The recent activation of the EU’s General Data Protection Regulation (GDPR) represented a seismic shift in data handling for businesses. The global tech industry is seeing a future in which GDPR-style regulation, which includes stringent requirements for end-to-end handling of customer personal data and considerable fines for even small violations, will be widely adopted by regional and national governments.
Silicon Valley is more keenly aware of this than anyone outside of the EU. Passed in June of 2018, the California Consumer Privacy Act (CCPA) bears similarities to the GDPR and will become fully active on the first day of 2020. Though not quite as stringent overall as the GDPR, the CCPA gives state residents similar rights to know what data companies have collected about them and to require that companies fully remove this data from circulation upon request.
This apparent trend toward heavy government regulation of personal data collection has tech industry titans discussing support for a federal privacy law for the first time. While tech companies by and large view such regulation as onerous and a limitation on their ability to do business, there is a sense of inevitability in the industry. If such legislation is inevitable, then tech companies feel their best play is to get out in front of it with their own industry-supported legislation that contains terms that are as friendly to them as possible.
Trade groups including the Internet Association, The Software Alliance and Information Technology Industry Council are already pushing for voluntary standards to avoid data protection laws similar to the California law. The fear is that actions from Congress and the White House may have huge implications for the business model of the digital economy.
The sudden support for a federal privacy law
At the very least, many in the tech industry feel that a patchwork of state laws similar to the CCPA would be far more troublesome and expensive to comply with than one unified set of federal privacy regulations. In a set of privacy principles published recently, the U.S. Chamber of Commerce recommends that “Congress should adopt a federal privacy framework that preempts state law on matters concerning data privacy in order to provide certainty and consistency to consumers and businesses alike.”
Some tech industry companies have additional concerns about legal liability. Leaks and hacks are far from uncommon, and sometimes expose the personal data of millions of customers when they occur. That not only represents a tremendous amount of potential fines, but also further susceptibility to massive class-action lawsuits that could prove ruinous to a company.
These tech companies aim to get a federal privacy law passed that is softer in these areas. Saying that “tech companies” are universally supporting federal legislation is painting with too broad a brush, however; the interest mostly stems from social media companies and those that make their money primarily from advertising. Companies that deal primarily in hardware or in business-to-business services have less reason to seek pre-emptive federal regulation.
Tech industry vs. consumer watchdogs
Though no specific legislation is on the table, consumer rights groups are already taking up positions against a tech-sponsored federal privacy law campaign.
Critics are already sounding alarms that tech-sponsored legislation is about protecting the tech industry under the veneer of consumer privacy and safety. The Electronic Frontier Foundation has already taken a public stand against tech company involvement in crafting a federal privacy law, arguing that their efforts are an attempt to “neuter” California’s relatively strong protections and prevent any more states from adopting similar laws.
There is legitimate reason for concern. A September 26 Senate hearing on consumer data privacy was widely panned for including the biggest names in tech, but not one representative from consumer privacy organizations. These groups argue that allowing tech companies to be the only voices in the room is tantamount to self-regulation.
Additionally, Congress has a permissive record to date on consumer data privacy matters. Skepticism among the general public has been raised by issues such as its handling of the massive Equifax data breach of 2017, for which the company saw no real punishment or negative consequences. Concerns have also been raised that Equifax may actually be profiting from the data breach via sale of optional credit protection services.