Big tech is hungry for consumer data. Mass. needs privacy legislation now

Tech companies openly admit we are entering a new phase of AI-powered surveillance. One billionaire tech founder claims AI will be “constantly watching and recording” every action through ubiquitous body and doorbell cams. The AI race has only accelerated industry’s lust for our data — because captains of industry believe they need more and more data about us to train their AI models. And the longer we allow the unfettered collection of our personal information, the less we will be able to do about it, and the more likely we will become acclimated and resigned to the false idea that we don’t want or deserve digital privacy or freedom.

We have little hope the current administration will protect us. The Trump White House’s executive order on AI explicitly embraces the fallacy that “To win [the battle for AI ‘supremacy’], United States AI companies must be free to innovate without cumbersome regulation.” But lawmakers in Massachusetts recognize just how much privacy we have lost and what is necessary to claw it back. In September, the Senate unanimously passed the Massachusetts Data Privacy Act (MDPA), which would limit data abuse and ban the sale of our sensitive data. The House is currently considering its own version, the Massachusetts Consumer Data Privacy Act (MCDPA), which, if passed, would be the most privacy protective state privacy law in the country. Its privacy protections would also foster a vibrant and sustainable online marketplace by giving us meaningful choices as consumers and rewarding businesses for being trustworthy stewards of our data.

We’re a couple of law professors who are also Bostonians. Together, we’ve studied digital privacy issues for a combined five decades, and we think there are three important things you should know as the MDPA and MCDPA take center stage in the debate over data privacy.

First, big tech companies have spent a lot of time and money trying to convince the American public that we don’t deserve strong privacy rules because they would hurt small businesses. Don’t fall for it. Most of the noise coming from “small businesses” is really big tech in disguise. This includes downplaying their role in scorched-earth lobbying against any strong privacy rule by bankrolling and leveraging “small business collectives” to give the appearance of some kind of grassroots movement. Fake grass-roots movements are what are known in the trade as astroturfing, and they are a trick.

Vermont State Rep. Monique Priestley, whose gold-standard privacy bill was killed last year with the help of Silicon Valley lobbyists, wrote that the tech industry often exerts its influence on policy debates through organizations that claim to represent local interests but may have hidden financial backing and inflated membership. But similar rules already exist in other states and countries without such catastrophe. California, Maryland and many other states already have reasonable restrictions on how our data is collected and used. Illinois allows people to bring a lawsuit directly against companies who wrongfully collect and use their biometric information. The sky will not fall if we get the reasonable privacy rules we deserve.

That brings us to our second point: Surveillance-based “targeted” advertising, which auctions you off to the highest bidder to show you an ad based on your web browsing and mountains of personal data, doesn’t work as promised and, on balance, isn’t good for either consumers or small businesses. The price of being an ordinary member of society should not be having all of your online activity tracked, assembled and used to manipulate you. And we should applaud and support any law — like the MCDPA — that would rein it in. When we spoke with MIT economist Alessandro Acquisti, one of the most respected scholars in the field, he told us how “the online advertising industry has long extolled the benefits of targeted advertising, presenting it as an economic win-win for publishers, merchants and consumers alike. And yet, in reality, there is little robust empirical evidence that any stakeholder — other than the data intermediaries themselves — actually benefits from this type of advertising.”

Acquisti’s latest research shows that for consumers, behavior-based ads like the ones that pop up for a certain brand after you reveal an interest in them while browsing online are associated with higher prices and lower-quality vendors. In other words, when consumers buy through targeted ads, they risk spending more and getting a worse product or product experience than if they had purchased through search results. There’s also strong research tending to show that targeted advertising only brings in marginally higher revenues for companies. So who benefits? Big tech platforms make huge profits from sending us tailored ads for banned or scam items. In 2024, for instance, Facebook’s internal projections predicted the company would make 10% of its annual revenue from these types of fraudulent ads.

Besides, any marginal gains small businesses achieve using behavioral ads stand to be wiped out by the massive advantage that big tech companies gain in order to target (and thus siphon off) those same consumers elsewhere online. Small businesses will never have more data (or a greater ability to target consumers) than large tech companies, and if data is what determines the fight for our attention and money, then Silicon Valley will win every time. In other words, when it comes to behavioral advertising, Silicon Valley gets the meal and gives small businesses the table scraps.

History is clear: If companies can collect it or use data to make a little extra profit at our expense, they will.

This brings us to our third and final point, which is simple: the only way things will improve is if we pass rules that limit how much data companies can collect about us, and ensure that the data they collect is used to make our lives and experiences better rather than worse. All the “I Agree” buttons, transparency disclosures and opt-out rights in the world mean nothing if companies can still collect whatever data they want and use it however they please.

The heart of the privacy bill that the Massachusetts legislature is now considering is a simple but firm rule that companies should collect and use only the personal information that they need to provide services for consumers. In privacy law, we call this “data minimization.” It would mean, for example, that a flashlight app for your phone wouldn’t be able to collect your location data and your fitness trackers wouldn’t be able to share your health data with third-party advertisers. Data Minimization has been a basic and uncontroversial part of most data privacy laws around the world since the 1970s. Maryland recently passed its own law requiring data minimization, joining California and Colorado. Massachusetts should follow suit.

If companies can collect it or use data to make a little extra profit at our expense, they will. And laws like the ones under consideration at the State House right now are necessary to protect the people of Massachusetts from Silicon Valley’s bottomless appetites. The Legislature should ignore the high-priced lobbyists and pass a law that actually protects us from data-hungry business practices that benefit no one but big tech.

Woodrow Hartzog is the Andrew R. Randall Professor of Law at Boston University School of Law. Neil Richards is the Koch Distinguished Professor in Law at Washington University in St. Louis, where he teaches courses on privacy and technology and directs the Cordell Institute.