The fight over online privacy is usually focused on Capitol Hill. But federal regulation of privacy issues has yet to be fully fleshed out by Congress. So for now, state legislatures are taking a crack at it.

California, Colorado and Virginia all have their own privacy laws, and Utah may join them. The state’s legislature has signed off on a new bill, and it’s just awaiting the governor’s signature.

But consumer advocates say this presents a patchwork of protections.

Margaret McGill is a tech reporter for Axios. She said tech lobbying groups have been urging state legislatures to pass less stringent laws than, for instance, the one in California, which provides more privacy rights to consumers.

Margaret McGill: There’s been a push among tech companies and lobbying groups to engage at the state level and make sure that there aren’t a bunch of California copycats in statehouses. And this Utah bill is being held up by the industry as an example of their preferred model for privacy regulations at the state level. I think both consumer groups and tech companies would prefer there be a national privacy law rather than going from state to state, but because there has not been any action by Congress on this, the states are where this fight is played out.

Kimberly Adams: Right. And it seems like a fight over what’s going to be the baseline model for privacy regulation at the state level.

McGill: That’s right. The Utah bill says that consumers can opt out of data collection. But the consumer groups that I’ve talked to said that that’s actually really hard and unworkable in practice for consumers to figure out — how to go from website to website and opt out. And they also have concerns about enforcement. In the case of the Utah model, complaints from consumers will be routed to a division within the attorney general’s office. Consumer groups say that’s not really much incentive for companies to follow the law, and what they would like to see instead is for people to have a private right of action — a way to sue these companies for privacy violations.

Adams: Why are these individual state fights over privacy regulation getting so much national attention?

McGill: I think this is a big issue because states are acting in the void that Congress has created. And so, what’s gonna happen is states are just going to figure out what works best in their state and for their constituency. And I think that means a lot of companies are putting a lot of money into their state lobbying operations. Because what they don’t want is 50 different state privacy laws that they then have to try and comply with.

Adams: What happens then to potential federal privacy regulations, if we do end up with a hodgepodge of laws across different state lines?

McGill: Well, I think that there’s hope, both from the consumer groups and from the companies, that as more and more states pass laws, that will increase the pressure on federal lawmakers to do something once and for all. A lot of people thought that when the California law passed, that would be the trigger for federal action. And that really didn’t happen. I’m not sure what the future is, though, for a federal privacy law. It seems like it’s something that everybody wants, but nobody can quite figure out how to make it happen.

Related links: More insight from Kimberly Adams

We link to McGill’s recent article on the Utah bill.

If you’re curious about the distinctions between the Utah bill and California’s law, here’s one: California lets consumers sue companies directly for privacy violations, unlike Utah’s bill.

We’ll include a link to a National Law Review piece, which outlines some other provisions in Utah’s legislation. Plus a 2019 piece from Recode laying out details of the California bill before it went into effect.

We’ll also link to a New York Times article about how California’s law paved the way for the state’s first privacy agency and how the former chief technologist of the Federal Trade Commission has been building it from the ground up.