political advertisements, among other measures. Signatories of the Code of Practice – including American tech giants Google Search, LinkedIn, Meta, Microsoft Bing, and Twitter – also agreed to proactively share data with researchers.

Vermeulen said that he expects the EU will soon draft new legislation to address the privacy concerns raised by the Digital Services Act’s data-sharing requirements.

The risks of large-scale data sharing

To protect user privacy, the DSA requires data handed over to researchers to be anonymized. Many experts believe that “anonymous” data is generally traceable to its source, however. Even the EU’s recommendations on data-anonymization best practices acknowledge the inherent privacy risks:

“Data controllers should consider that an anonymised dataset can still present residual risks to data subjects. Indeed, on the one hand, anonymisation and re-identification are active fields of research and new discoveries are regularly published, and on the other hand even anonymised data, like statistics, may be used to enrich existing profiles of individuals, thus creating new data protection issues.”

An essay from the Brookings Institution – generally supportive of the DSA’s data-sharing provisions – argues that many private researchers do not have the experience necessary to securely store sensitive data, recommending that the EU Commission establish or subsidize secure centralized databases.


Expert Opinion

Jeff Pulver and Noah Rafalko: A Humble Request to the FCC on Robocalls

Blocking bad actors requires a whole new way of thinking, the authors say in this ExpertOp exclusive to Broadband Breakfast.



The authors of this Expert Opinion are Jeff Pulver (left), an innovator in VoIP, and Noah Rafalko, a pioneer in TNID.

Should the Federal Communications Commission seek out alternative platforms to solve their 2022 spam, scam and robocall issues? Yes! Does Blockchain offer valuable solutions? Yes! We would like to ask the FCC to increase the width of their lens when it comes to deploying solutions to solve their growing number of systemic challenges.

Any action to stop robocall insanity and tech-driven scams would be welcome. While Americans deal with the lingering pandemic, mass shootings, an uncertain economy and war in Europe, the constant annoyance from scammers and 4.1 billion robocalls a month is just too much. Most people have responded by literally giving up voice communications altogether.

Recently implemented legislation called STIR/SHAKEN is a step in the right direction, but it is not a long-term solution. The FCC is simply taking old standards and applying them to new technologies. New thinking is needed; the next generation of technology must be explored. And the most promising of the new tools to protect our telecommunications system from fraudulent players lies in blockchain.

The key to stopping these nefarious acts lies in a digital identity solution powered by blockchain – a shared database or ledger. An identity solution enables customers to be confident that the communication is truly from enterprises they know and trust.

With blockchain, only authorized and verified messages get through. Spam and robocalls are virtually eliminated in one shot. All that’s required is a slight change in how we approach communications.

In a world where consumers are already doing whatever they can to self-manage their identity, it isn’t a large leap of faith to imagine adding a certified, digital ID to our telephone numbers.

Consumers freely use their telephone numbers to attest and manage their identity – even more than they use their Social Security numbers, birthdays, mother’s maiden name and secret questions. In our current digital universe, consumers use their phone numbers to register for store discounts, receive health and safety alerts and even transfer money to others.

And in their effort to stop spam and robocalls, consumers willingly add apps such as Hiya, paying over $300 million a year to these intermediaries.

The FCC needs to evolve and embrace the technology that allows consumers and mobile carriers who have a shared stake in attesting their identities. They need to recognize that blockchain technology offers an elegant, all-encompassing solution to the $40 billion in fraud that consumers fall victim to every year.

It’s time we leveraged a solution that’s already being used in other countries such as India, where blockchain technology helps protect over 600 million citizens from spam and robocalls.

Back in 2004, when the future of telecommunications was being written, the FCC was challenged with laying down rules governing Voice over Internet Protocol (VoIP). At that time, we hosted brown-bag lunches for Congress, and held open demonstration days at the FCC as well as a mini-trade show on the Hill in our effort to inform and educate Congress, staffers and other government employees on the latest and greatest innovations in Internet communications technology.

The FCC would be wise to revisit this practice of show and tell where they hear from the innovators of new game-changing technologies that can solve their biggest concerns. It certainly is wiser than simply taking advice handed down from lobbyists and relying on legislation that’s severely limited and unenforceable.

When the FCC uses its influence to investigate and embrace new and innovative technologies, they can finally make significant headway in restoring trust in the quality of service associated with our communications.

Jeff Pulver is an innovator in the field of Voice over Internet Protocol (VoIP). He was instrumental in changing how the FCC classified VoIP in 2004, paving the way for the development of video and voice internet communications. The co-founder of Vonage, Jeff has invested in over 400 start-ups. 

Noah Rafalko is a pioneer in TNID (Telephone Number ID), a blockchain solution that restores trust in communications. Noah is founder and CEO of TSG Global, Inc. which provides voice, messaging and identity management services for SaaS companies and large enterprises. This piece is exclusive to Broadband Breakfast.

Broadband Breakfast accepts commentary from informed observers of the broadband scene. Please send pieces to The views reflected in Expert Opinion pieces do not necessarily reflect the views of Broadband Breakfast and Breakfast Media LLC.


