State Sen. Mike Bell recalls telling his son he planned to buy new duck hunting waders. The next time he logged on to Facebook, he started receiving ads about those very hunting accessories.
"That's a little spooky when that happens," Bell said in a recent meeting of a legislative committee studying data privacy and the potential for a state law to keep the public's information from being misused.
From the time he signed a contract with a social media company, Bell wants to know whether he agreed to eavesdropping and the ensuing avalanche of ads on Facebook for Bass Pro Shop.
Bell, a Riceville Republican, and Rep. Johnny Garrett, a Goodlettsville Republican, are looking closer at data privacy legislation after their initial foray earlier this year was steered into a study committee because of concerns by the business community.
Some of that resistance from business and technology groups remains because of fears about increased costs to deal with government regulation. The business community also has noted that Tennessee already has laws dealing with information security, which is different from data privacy.
(READ MORE: How to best maintain your online security)
Garrett and Bell, nevertheless, are concerned the agreements people sign with social media companies aren't transparent enough, making their personal information open for theft and enabling companies to snoop into their private lives.
"This is an area that is largely unregulated," Garrett told committee members recently.
While the answer in some cases could be as simple as turning off the microphone on a smartphone, the two Republican lawmakers believe the public needs a better view into the world of social media and information sharing by big business.
While critics of Facebook and Twitter have complained about enforcement of terms of service against former President Donald Trump, Garrett said his legislation isn't aimed at trying to control social media.
Garrett plans to push forward with legislation in 2022 designed to let Tennesseans know what companies are doing with their data when they sign a contract. That includes the processes for keeping it private, sharing it with third parties and whether they sell it, matters that aren't required to be disclosed, Garrett said.
"None of that is known to the consumer, and that troubles me that they don't know what's happening with their data as they interact with various companies on their mobile phone," Garrett said.
Melinda Claybaugh, privacy policy director for Facebook, now called Meta, told lawmakers the company doesn't sell information to advertisers. Instead, it lets companies advertise to people in certain categories, based on information they provide to Facebook, whether through their bios or other use of Facebook, which now owns applications such as Instagram and WhatsApp, an instant messaging system.
Claybaugh moved from a job with the U.S. Federal Trade Commission to Facebook when the feds were negotiating a $5 billion settlement for privacy violations, according to reports.
"At Meta, we've been very vocal about calling for stronger, consistent privacy rules for some time," Claybaugh said. "The unfortunate truth is that privacy laws have not kept pace with technology."
(READ MORE: October is National Cyber Security Awareness Month: Do your part and #BeCybersmart)
Personal data rights should be the starting point for any legislation, she said, in addition to the ability to delete and transfer information to another service.
Legislation should require all organizations that hold people's data to meet basic obligations for data handling such as internal privacy programs that cut risks, be clear about how they collect and use information and notify people when their data has been exposed in a breach, Claybaugh said. She added that enforcement should be done through the attorney general or a new regulatory agency instead of through a private right of action.
How it started
Garrett was sparked to action by his children and the ease with which they could interact with different internet platforms by using email addresses from school and the need to monitor the information that comes to his children, especially if they're using an email address that's easily identifiable.
That could enable companies to find out where young people go to school and how old they are. No consent is required for children to sign up for platforms, thus parents don't know what information is provided, he said.
"That lit a fire under me to say, what are people doing with the information, both from an adult perspective and then your children's perspective?'" Garrett said.
Bell said he agrees with some lawmakers that because of the interstate commerce clause and the involvement of national and international companies, the federal government should step in.
"But we'll see if we can come up with a solution that will be a Tennessee solution, that would help," said Bell, who represents areas including Bradley, McMinn and Meigs counties.
He noted he had one constituent who was suspended permanently by Facebook and couldn't get the company to respond with an explanation.
(READ MORE: Tips for digital security and cleanup)
With 75% of the American public using Facebook, Bell wonders, "at what point do they reach that level where, oh goodness, government's got to step in and regulate this. It's a tough question."
State Rep. John Ray Clemmons, though, pointed out lawmakers need to be wary of acting hypocritically.
"We also have to look in the mirror and look at what our political parties at the national and state level and our caucuses and some of our own campaigns do," said Clemmons, a Nashville Democrat.
For the most part, business groups want Congress to take action on data privacy because they don't want to be forced to respond to a "patchwork" of state laws. California and Illinois already have laws that business groups say are onerous and expensive to deal with, while they pointed out Virginia, Ohio and Colorado have laws that are easier to navigate and don't have private rights of action that can lead to legal action.
The Tennessee Business Roundtable, for instance, has said its main concern is that any new data privacy law should "first, do no harm" to the state's business climate.
"If our state government chooses to move forward into mandating new requirements in this area, we feel strongly that it should do so only in ways which do not create significant new costs and benefits and risk which burden our existing businesses or which would or could become barriers to new business investment in our state," Patrick Sheehy, president of the Tennessee Business Roundtable, told lawmakers during testimony.
Sheehy said many of the state's companies are spending heavily to comply with data privacy laws enacted by California, Virginia and Colorado. He contended a "single, fair, clear set of federal data privacy regulations" would work best.
Alex Curtis with the Greater Nashville Technology Council also told lawmakers that new threats of legal action "are always a concern for businesses," each coming with possible lawsuits from the state attorney general.
Curtis pointed out businesses such as restaurants that relied on social media ads to survive during the COVID-19 pandemic could be "on the hook" for new costs under this type of legislation.
"Data privacy laws would be best enforced at the national level," Curtis said during testimony.
Justin Owen of the Beacon Center, a free-market think tank, urged the panel to "tread softly when putting privacy restrictions on the private sector." He even raised the question of whether the state can regulate the internet.
Owen pointed out that while Facebook and Google might know people's shopping habits, they don't have Social Security numbers.
Read more at TennesseeLookout.com.