The Monopoly Report – Episode 61

State Privacy Law from the POV of Civil Society w/ Travis Hall of CDT

Host: Alan Chapell
Guest: Dr. Travis Hall, State Director, Center for Democracy and Technology (CDT)
Date: January 14, 2026

Episode Overview

In this episode, Alan Chapell sits down with Dr. Travis Hall, the inaugural State Director at the Center for Democracy and Technology (CDT), to explore state privacy laws through the lens of civil society and user advocacy. They discuss the evolution and role of advocacy groups, challenges in quantifying consumer privacy expectations, data minimization as a central tenet of privacy, enforcement mechanisms, and points of possible agreement between industry and advocates on targeted advertising.

Key Discussion Points & Insights

1. What is the Center for Democracy and Technology (CDT)?

(04:31–07:22)

• CDT’s Origins & Focus:
  • CDT is a 30-year-old organization dedicated to user rights, emerging alongside the commercial internet.
  • Broader than EPIC (focused mainly on privacy), but significantly narrower than the ACLU (which tackles wider civil liberties).
  • CDT focuses on the suite of digital rights but avoids broader non-tech-related advocacy.
• Relationship with EFF:
  • CDT and the Electronic Frontier Foundation (EFF) were originally one organization, splitting over strategies: inside-the-beltway policy vs. outside litigation focus.
  • “EFF and CDT were born from that split. And we are now good friends... we kind of always have been rowing in the same direction.” (Travis Hall, 05:51)

2. CDT's Role and Approach at the State Level

(07:22–12:37)

• Travis’s Position:
  • Inaugural director for state engagement; covers the full CDT portfolio at the state legislative level.
  • CDT’s approach tends toward think-tank analysis but with advocacy based on research.
• Representation:
  • CDT advocates for users and their rights, providing technical expertise and nuance to lawmakers, counterbalancing well-resourced industry lobbying.
  • “We are representing users, which is constituents.” (Travis Hall, 10:38)

3. Consumer Expectations & Privacy Paradox

(12:37–15:48)

• Quantifying Expectations:
  • Reliance on polling, yet action rarely matches stated concern (“privacy paradox”):

    “...everybody says, oh yes, I really care about privacy. But... everybody clicks through the thing and doesn't read the privacy notice...” (Hall, 13:27)

• Rights vs. Expectations:
  • European laws focus more on rights violations and harms rather than on users’ expectations or consent.

4. Individual Choice vs. Structural Problems

(16:32–17:52)

• Data collection and defaults aren’t just a matter of individual responsibility—structural issues in platforms' architecture create persistent privacy risks.
• Analogy to food deserts:

  “It's a structural problem, and individual choices are not necessarily going to solve a lot of the structural problems.” (Hall, 16:32)

5. What Makes a Good State Privacy Law?

(17:52–22:03)

• Data Minimization:
  • “A strong law needs strong data minimization.”
  • Laws should require organizations to collect and use only information necessary for service or business—aiming to reduce incentives for maximal data gathering.
• Civil Rights Protections:
  • Focus on limiting discriminatory or biased data use, especially for marginalized communities.
• Enforcement:
  • Laws need robust enforcement—without it, even a well-written law “doesn’t mean anything.”

6. GDPR, Data Inventories, and Enforcement Practicalities

(22:03–26:27)

• Data Minimization Enforcement:
  • Difficult to audit/enforce (“almost a proctology exam”), but the GDPR helped push companies toward professionalization and improved data governance.
• Necessity of Regulatory Oversight:
  • Industry must be compelled to understand and document data they hold—GDPR-style requirements can benefit smaller companies by establishing clear rules and lowering barriers to entry compared to a ruleless or overcomplicated landscape.

7. State Enforcement and the Private Right of Action

(26:52–33:46)

• Who Enforces at the State Level?
  • State AGs (attorneys general) are main enforcers but are under-resourced and have competing priorities.
• Need for Adequate Resources:
  • “If you have like the one doctor for the entire state, then... there’s only a few patients that they're going to focus on and everybody else is kind of left sester.” (Hall, 29:25)
• Private Right of Action Debate:
  • Hall: Courts are the U.S. mechanism for regulatory change when enforcement is lacking.
  • Chapell: Laws like VPPA/SIPA show private rights of action often benefit no one but lawyers; reforms needed before expanding.

8. Measures of 'Enough' Enforcement

(34:26–36:23)

• Hall notes indicators like visible enforcement and changed corporate behavior.
• The desired incentive structure should be one where penalties for violations outweigh the commercial benefits of non-compliance.

9. Finding Common Ground – Improving Privacy in Targeted Advertising

(37:08–44:32)

• Three Areas for Improvement:
  1. Identifiability:
     • Rigorous deidentification and pseudonymity; reducing risk of reidentification to HIPAA/industry standards.
  2. Purpose Limitation/Data Minimization:
     • Only collect data needed for the transaction, not for speculative or all-encompassing marketing.
  3. Harm Minimization:
     • Avoid collecting data around sensitive contexts (e.g., abortion clinics, religious centers) and minimizing possibilities for government misuse or discriminatory retaliation.

  “Are you actually just collecting the stuff that you need and actually deleting the rest?” (Hall, 38:52)

• Societal Tension:
  • Recognizes a real tension between the economic utility of targeted ads and the externalities of mass data collection.
  • “[Targeted advertising is]... a little bit the original sin of how and why all this information is being collected.” (Hall, 41:15)
• Chapell: Industry has been too dismissive of advocacy concerns in the past, but recent events validate many of those warnings.

Notable Quotes & Memorable Moments

• On Regulatory “Origin Stories”:

  “EFF and CDT were born from that split. And we are now good friends. ...rowing in the same direction.” — Travis Hall (05:51)

• On Civil Society Advocacy:

  “We are representing users, which is constituents.” — Travis Hall (10:38)

• On Data Minimization as a Law’s Backbone:

  “A strong law needs strong data minimization... [to] only collect and use the information that they actually need to provide a service.” — Travis Hall (18:39)

• On Enforcement Resources:

  “If you have like the one doctor for the entire state... there’s only a few patients that they're going to focus on and everybody else is kind of left sester.” — Travis Hall (29:25)

• On the Purposes of Targeted Advertising:

  “[It’s] the original sin of how and why all this information is being collected.” — Travis Hall (41:15)

• Industry/Advocacy Crossover:

  “... the CDT was the advocacy organization that you go to as the industry and have frank discussions. ...engaging in that kind of process... is an absolute gift.” — Alan Chapell (45:08)

Key Timestamps

• 04:31–07:22 – Origins and mission of CDT, comparison with other advocacy orgs.
• 07:22–12:37 – CDT’s role at the state legislative level and approach to policymaker engagement.
• 12:37–15:48 – How civil society quantifies consumer expectations and the privacy paradox.
• 16:32–17:52 – Structural vs. individual solutions to privacy.
• 17:52–22:03 – Traits of a good state privacy law: data minimization, civil rights, enforcement.
• 22:03–26:27 – Enforcement: challenges and lessons from GDPR.
• 26:52–33:46 – State enforcement, AG resources, and debate over private right of action.
• 37:08–44:32 – Paths to improve privacy in targeted advertising.
• 44:46–45:51 – Resources and future of advocacy-industry collaboration.

Conclusion

This episode offers a rare, frank lens into how civil society organizations like CDT see the evolving patchwork of state privacy laws, their hopes for meaningful—and enforceable—regulation, and the opportunities for industry and advocacy groups to work toward better privacy outcomes. Travis Hall emphasizes the importance of strong data minimization, the need for real enforcement capacity, and the possibility for industry and advocacy to bridge divides, particularly on “pseudonymous” targeted advertising, as long as meaningful technical and policy limitations are put in place.

For more information on the CDT: cdt.org
Contact Travis Hall: Find on CDT website, LinkedIn, and Bluesky