BISMARCK — A group of Republicans in the North Dakota House of Representatives is taking aim at enhancing internet privacy for residents.

House Bill 1330, proposed by Rep. Tom Kading of Fargo, seeks to prevent businesses operating in the state from selling a user's "protected data" without their consent.

As written, the bill would cover companies — including social media websites — which collect a user's protected data, sell it and do business in the state. Protected data would include the user's location, screen name, shopping habits, browsing history and more.

Rep. Jim Kasper of Fargo, Rep. Matthew Ruby of Minot and Rep. Nathan Toman of Mandan also backed the bill, which received a "do not pass" recommendation from the House Industry, Business and Labor Committee.

In an interview with Forum News Service prior to the committee hearing, Kading said he proposed the bill to combat the ever-increasing amount of personal data on the internet.

WDAY logo
listen live
watch live
Newsletter signup for email alerts

"The theory here is there is a lot of personal information out on the web and I think people should have the ability to opt in to whether or not the site your logging into can sell your information," he said. "I'm not really comfortable with Big Tech out there taking my browser history or anyone's browser history and selling it to someone else."

If passed, Kading believed all websites operating in the state would be required to adhere to it.

"The issue of jurisdiction does get a little bit complicated, but generally yes," he said.

The nine opponents who testified against the bill cited jurisdiction as a critical hang-up, saying the issue of online privacy would be best handled with one federal policy rather than left to individual states. Opponents also argued that while the bill targeted some of the country's largest technology firms, it would unduly harm the state's small businesses, which would also need to comply.

The Fargo legislator pointed to HIPAA, the Health Insurance Portability and Accountability Act, as an example of government intervention to protect privacy.

"To me, and I know it's not government, but it's more and more Big Brother-ish all the time to know everything you do," Kading told Forum News Service. "I think there's so much information being gathered about all of us that Big Tech knows more about us than we know about us."

"I just think people need some level of protection from having all of our personal information being sold to the highest bidder," Kading continued.

Copying California

According to Caitriona Fitzgerald, the interim Associate Director and Policy Director of the Electronic Privacy Information Center, California has led the United States on internet privacy issues. "In terms of a truly comprehensive law that limits how customer data is disclosed and transferred between companies, California is the only one with a law in place," she said.

The California Consumer Privacy Act was signed into law in 2018 after citizens organizing a signature drive came to a compromise with the state's Legislature. However, the act's swift passage left gaping holes, Fitzgerald noted, prompting Proposition 24, a ballot measure in the 2020 general election which addressed some of the original law's deficiencies.

Though the combined laws only apply to some of the state's largest companies, they do place limitations on a company's ability to transfer sensitive data, require more transparency regarding how data is used and give consumers the right to ask companies to revise or delete their data. With its passage, Proposition 24 will also create the California Privacy Protection Agency to enforce the legislation.

While California's law has "some weaknesses," Fitzgerald said, it provides a framework for other states.

"That's the model you want to see," she said. "You want to see rights for individuals, obligations on companies that collect data and make sure there’s a way to enforce both of those."

Federal hold-up

According to Fitzgerald, numerous federal privacy proposals have come close but ultimately failed to pass. A historically bipartisan issue, she estimated Democrats and Republicans are in agreement on about 90% of the main points, with two key issues stalling legislation: federal preemption and a private right of action.

Generally speaking, Democrats have sought to permit states to pass further privacy laws if they desire, while Republicans have advocated for a blanket national policy. Democrats have also called for a private right of action, which would allow individuals citizens to protect their own rights, while Republicans have opposed the idea.

Given the amount of work that has already been done, closeness to an agreement and mounting public pressure for action, Fitzgerald said she is "hopeful" Congress will soon reach an agreement.

'No dissent consent'

Fitzgerald argued that North Dakota's consent-oriented proposal is less-than-ideal for consumers. "You need to do more than this because the problem with consent is we all do it," she said. "We just click 'agree.' We don’t read the terms."

Europe's General Data Protection Regulation, which brought on the "Accept all cookies" or "Refine your choices" buttons which have become ubiquitous online, uses a similar consent-based approach.

"That hasn’t proven to be effective because we all see a hundred of them a day and very few people are taking the time to go through (it)," she said.

"This old model of 'no dissent consent' really doesn’t protect privacy," Fitzgerald continued. “You need to put obligations on the companies that are collecting data saying they can only collect it for the purposes that people would reasonably expect."

Starting a conversation

In discussions with both individual citizens, legislators and businesses, Kading noted contrasting opinions when it came to enhancing online privacy. "When I talk to individuals, they support it. The companies aren't as excited to support it," he said. "What that means in terms of votes, I guess we’ll see."

Kading hoped the bill could be "the beginning of a conversation" regarding internet privacy. Still, he acknowledged it may fall short in some areas.

"Is it perfect? Probably not. Are there things we could add or take out? I think so," Kading said. "But I think it's a conversation that the more people who are a part of it, the better off it's going to be."