This International Privacy Day, Choosing Hope Over Despair
Fighting for privacy rights has always been an uphill battle, perhaps now more than ever. Despite periodic moments of public outcry over abuses of state and corporate power enabled by egregious data practices (and decades of bipartisan lip service to the importance of “protecting privacy”), Congress has repeatedly failed to pass comprehensive privacy legislation. In the past several years, we have seen two good-faith, bipartisan efforts flounder, with both the American Data Privacy and Protection Act (ADPPA, in 2022) and the American Privacy Rights Act (APRA, in 2024) showing promise and making progress but ultimately failing.
In the 119th Congress, the relevant committee chairs in both chambers have signaled interest in advancing weak, industry-friendly bills that would do little more than entrench the status quo and could potentially strip states of their own privacy authority. And alarmingly, in his first week in office, President Trump terminated the Democratic members of the Privacy and Civil Liberties Oversight Board, leaving it without the quorum necessary to commence investigations and issue reports that are crucial to protecting civil liberties in governmental anti-terrorism programs. Removing these commissioners also jeopardizes cross-border data flows governed by the EU-U.S. Data Privacy Framework.
The new administration and Congressional leaders may scrap prior federal, bipartisan progress on privacy. But the privacy fight continues to be important and is far from over. Despite the adverse national political terrain, there are several promising privacy fronts in 2025, notably at the state level and in the world of technical standards.
While the states have generally been underwhelming in protecting privacy, new efforts are underway to help states pass better privacy laws. Last year, Maryland passed the country’s first privacy law with meaningful data minimization requirements, and we are seeing more such bills being introduced. CDT has supported two model comprehensive state privacy bills from our partners at the Electronic Privacy Information Center (EPIC) and Consumer Reports that both include strong, common-sense privacy protections — one modeled after the ADPPA, and another containing a stronger version of the Connecticut standard.
Further, as more state laws come into effect, we expect more state-based enforcement. For instance, even though Texas’ privacy law could be stronger, the state has begun aggressively enforcing it, notably through the Texas Attorney General’s privacy and security initiative. The office recently announced an enforcement action against Allstate and Arity for allegedly collecting location data without consent and using it to justify increasing insurance premiums. The office also launched an investigation into a variety of companies for data practices related to children, and settled a case with Meta under its biometric privacy law for $1.4 billion.
California, as the first state to pass a comprehensive privacy law, has also enforced that law, including through settlements with DoorDash for failing to disclose it sold consumer data and failing to provide the required opt-outs, and with Sephora for failing to disclose that it sold consumer data and failing to process user opt-outs through the required global privacy controls. Other states with laws already in effect, or coming into effect this year, should plan to follow these examples and make clear that privacy is a priority. Meanwhile, more and more states are enacting laws to protect privacy from AI surveillance tools such as facial recognition. America’s “laboratories of democracy” are doing their part; should the 119th Congress choose to tackle comprehensive privacy, it should take care to bolster state efforts, not undermine them.
This Congress will also be required to take on an important privacy fight related to government surveillance with Section 702 of the Foreign Intelligence Surveillance Act, set to expire next spring. Last year, Congress came just one vote short of passing a critical warrant rule for this law, and a district court recently ruled that warrantless queries were unconstitutional.
At the World Wide Web Consortium (W3C), a new Privacy Working Group (which CDT helped establish) is working to standardize the Global Privacy Control (GPC), a browser setting that will allow web users to “flip a switch” to request their information not be sold or shared with others. The GPC is particularly relevant for residents of jurisdictions where individuals have the right to opt out of data collection, processing, or sales under certain circumstances. Technical solutions like GPC enable people to exercise these privacy rights in a way that avoids overwhelming individuals with site-by-site or app-by-app requests. California and Colorado already have a mandatory requirement for websites to respect GPC signals, and Connecticut, Texas, Oregon, and others will in the future. The California legislature is poised for another effort to legally require browser and mobile device companies to support sending a GPC signal, a requirement that Governor Gavin Newsom vetoed in 2024 (AB 3048). (Currently, none of the market-leading browsers supports GPC, so exercising an opt-out right involves additional work to install an extension or switch software for most web users.)
Privacy matters not only for its own sake, but because it is an enabling right without which other fundamental civil and human rights are at greater risk. In a world where virtually all human behavior can create a data trail, and in a country where there is very little to prevent either government or private actors from using data to their own ends, CDT remains steadfast in its commitment to privacy.