Opinion/Guest column: Protecting data privacy from Big Tech
Elyse Wallnut
Worcester Telegram & Gazette
July 12, 2026, 5:01 a.m. ET
Sometime in the last decade, small businesses and nonprofits across the United States became some of Big Tech’s most reliable advocates – without most of them ever knowing it. This is playing out across the country as states, one by one, adopt their own data privacy legislation in the absence of a federal law. It’s happening in Massachusetts right now, and it matters far beyond state lines
My eyes were opened to this when I testified before the Vermont Legislature this year in support of its state data privacy bill. I’m a nonprofit marketing strategist, and I accepted the invitation to lend my expertise because I spent years inside the digital advertising machine – running what became data-intensive campaigns for nonprofit organizations I believed in – before coming to understand that better, less invasive paths to reaching our audiences exist
Vermont’s bill had already been vetoed once in 2024 due to sustained lobbying pressure on the governor, even after it passed the House and Senate. It was rebuilt from a gutted version this year. When I testified, the bill still had teeth. That quickly changed. I’m relaying this because what happened next could easily happen in Massachusetts, too
In Vermont, as they have in at least 32 other states, the Big Tech lobbyists came. Their playbook is now predictable: They bring talking points to trade associations, chambers of commerce and nonprofit alliances. These groups then take the points to their members, genuinely worrying them that compliance costs will hurt them and that regulating data use will stall the marketing tactics they depend on. The resulting testimony reaches the legislature, looking like a groundswell of community concern that overwhelms lawmakers into weakening protections.
Massachusetts has its own privacy bills pending before the Legislature right now – and the same playbook is already in motion. What these associations aren’t telling their members is that most of them are too small to face compliance obligations under any of these bills. And they leave out the business-friendly components that benefit small businesses and nonprofits.
The Massachusetts bills contain data-minimization provisions limiting data collection to what’s necessary to provide a consumer with the service they requested, and nothing more. That’s good for residents, who gain protection without having to read a single privacy policy. And it’s good for small businesses that don’t build their own technology and inherit whatever practices their platforms and tools embed. When compliance falls only on large data holders – those holding personal data on 60,000 or more people – their tools become privacy-safe by default, and smaller operators inherit compliant infrastructure. That’s an investment in consumer trust that you can market. The bill also stops large national competitors from collecting your customers’ data and using it to lure them away.
Data that’s not collected is also data that can’t be sold to the likes of immigration enforcement officers tracking residents in your neighborhoods, entities monitoring union workers organizing for better conditions, and groups logging period-tracking apps and visits to reproductive health clinics
Dangerous data practices are legal in most of the United States because we don’t have a federal data privacy law – yet. But Big Tech has realized that if it can push through enough weak privacy laws across the states, they can convince lawmakers that Americans are willing to accept the bare minimum for the national standard. And that’s exactly what’s happening
Kentucky’s law, thought to be one of the weakest in the United States, is the foundation of the SECURE Data Act, the proposed federal bill currently before Congress. If passed, that proposed federal bill would override any state law with stronger protections. By passing a strong version of a data privacy bill this year, Massachusetts has the chance to defeat the lobbying strategy built to suggest Americans will accept this
Paths to revenue resilience exist through data privacy practices, not in spite of them. A 2026 Harvard Business Review study found that brands with strong privacy practices saw 12.3% higher purchase intent and $869 million more in shareholder value on average. McKinsey’s landmark digital trust research revealed that companies prioritizing data privacy, AI ethics and cybersecurity are 1.6 times more likely to experience revenue and profit growth rates of 10% or more. What this shows us is that, compared to peers who invest in data protection for the sake of compliance only, those who make respect for data privacy part of their brand’s standards exceed. Protecting people makes them trust you, and they’ll open their wallets as a result.
Public demand for privacy is not going away. In 2021 – with no law forcing it – Apple required app developers to ask permission before tracking users across their phones. Given the choice, 84% of people said no. Businesses that never planned for the possibility of having to ask for consumer consent felt the impact immediately. We can treat that as punishment, or we can take it as prescient
It costs us to fight the groundswell of evidence that tells us protecting each other pays. The cost is not just in revenue, but in the impact we’re having on real, human lives. That includes our own
Elyse Wallnut is the founder of Agility Lab Consulting, and has advised organizations navigating data privacy legislation across the United States and international jurisdictions
