New laws in Europe and California are forcing tech companies to protect users’ privacy or risk big fines.
Now, the industry is fearing that more states will enact tough restrictions. So it’s moving to craft federal legislation that would pre-empt state laws and might put the Federal Trade Commission in charge of enforcement.
Europe enacted a tough law in May which requires, among other things, that companies make data breaches public within 72 hours of discovering them.
That’s why Facebook had to promptly announce last month that its systems had been hacked and at least 50 million user accounts were compromised.
In June, California passed legislation that — if it is enacted as written — would go even farther, allowing users to sue for damages for exactly the kind of data breach Facebook suffered.
“They don’t want to entertain the possibility that they would liable to individuals for doing some sort of harm from all the data that they collect,” says Ernesto Falcon, legislative counsel at the Electronic Frontier Foundation, a digital advocacy group.
Companies are weighing in now because regulation is coming from all fronts and they’re trying to control it, he says.
Early this summer, a who’s who in tech attended a high-level, private meeting in San Francisco organized by the Information Technology Industry Council, a trade association for Silicon Valley companies.
According to two people with knowledge of the meeting, it was there that Facebook’s top lobbyist, Joel Kaplan, warned that an impending California privacy law posed a threat to everyone in the room. If the California law spread to other states, Kaplan said, it would present an even bigger problem than privacy provisions in Europe’s new General Data Protection Regulation, or GDPR.
“Just this year, [you have] a data broker law from Vermont, in addition to Europe and California,” said the EFF’s Falcon. “And then dating back even further, the state of Illinois has a biometric law that Facebook has opposed and has been trying to amend. So they are seeing a trend.”
That may explain why, soon after that San Francisco meeting, an industrywide effort emerged to not just get behind federal privacy legislation, but to actually write it.
While there’s no formal legislative language yet, the working drafts so far include two must-have provisions for tech companies, according to two people familiar with the process. The companies want a pre-emption clause to ensure federal law trumps any state privacy laws. And they want to put the Federal Trade Commission in charge of enforcing digital privacy laws.
Pre-empting state laws would allow the industry to avoid a patchwork of rules in different states. And tech companies would also get to work with a watchdog they know.
Critics add that the FTC isn’t particularly aggressive.
“The FTC doesn’t have authority to make [new] privacy rules right now,” says Ariel Fox Johnson, policy counsel for Common Sense Media, an advocacy group. “I don’t know what the FTC can do besides put out guides or try to go after people for violating statements that they’ve made in their privacy policies.”
That’s what happened back in 2011. The FTC accused Facebook of not living up to its own privacy policies when it shared information it had told users would remain private. The FTC warned Facebook and the company, without admitting to wrongdoing, promised not to do it again.
Fast-forward seven years to the Cambridge Analytica scandal, when it was discovered that private information of some 87 million Facebook users was shared with the political data firm.
That breach led to congressional hearings — as well as much of the pressure Facebook faces now. (The FTC is still determining whether the Cambridge Analytica debacle means Facebook violated the earlier agreement.)
Late last month, officials from Apple, Amazon, AT&T and Twitter testified before the Senate Commerce Committee about lawmakers’ privacy concerns and came out publicly in support of a new federal privacy law.
Previously, tech companies had opposed that kind of regulation, but experts say that some kind of federal data privacy law is inevitable.
It isn’t just Congress getting the industry’s attention. Tech executives are also working the other end of Pennsylvania Avenue. Google CEO Sundar Pichai, for example, was at the White House recently.
“We had a great meeting — great meeting. I admire him, respect him,” President Trump’s chief economic adviser Larry Kudlow told reporters. Kudlow announced that tech executives would be back for a meeting with Trump later this month.
A reporter asked if the invitees would include big tech players like Facebook, Google and Twitter. Kudlow nodded and said, “That is our hope.”