WASHINGTON -- A year ago, President Obama stood behind a podium at the Federal Trade Commission and called for legislation that would set a single national standard for when companies have to tell consumers that their personal information was stolen or misused.
"Right now, almost every state has a different law on this, and it's confusing for consumers and it's confusing for companies -- and it's costly, too, to have to comply to this patchwork of laws," he said.
But the proposal didn't go anywhere and even drew criticism from some who said the bill would actually leave some Americans with fewer protections. That's because although there is no national data breach notification standard, nearly every state has a law addressing the issue on the books -- some of them stronger than the national proposal.
That status quo fit into a now familiar pattern: While attempts to create strong federal privacy and data security protections have floundered in recent years, state legislators and attorneys general have stepped up to fill gaps.
And on Wednesday, the American Civil Liberties Union announced a new, bipartisan campaign to introduce privacy bills in 16 states and the District of Columbia. In a press call, ACLU executive director Anthony Romero argued that congressional gridlock makes a state-by-state movement among the most effective ways to push for nationwide changes.
"My colleagues and I will be using the lawmaking powers we have to empower our constituents to take control of their own privacy," said Michigan State Rep. Peter Lucido, R, who is co-sponsoring legislation as part of the campaign. The federal government should have taken the lead on these issues but didn't, Lucido said.
The bills include proposals that do things like require a warrant before law enforcement agencies can gain access to emails, provide checks on location-tracking technology, or create new rules about the use of student information.
D.C. Council member David Grosso, I-At large, introduced a student privacy bill as part of the push. "These are things that I think just haven't been broadly enough addressed on the national stage," he said.
Americans care about privacy. In a Pew Research survey released last year, over 90 percent of respondents said being in control of who can get information about them is important. Roughly the same number said controlling what information is collected is important. But few feel they are actually in control of their personal information, Pew found.
On the national level, the FTC serves as the government's chief privacy watchdog. But the agency is generally limited to enforcing the rules that Congress sets or relying on its authority to go after companies it believes are engaging in deceptive or unfair practices. Although the agency has bolstered its ability to investigate tech-related privacy problems and gone after tech giants like Google and Facebook, it doesn't have the resources to go after every potential infraction.
"The FTC just doesn't have time -- it's fabulous, but they have so many things on their plate," said Danielle Citron, a University of Maryland law professor currently serving as a senior fellow at the Future of Privacy Forum.
"The FTC has been the nation's lead law enforcement agency on consumer privacy for decades, and has taken extensive steps to protect Americans' privacy online and offline," said Maneesha Mithal, associate director of the FTC's division of privacy and identity protection. The agency, she added, "regularly partners with other federal and state agencies on privacy issues."
The FTC has brought over 500 privacy-related enforcement actions, according to Mithal. Although Mithal acknowledges the agency has limited resources, she said it has been "successful in using particular cases to get word out more broadly" on privacy and data security issues.
But when a case doesn't reach the level of federal involvement, states can often investigate because they have "mini-FTC" acts -- laws that typically give the state attorneys general some of the same powers to go after deceptive or unfair business practices. And for years now, they've pushed for stronger privacy and data security practices through enforcement actions and new legislative proposals, said Citron, who is finalizing a paper about how state attorneys general influence privacy norms.
"What we've seen in the last 10 years on the state level is state lawmakers and attorneys general seeing a vacuum because they are on the front lines," she said. "Consumers are coming to them with problems."
You can even thank states for the privacy policies you see on websites, according to Citron. State attorneys general were among the first officials to raise alarm bells over the lack of disclosure about how websites track visitors and were more aggressive in pursuing the issue than federal watchdogs, she said.
One of the first major investigations into online tracking involved Internet advertising company DoubleClick, now owned by Google. The FTC dropped an investigation into whether DoubleClick's practices violated consumers' privacy in 2001 after the company committed to voluntary changes. But a group of state attorneys general pushed on, eventually reaching an agreement with DoubleClick that included more concessions, including a requirement that the company publicly disclose how it gathered information from people who visit websites -- and that any site using the company to place ads must disclose DoubleClick's activities in their privacy policies.
This, she argues, is one of the most important things about state-level privacy enforcement and laws: They create a sort of race to the top where people often end up with the most robust of the state-level protections because companies want to ensure they comply with the strongest privacy protections that may apply.
"It becomes increasingly impractical for Google to have 50 different privacy standards across the states," said Romero.
That means the patchwork of protections the president warned about on data breach notifications may be better for everyday consumers than national laws. "If we had a federal law data breach law passed, it would probably be very weak and preempt state laws," Citron explained.