February 22, 2021
Rather than wait for federal Internet privacy laws, a growing number of states are pursuing their own proposals. Virginia, Washington, New York, Minnesota, Oklahoma and Florida are moving ahead with data protection legislation, as the COVID-19 pandemic continues to drive more users online for work, education and other daily activities. California passed its Consumer Privacy Act in 2018. But Internet privacy experts warn that companies will find it difficult to do business across state lines should this state-by-state model take hold.
The Wall Street Journal reports that, at law firm Frankfurt Kurnit Klein & Selz, chair of the Privacy & Data Security Group Tanya Forsheit said, “the notion that you can divide up your business to treat consumers in California differently than you do in Washington or Virginia is silly.” National Retail Federation chair Cy Fenton reported that the difficulty of “responding to divergent approaches” is that “your targeted advertising becomes a little less effective.”
Virginia officials aim to “craft a business-friendly approach to regulation … [and], unlike California’s law, which gives consumers a limited right to sue companies for privacy lapses,” offer Virginians no such rights. This move was criticized by Consumer Reports and “other advocacy groups,” although Amazon and IBM support the bill.
“If states could look to Virginia as a model, and states sort of follow that in some sort of a uniform way, that would be helpful to us,” said IBM chief privacy officer Christina Montgomery, who pointed out that the Virginia proposal uses terms for data “controllers” and “processors” similarly to EU rules.
In Washington state, Democratic senator Reuven Carlyle “introduced an updated version of the Washington Privacy Act, which has stalled each of the past two years over concerns the attorney general couldn’t enforce the resulting law alone … [and] representative Shelley Kloba, also a Democrat, unveiled a competing bill, backed by the American Civil Liberties Union of Washington, that includes a private right of action and allows local governments to pass potentially stronger privacy protections.”
Digital advertising company GumGum, rather than analyzing user data such as browsing history, instead “places ads by analyzing content and metadata on pages users visit.” But the company’s director of global compliance T’Juana Albert said that the company gets about 10 requests a day “to stop selling consumers’ information.” She noted that “compliance questions for third-party vendors could multiply as more businesses share data to market their products and more state laws come online.”
“Oftentimes, [outside partners] are the ones that are not compliant,” she said. “You as a business don’t necessarily know that.”