The type and amount of data that technology companies can collect about their users – and how it can be used – is governed by a patchwork of state laws and sector-specific regulation in the United States. As states like Massachusetts move to tighten protections around abortion access and limit federal immigration enforcement actions locally, debates over data privacy are spilling into those conversations.

“These huge tech companies can sell us shoes or a nice jumpsuit or whatever,” said Kade Crockford, director of technology and justice programs at the ACLU of Massachusetts. “They can also sell us fascism.”

Crockford joined CommonWealth Beacon reporter Jennifer Smith on The Codcast to discuss the national debate over data privacy and where Massachusetts fits in.

While states like California have carved out extensive regulations around personal data over the past decade, there is no national data privacy law. Efforts on the national level, like the American Data Privacy and Protection Act first introduced in 2022, have stalled in part because of concerns that a federal set of standards could preempt the stronger state standards.

The Massachusetts Senate passed a suite of data privacy reforms – the Massachusetts Data Privacy Act – in October 2025. Lawmakers said the bill would give the Bay State “among the strongest data privacy laws in the country” by creating new rules around informing customers about what data is collected and shared, limiting companies to collecting only the data “reasonably necessary” to provide the service, and banning the sale of sensitive personal data and children’s data. It would also give the attorney general the right to sue to enforce the law.

Lawmakers in the House are working on their version of the bill. At a time when federal immigration enforcement officials are increasingly using personal data to inform their work, Crockford said the trade-off of allowing unlimited data collection is rooted in a false promise.

“I think we have been sold a bill of goods by very wealthy, influential people in Silicon Valley for about 15 years now, that essentially says, ‘You like the internet? You like digital devices? Well, a totalitarian surveillance state is the only way that you can have those things,’” Crockford said.

The pitch from tech companies was that the reams of data collected would be used to improve the product and sell and deliver relevant ads online, Crockford said.

But there is a difference between necessary and unnecessary data collection, Crockford said. A period-tracking app, for instance, can offer users a prediction of their menstrual cycles.

“That’s super useful,” Crockford said, “but it doesn’t need your location data.” The proposed data minimization rule applying to sensitive data would say “that company cannot collect your precise geolocation data, or your biometric data, for that matter, because it has nothing to do with the service that you’ve requested from that company.”

Crockford said the concept “takes a while to explain, and it’s not a very sexy concept, but once people hear and understand what data minimization actually means, I think it makes a lot of sense to most consumers.”

During the episode, Crockford lays out the types of data that can be collected and sold (2:30), bipartisan efforts to regulate data collection (10:00), and what advocates want to see from lawmakers in the Bay State (15:45).