What Marsden did not tell his colleagues was this: Amazon had personally referred him to the Future of Privacy Forum, and had disclosed to him that it financed the nonprofit. The bill under discussion — the Virginia Consumer Data Protection Act — had been drafted not by Marsden, not by his staff, not by any consumer advocate, but by Meade Spoots, a contract lobbyist working for Amazon. Spoots had handed the finished legislation to Marsden’s office. On that same day, Amazon’s policy manager Bill Way testified in support of the very bill that his employer had written, praising it for making Virginia “a leader in consumer privacy.”
Virginia’s law passed both legislative chambers and was signed into law less than six weeks after it was introduced. It has since traveled to more than a dozen other states, copied nearly word-for-word, becoming the de facto national template for data privacy in America. And almost none of the millions of people now governed by it know that it was authored by the company most invested in ensuring it would be weak.
This is not a story about one rogue lobbyist or one unusually pliant legislature. It is a story about a system — a coordinated, well-funded, and remarkably consistent strategy by the technology industry to write the rules of the data economy before anyone else can. Documented across seven states by researchers at Issue One, it is a story that stretches from Richmond, Virginia to Juneau, Alaska, from Hartford, Connecticut to Helena, Montana. And it is a story whose consequences fall on every person whose location data is for sale, whose teenager is algorithmically profiled, whose personal history sits in a data broker’s file waiting to be purchased by whoever wants it.
“The rules that govern the data economy must be written in public, for the public — not by the companies that profit from our personal lives.”
Issue One — Laboratories of Capture, 2026
I. The Vacuum That Swallowed Us
To understand how we got here, you have to start with the vacuum. For more than two decades, Congress has failed to pass a comprehensive federal privacy law. What exists instead is a patchwork: sector-specific statutes, each covering one slice of life, none covering the whole. The Children’s Online Privacy Protection Act — COPPA — was signed in 1998, two years before the first iPhone, eight years before Facebook opened to the general public. It covers children under thirteen and relies on parental consent mechanisms that companies have spent years learning to route around. Teenagers are not covered at all.
The most ambitious recent effort, the American Data Privacy and Protection Act, won bipartisan support and cleared a House committee in 2022. The American Privacy Rights Act followed in 2024. Both collapsed under the weight of irreconcilable disagreements — over enforcement powers, over whether states could go further than federal law, over the precise scope of individual rights. Those disagreements were real. But they were also, in every instance, amplified and sharpened by industry lobbying.
Within that federal vacuum, something else was happening. Beginning with the California Consumer Privacy Act in 2018, states began legislating on their own. Nearly twenty states have now passed some form of comprehensive privacy statute. On its face, this looks like democracy working — when the national government fails, the states step up. In practice, it created something else: an opportunity. The kind of opportunity that well-resourced industries seize when governance is fragmented, time is short, and expertise is scarce.
State legislatures, unlike Congress, typically operate on short sessions. A single legislative aide may be responsible for analyzing hundreds of bills in a session. Technical expertise is thin. Outside guidance — from lobbyists, from industry-funded think tanks, from trade associations presenting themselves as neutral experts — fills the gap left by staffing constraints. Whoever arrives first with a draft bill, a set of talking points, and a roster of credentialed “experts” ready to testify wields enormous power over what ultimately becomes law.
The technology industry understood this before most legislators did.
II. The Playbook
The strategy that Big Tech developed for state privacy legislation is not, to its architects, a secret. It operates in lobbying disclosures, in hearing testimony, in the careful language of “technical amendments.” What makes it powerful is not concealment but consistency: the same moves, made in state after state, by the same players, producing the same outcome.
- Write the Bills
Industry lobbyists and their outside counsel draft full legislation or key sections, presenting them as technical “best practices.” These drafts, circulated across statehouses, often mirror the Virginia model almost verbatim. When lawmakers are pressed for time and lack staff, the industry version becomes the starting point — and, frequently, the final product.
- Control the Amendments
Even when lawmakers introduce stronger bills, the industry works behind the scenes to reshape them. Lobbyists propose “technical fixes,” offer redlines, and request late-stage clarifications that narrow definitions, expand exemptions, weaken enforcement, or quietly convert prohibitions into opt-outs.
- Flood the Zone
When a strong privacy proposal gains traction, the industry rarely confronts it head-on. Instead, it creates competition. Multiple alternative bills — usually modeled on the Virginia framework — are introduced simultaneously, overwhelming legislative staff, dividing advocacy coalitions, and manufacturing pressure to settle on a “compromise” that almost always resembles the industry’s preferred version.
- Launder Corporate Positions Through Proxy Groups
Tech firms rarely testify under their own names. They rely on trade associations, think tanks, chambers of commerce, and coalitions that appear independent but share the same corporate funders. These organizations testify in hearings, publish white papers, and brief legislators under names emphasizing “consumer empowerment,” “innovation,” or “harmonization” — while remaining bankrolled by the very companies whose data practices they claim to be holding accountable.
At the center of this network sits a document: the Virginia Consumer Data Protection Act, the industry’s preferred template. Its features are not accidental. It includes no private right of action — meaning individual consumers cannot sue companies that violate their data rights. Enforcement is limited to the attorney general, a single, typically underfunded office. Definitions of “sensitive data” are narrow, leaving broad categories of deeply personal information unprotected. And the default is “opt out” rather than any genuine limit on collection: companies can harvest your data unless you actively stop them.
No private right of action. If a company violates your data rights, you cannot sue. Only the attorney general can act — and only if they have the bandwidth.
No data minimization. Companies can collect whatever they want, as long as they tell you it’s happening. There is no limit on the quantity of data harvested.
Narrow sensitive data definitions. Location data, behavioral data, and inferred data often fall outside protection. Data brokers continue to operate with minimal constraint.
Broad “business purpose” exemptions. Companies can use collected data for ill-defined “business purposes,” effectively neutering restrictions before they take hold.
III. How Virginia Was Made
Amazon’s lobbyist Meade Spoots wrote the bill. That sentence alone is worth sitting with. Not a senator. Not a consumer advocate. Not a bipartisan task force convened to weigh competing interests. An Amazon contract lobbyist handed finished legislation to a state senator, and that legislation became the national template for data privacy.
The speed of the Virginia process was no accident. Virginia’s legislative session is famously short — 26 days in 2021. The bill was introduced January 20, passed both chambers by March 2, and took effect January 1, 2023. In the period between the 2019-2020 and 2020-2021 legislative cycles, Amazon alone reported $320,000 in lobbying expenses in Virginia. Its political donations in the state had grown from $27,750 in 2016 to $277,500 in 2020 — a tenfold increase. Amazon, Google, and Microsoft together registered 17 lobbyists during the 2021 session, up from 12 in the previous cycle.
Source: Virginia Public Access Project (VPAP) via Issue One research
When questioned about the bill’s origins, Senator Marsden spoke of calls with “dozens of stakeholders” and “all kinds of amendments” entertained to meet business needs. Amazon’s own policy manager, Bill Way, testified that the law would make Virginia “a leader in consumer privacy” — a remarkable performance of neutrality from the man whose employer had written the legislation being praised. The neutral expert, Gray of the Future of Privacy Forum, was there to lend credibility; the Amazon-funded think tank provided the academic gloss. The lobbyist who drafted the bill was not mentioned.
What Amazon built in Richmond, it then exported. The Virginia model became the industry’s preferred standard — the bill text that lobbyists brought to the next statehouse, and the next, and the one after that. It spread not because it was the best policy available, but because it was the most convenient policy for the companies whose data practices it was supposed to regulate.
IV. The Ground War: Washington and Connecticut
Virginia did not arise from nothing. The ground had been prepared two years earlier in Washington State, where the tech industry’s first major push to establish a favorable privacy template played out in 2019.
Washington’s SB 5376 was introduced in January 2019, based on Europe’s GDPR. The bill’s ambitions were real; the Attorney General’s office even testified in favor of including a private right of action that would have let individuals sue companies that violated their data rights. But the industry mobilized with a force that had rarely been seen in Olympia. Amazon spent $2.3 million on lobbying in 2019 — a 547 percent increase from the year before. It hired four additional lobbyists. Microsoft’s President Brad Smith personally called state legislators to win support. Microsoft’s Chief Privacy Officer testified. A senior policy director at Microsoft, Ryan Harkins — a name that would recur across multiple states — annotated the final legislative draft and crossed out sections he deemed unsatisfactory.
Source: Washington Public Disclosure Commission via Issue One research
The bill’s sponsor’s own Chief Privacy Officer set the terms plainly. The goal of the legislation, Alex Aleben told the committee, was “not to disrupt business, but to allow business to operate as usual with consumer protections.” The private right of action was stripped. The bill died anyway — but its failure was productive. The industry had learned what it could and could not achieve in Washington. When the Virginia bill appeared two years later, it incorporated those lessons.
Connecticut’s story is different in texture but identical in structure. Senate Majority Leader Bob Duff introduced a consumer data privacy bill in 2020 that included a private right of action. He later recalled the scene that greeted his bill at the hearing: the room was filled, he said, with “every single lobbyist I’ve ever known in Hartford.” The bill died. He reintroduced it in 2021. It died again, killed by opposition from TechNet, the Software Alliance, hospital networks, automakers, and retailers — a coalition so broad it looked like a public consensus rather than a coordinated industry campaign.
In 2022, a version finally passed. But the bill that became law had been substantially rewritten in conversation with Andrew Kingman of the State Privacy and Security Coalition — a multi-industry lobbying group whose members include Amazon, Google, Meta, and Comcast. The Connecticut Data Privacy Act closely mirrors the Virginia model. Consumer Reports, which gave the bill tepid support, later clarified that the organization backed it only to prevent an even weaker version from passing. Kingman, meanwhile, continued pitching Connecticut’s law in other statehouses as a “consumer-friendly” model.
Source: Connecticut Office of State Ethics via Issue One research
V. Small Legislatures, Big Leverage
If the eastern states were the laboratories where the playbook was refined, the smaller, more remote states were where its power became most stark. In Alaska and Utah, the industry encountered minimal organized resistance — and produced results to match.
Alaska’s Consumer Data Privacy Act, introduced in 2021 and again in 2022, aimed to give Alaskans stronger control over their personal data than the Virginia model allowed. The bill proposed stronger enforcement provisions and a broader definition of the data subject to protection. The tech industry arrived to contest it.
Amazon registered a lobbyist in Alaska for the first time in 2021, disclosing “matters relating to data management” as the subject. Meta registered a lobbyist for the first time in 2022, for “matters related to data privacy and information technology.” TechNet and the Consumer Technology Association registered for the first time as well. The total influx of lobbying expenditure was modest by national standards — but Alaska’s legislature is part-time, its staff is skeletal, and the sheer appearance of national industry representatives carries weight that it would not in Sacramento or Albany.
“The tech lobby don’t just oppose legislation — they co-opt the conversation.”
Issue One — Laboratories of Capture, 2026
The decisive moment came in March 2022, when Microsoft’s Senior Director of Public Policy, Ryan Harkins — the same man who had annotated the Washington State bill in 2019 — appeared before the Alaska House Judiciary Committee and delivered a 30-minute PowerPoint presentation on data privacy. He was positioned as a neutral technical expert, capable of answering legislators’ questions about pseudonymous data, private rights of action, and the finer points of data governance. He was nothing of the sort. He was an industry advocate whose employer’s entire business model depended on weak privacy protections. The bill did not advance.
Utah’s story is, if anything, more instructive, because the co-optation was not even concealed. Senator Kirk Cullimore, the sponsor of Utah’s 2022 Consumer Privacy Act, told his own Senate Revenue and Taxation Committee at the bill’s introduction that it had “a lot of input” from business interests. The final text had been developed with Anton van Seventer, a lobbyist for the State Privacy and Security Coalition, who was introduced to the committee as “counsel” — a framing that implied legal expertise rather than paid advocacy. Van Seventer told the committee he hoped the Utah model would be adopted in other states and eventually at the federal level. A TechNet executive testified for thirty seconds, saying simply that he wanted to align his comments with “his colleague Anton.”
A local business group provided the final touch. Dave Davis, president of the Utah Retail Merchants Association, told the committee he “ordinarily wouldn’t be speaking in favor of more government regulations,” but that the bill struck the right balance. This is the playbook’s most elegant move: finding a local face to say what a national lobbyist cannot say without seeming self-interested. The Utah Retail Merchants Association gave the industry’s position a local accent, a small-business affect, a sense of community investment. Utah’s law passed in less than a month.
VI. Cracks in the Playbook
Montana was supposed to be easy. A small, part-time legislature. Limited staff. A Republican-dominated statehouse in a state with no history of aggressive tech regulation. When Senator Daniel Zolnikov — himself a Republican — introduced SB 384 in February 2023 with ambitions to model it on Connecticut’s stronger privacy framework, the industry expected a straightforward intervention.
What happened instead was something rare: a lawmaker who pushed back.
Andrew Kingman of the State Privacy and Security Coalition arrived in Montana having spent the previous months in Maryland championing the Connecticut model as a sensible, balanced standard. In Montana, he privately urged Zolnikov to abandon that same Connecticut model. Zolnikov noticed the contradiction. He later said: “To say that my state doesn’t deserve the right protections as four or five other states? That really didn’t bode well with me.”
Zolnikov’s account of the lobbying process is a glimpse into the machinery that usually operates invisibly. He explained that while national lobbyists spend years shaping legislation, Montana lawmakers have weeks. He never met the national lobbyists in person. “Technical” changes were delivered by email and by phone, often at the last minute — a pressure tactic designed to prevent careful review, to create a sense that the amendments were routine clarifications rather than substantive rewrites.
Source: Montana Commissioner of Political Practices via Issue One research. Microsoft went from $210 spent in 2021–22 to $40,000 — a 19,000% increase.
Montana’s law passed with some of Zolnikov’s stronger provisions intact, though not all. It was a partial victory — remarkable mainly because partial victories are so unusual. In most states, the playbook runs its course without a lawmaker calling it out from the dais.
VII. The Small-Business Mirage — Maine
In Maine’s 2024 session, two privacy bills competed for the legislature’s attention. Representative Maggie O’Neil’s LD 1977 was the stronger proposal: it required data minimization — the principle that companies should collect only the data genuinely needed for their services — expanded the definition of sensitive personal data, and included a private right of action allowing individuals to sue for violations. Senator Lisa Keim’s LD 1973 was the industry’s answer: modeled on Virginia and Connecticut, drafted with direct input from a Meta lobbyist and a Charter Communications lobbyist.
LD 1977 generated 256 lobbying reports, more than any other bill in that legislative session — more than the state budget. Thirty-five groups submitted written testimony opposing it before the Judiciary Committee’s public hearing alone. The coalition arrayed against O’Neil’s bill reads like a directory of American industry: banking, retail, automotive, insurance, healthcare. Maine’s State Chamber of Commerce, the National Retail Federation, L.L. Bean, the Maine Automobile Dealers Association, the American Council of Life Insurers, and State Farm all filed opposition. The banking sector was represented by the Maine Bankers Association, the Maine Credit Union League, and Kennebec Savings Bank, a local institution whose presence gave the opposition a community texture it might otherwise have lacked.
“There is a clear state privacy template that now covers nearly 25% of the US population, and LD 1977 diverges so significantly from this template that it would isolate Maine’s economy.”
Andrew Kingman, State Privacy and Security Coalition — Written testimony on Maine LD 1977, 2023
The message from Andrew Kingman of the State Privacy and Security Coalition crystallized the industry’s argument in its most confident form. He argued that LD 1977 deviated so significantly from the established template that it would isolate Maine’s economy — as if a state choosing to offer its residents stronger privacy protections was the equivalent of economic self-sabotage. The argument against “patchwork” regulation is perhaps the industry’s most versatile rhetorical weapon: it presents the industry’s preferred standard as a kind of legal gravity, inevitable and natural, while casting any deviation from that standard as the destabilizing act.
Source: Maine Ethics Commission via Issue One research. SPSC = State Privacy and Security Coalition.
By April 17, when the session ended, neither bill had advanced. The industry had accomplished something subtle: by flooding the process with opposition to LD 1977 while simultaneously promoting the weaker LD 1973, it had created conditions of total gridlock. Maine’s citizens ended the session with no new privacy protections at all — a worse outcome, in immediate practical terms, than if the stronger bill had simply been voted down. Gridlock is not neutral; in a world where the data economy continues to accelerate, it is a victory for those who prefer the current rules.
VIII. The Network Behind the Curtain
Most state legislators will never see an Amazon executive in a hearing room. What they see instead is the network — an elaborate ecosystem of organizations that present corporate positions as neutral expertise, industry preferences as consumer empowerment, and the interests of multinational platforms as the concerns of small-town businesses.
The State Privacy and Security Coalition, whose lobbyist Andrew Kingman appears in the Virginia, Connecticut, Montana, and Maine case studies, counts among its members Amazon, Comcast, Google, and Meta, alongside NetChoice and TechNet. The Future of Privacy Forum, presented in Virginia as independent expertise, receives corporate membership funding from AT&T, Comcast, Google, Meta, Amazon, and Microsoft. Chamber of Progress, a nonprofit lobbying group that presents itself as advocating for technology and innovation, was founded by a former Google lobbyist and receives backing from Apple, Google, Amazon, and Meta.
These organizations share more than funders. They share arguments. The testimony filed by TechNet in Alaska echoes the arguments made by the State Privacy and Security Coalition in Maine. The talking points delivered by Chamber of Progress in one state reappear in a state chamber of commerce letter in another. The same language about “patchwork” regulation, the same warnings about “excessive litigation,” the same assurances that the Virginia or Connecticut model provides “strong consumer protections” — all of it circulates through the network with the efficiency of a well-run communications operation, because that is precisely what it is.
State Privacy and Security Coalition (SPSC) — Multi-industry coalition coordinating across dozens of companies. Members include Amazon, Comcast, Google, Meta, NetChoice, and TechNet. Regularly drafts bills and negotiates amendments on behalf of members.
Future of Privacy Forum (FPF) — Washington, D.C. think tank that presents itself as a neutral convener of experts. Corporate membership includes AT&T, Comcast, Google, Meta, Amazon, and Microsoft.
TechNet — Trade association for tech executives whose members include Apple, Amazon, and Google. Active in Washington, Alaska, Virginia, Utah, and beyond.
Chamber of Progress — Nonprofit lobbying group founded by a former Google lobbyist. Backed by Apple, Google, Amazon, and Meta. Frames corporate positions as “innovation” and “consumer empowerment.”
NetChoice — Trade association representing Amazon, Google, and Meta. Frequently appears in opposition to stronger privacy measures under a banner suggesting consumer and free-speech interests.
IX. What Is Actually at Stake
The case for treating this as a crisis — rather than merely a policy dispute — rests on what the data economy actually does with the information it collects, and who gets hurt when the law looks the other way.
For children and teenagers, the harms are the most immediately legible. Recent litigation has revealed how platforms use behavioral data — mood indicators, attention patterns, time-on-app metrics, information about what content makes a user linger — to shape algorithmic recommendation systems in ways that keep young people engaged. Engagement, for a platform monetizing attention, is good; that the content driving that engagement may be harmful is a separate consideration, and a less financially pressing one. Without data minimization requirements, without strict limits on the collection of behavioral data on minors, nothing in current law prevents this from continuing. The Virginia model, replicated across the country, leaves it untouched.
For national security, the stakes are different but no less severe. Foreign adversaries — Chinese intelligence, Russian state actors, others — no longer need to hack government systems to build dossiers on American military personnel, public officials, or ordinary citizens. The data broker industry, operating legally under current frameworks, aggregates precise location data, financial records, behavioral profiles, and relationship maps into packages available for purchase on the open commercial market. As a 2024 federal investigation revealed, sensitive location data can be purchased in bulk for sums that represent trivial investments for a state intelligence apparatus. The regulations that might prevent this sale do not exist in states that follow the Virginia model.
And then there is the question that sits beneath all the others: who controls the information environment in which democratic decisions are made? The vast behavioral datasets that tech platforms have accumulated — datasets built on personal information collected without meaningful consent, governed by laws written by the companies that benefit from collecting it — now feed AI systems that determine which content reaches which people, which political messages appear in which feeds, which narratives are amplified and which are suppressed. This is not a hypothetical future risk. It is the operational reality of the current internet, and it runs on data that weak privacy laws leave largely unprotected.
“A society cannot make collective decisions when its information environment is privately engineered, personalized, and opaque.”
Issue One — Laboratories of Capture, 2026
This is not just a privacy problem; it is, as the report’s authors write, a democratic one. The erosion of meaningful privacy protections does not happen in a vacuum. It happens in the same political environment where faith in institutions is declining, where the integrity of shared information is contested, where the platforms most invested in the current system are also among the most powerful shapers of public opinion. The industries writing the laws governing their own behavior are the same industries that mediate much of the nation’s political communication. The conflict of interest is not incidental. It is the story.
X. Signs of Resistance
The trajectory is not inevitable. That is the other thing the seven case studies show, if you look carefully at what happened in the places the playbook partially failed.
Senator Zolnikov in Montana called out a lobbyist for contradicting himself across state lines, and it mattered. The bill that passed was not what Zolnikov had hoped for, but it was stronger than what the industry wanted — and the public exposure of the playbook’s workings was itself a form of accountability. Maryland passed a data-minimization privacy law in 2024, becoming the only state outside California to adopt a rights-protective framework that limits data collection at the source rather than simply regulating what companies can do with data they’ve already collected. It is a meaningful distinction: minimization attacks the surveillance economy’s foundation, while the Virginia model merely tightens its edges.
In 2025, not a single industry-written privacy bill passed in any state — the first such year in the modern era of state privacy legislation. Whether this represents a turning point or a temporary pause is not yet clear. But it suggests that the playbook, once widely understood, becomes harder to run. Transparency is the mechanism that disrupts it: when legislators know who wrote the bill, when journalists ask about the funding sources of the “neutral experts,” when residents can identify the red flags in weak legislation before it passes, the industry’s structural advantages diminish.
The 2026 legislative cycle will test this. Dozens of states are actively considering privacy bills. Congress continues to debate national legislation, including a Republican Privacy Working Group operating within the House Committee on Energy and Commerce. The decisions made in the next two to three years will determine whether the United States builds a rights-based framework for the data economy or cements a surveillance-based one — and whether the rules governing both are written by the public or by the companies that profit from collecting our data.
XI. What Strong Looks Like — and What to Demand
Distinguishing a strong privacy bill from a weak one is not technically difficult, once you know what to look for. The tell-tale signs of an industry-backed bill are consistent across every state examined in the Issue One research:
Does the bill include a private right of action — the right of individuals to sue when their data rights are violated? If not, enforcement depends entirely on a single attorney general’s office that is already stretched thin and politically constrained. Does the bill include data minimization — an actual limit on how much data companies can collect — or does it merely regulate what can be done with unlimited data after it has already been gathered? Does it define “sensitive data” broadly, covering location history, biometric data, inferred characteristics, and behavioral profiles, or narrowly, leaving the most commercially valuable categories unprotected? Does it include broad “business purpose” exemptions that effectively let companies continue their current practices under a different name?
These questions — who wrote the bill, who benefits from its weaknesses, who is being presented as a neutral expert and who funds them — are questions that journalists, legislators, advocacy groups, and engaged citizens can all ask. They are questions whose answers are, in principle, available in public lobbying disclosures, in hearing testimony, in the bill text itself. The infrastructure for accountability exists. What has been missing is the understanding that it needs to be used.
The Virginia Consumer Data Protection Act was written by an Amazon lobbyist and is now the law of the land across a substantial portion of the United States. The Future of Privacy Forum receives its funding from the same platforms it appears to hold accountable. Microsoft’s senior policy director has testified in Alaska, annotated draft legislation in Washington, and appeared in statehouses across the country presenting industry interests as technical expertise. The State Privacy and Security Coalition has lobbied in favor of the Connecticut model in Maryland and against it in Montana, in the same legislative year, without apparent contradiction.
These facts are not difficult to ascertain. They are available in lobbying disclosures, in hearing recordings, in public testimony. What has been missing is not the information but the synthesis — the recognition that what looks, in each individual state, like routine legislative process is, in aggregate, a coordinated national campaign to write the rules of the data economy before anyone else can.
Issue One’s research — across seven states, drawing on lobbying disclosures, hearing testimony, and bill text — provides that synthesis. What it shows is a system that is neither accidental nor inevitable. The statehouses that became laboratories of industry capture could have been laboratories of genuine consumer protection. Some still can be. The path forward runs through transparency about who writes the bills, accountability for who funds the experts, and enforcement mechanisms that give the rules actual teeth.
The data economy will be governed. The only question is who governs it, and for whom. Right now, the answer — in most states, under most laws passed in the last five years — is that the companies collecting your data are writing the rules about how your data can be collected. That is not a technical failure of the legislative process. It is a democratic one. And democratic failures, unlike software bugs, require democratic solutions.
1. No private right of action. If only the attorney general can enforce it, it probably won’t be enforced.
2. No data minimization. Bills that regulate data use without limiting data collection leave the surveillance economy’s foundation intact.
3. Narrow “sensitive data” definitions. If your location history and behavioral profile aren’t sensitive, ask why.
4. Broad “business purpose” exemptions. These phrases are designed to make restrictions vanish on contact with company practice.
5. Industry lobbyists presented as neutral experts. Ask who funds the think tank. Ask who referred the senator to the expert. Ask who wrote the bill text.
6. Sudden appearance of competing bills. When a strong bill is “flooded” with industry-backed alternatives, the goal is gridlock — not improvement.