2019 is shaping up to be the year that the United States finally gets federal privacy legislation that provides data protections for all citizens. The only question, though, is just how stringent and rigorous this new federal privacy legislation is going to be. On one hand, you have privacy advocates pushing for privacy regulations that follow the letter and spirit of the European General Data Protection Regulation (GDPR). On the other hand, you have big tech companies pushing for watered-down privacy legislation that would largely permit them to continue doing business as usual.
Will 2019 be the big year for privacy regulations?
The general consensus is that 2018 was a pivotal year for thinking about privacy regulations. It set up a framework for thinking about how big tech companies like Facebook, Apple, Amazon and Google should be regulated. Until 2018, the approach had largely been a hands-off one, with regulators and politicians talking tough, but largely backing away from any major fines or enforcement actions, even when firms collecting data committed particularly egregious offenses against personal data privacy.
In March 2018, however, Facebook CEO Mark Zuckerberg was called to testify in front of both the House and Senate about the Cambridge Analytica scandal. Just months later, the European Union officially enacted the GDPR. And California passed the very rigorous Consumer Privacy Act (CCPA), set to go into effect on January 1, 2020. This legislation was the first of its kind in the nation, and a clear signal that states were going to take a much more proactive stance on protecting personal data and punishing companies for any data breach impacting their citizens if the federal government was not.
During the second half of 2018, big tech and social media companies clearly saw the writing on the wall. Data privacy laws were coming, one way or another. States were lining up to follow the example of California. Politicians on both sides of the aisle were publicly commenting on the need for beefed-up privacy regulations. And privacy advocates (such as the Electronic Frontier Foundation) were emboldened by the passage of the GDPR and the sudden willingness by big tech companies to at least talk about data privacy laws. Previously, big tech companies like Facebook shrugged off any mention of state privacy laws and federal privacy regulations. They knew that most tough talk eventually led nowhere, and that if they simply waited things out, there would be no fines, no penalties and no privacy regulations at the federal level.
Big tech companies begin framing the debate over privacy regulations
What is especially notable, of course, is the newfound willingness by big tech giants in Silicon Valley to talk about privacy regulations. In fact, big tech companies like Apple, Amazon and Microsoft are now publicly pushing for federal legislation. Everyone seems to agree that more needs to be done to protect the consumer. For that reason, both Amazon and Microsoft have spoken out publicly about the need for better control over facial recognition technologies. Apple CEO Tim Cook spoke out very boldly about the need to regulate data brokers, and to clean up the whole “shadow economy” of companies that make their money by buying, selling and trading personal data.
To date, certain frameworks for privacy regulations have been proposed. For example, the Internet Association trade group (which represents Amazon, Facebook, Google and Twitter) has outlined its view of the privacy future in America. The U.S. Chamber of Commerce has advanced its own (pro-business) view of privacy regulations. And Intel has even gone so far as to roll out its own draft legislation, complete with public calls for people to comment on this legislation.
The hidden agenda of big tech companies
So what’s going on here? Are we really to believe that the world’s big tech companies have suddenly turned into benevolent giants, putting the needs and rights of consumers ahead of their own priority to make as much money as possible?
One viewpoint suggests that these big tech giants are working so hard on new privacy regulations that cover consumer data because they are doing everything in their power to supersede, preempt and mitigate the impact of the new California Consumer Privacy Act (CCPA). From their perspective, this new state legislation – set to go into effect in less than a year – represents a real threat to their business. It would be far better, the thinking goes, to get a watered-down federal bill that would permit them much greater leeway and freedom in how they process personal data, what type of consent they must obtain, and what type of federal law enforcement action might be taken against them.
In many ways, this viewpoint suggests that Big Tech is turning into Big Pharma. In other words, they are becoming huge oligopolies and, in order to protect their profit potential, have enlisted armies of lobbyists in Washington, D.C. to protect their economic interests.
And, indeed, there is reason to suspect that these tech companies now view federal privacy regulations as a way to construct barriers and moats around their core business. If compliance with federal privacy regulations is costly enough, smaller upstart companies won’t be able to compete on a level playing field. And, indeed, they might not even get started, as entrepreneurs give up on meeting costly GDPR-like compliance requirements. According to some estimates, the Fortune Global 500 spent as much as $7.8 billion on compliance ahead of the launch of the GDPR, and so it’s only natural to assume that it might cost billions of dollars more to comply with any new U.S. federal privacy law.
The uncertain political context in the United States
While there is bipartisan support amongst both Republicans and Democrats for privacy regulations, there is less certainty about who would actually be leading these efforts in Washington. After the midterm elections in 2018, the Republicans no longer control the House and the two parties are engaged in an epic showdown about how to run the country that resulted in a massive government shutdown. Amidst all this uncertainty, one option might just be to punt the matter over to the Federal Trade Commission, and let this agency take over any efforts related to enforcing federal privacy legislation. One thing is certain, though: the California law already on the books has created a very clear timetable for when the big tech companies need to get a final compromise measure passed.