Fearing Patchwork Privacy Laws, Tech Industry Calls for Federal Regulation

April 22, 2019

By Spencer Feingold

Still reeling from a recent series of devastating consumer data breaches, an unlikely consortium of tech companies is pushing for a uniform federal privacy law to address the growing “techlash” and preempt potentially more onerous regulations or a patchwork of state-by-state rules.

As some states and foreign governments try to implement new limits on what information tech companies can collect and share, once regulation-wary executives are asking for an overarching law — one that they can help write.

“There is a strong willingness to work with the government to determine what is doable and what is feasible,” Kristina Bergman, the founder and CEO of the data privacy firm Integris Software, told Cheddar.

Her firm released a survey this month that found 80 percent of U.S. companies that handle consumer data favor a federal law that would supersede sporadic state regulations. The researchers surveyed over 250 businesses, all with over 500 employees and $25 million or more in revenue across varying industries.

Major corporations, such as Twitter and Google, have publicly expressed their eagerness to collaborate with federal lawmakers. And in a recent op-ed in The Washington Post, Facebook CEO Mark Zuckerberg called for “a more active role for governments and regulators,” outlining four specific areas where lawmakers can have the most impact: harmful content, election integrity, privacy, and data portability.

“Public sentiment has changed. Consumers are no longer comfortable exchanging their data for goods and services,” Bergman said, citing high-profile breaches of consumer data like the Equifax hack in 2017 and the harvesting of Facebook user data by Cambridge Analytica as far back as 2014.

Due to a combination of public pressure and federal inaction, several states have already introduced statewide privacy legislation.

The most prominent state effort is the 2018 California Consumer Privacy Act (CCPA), which was modelled in part after the European Union’s General Data Protection Regulation (GDPR), and is set to be the strictest data privacy law in the country when it goes into effect in 2020.

Like Europe’s strict data privacy requirements, which went into effect last year, the CCPA limits the amount of data companies can collect, and gives consumers the right to request that their data be deleted — known as the “right to be forgotten” in Europe. The two regulatory regimes differ, however, in the scope of their jurisdiction and in how they determine what constitutes sensitive and personal data.

Following California's lead, at least 30 states have introduced privacy bills, and many businesses are worried they’ll have to abide by different, maybe even conflicting, standards in each state where they have customers.

The potential for multiple layers of regulation has the tech sector united in its push for consistent federal policy.

“Legislation must provide meaningful privacy protections for consumers regardless of the state in which they live,” said Jason Oxman, the president and CEO of the Information Technology Industry Council, the self-described “global voice of the tech sector.”

With public pressure, industry support, and bipartisan willingness to act, experts said if there was ever a time to act, it’s now.

Several bills have been introduced in Congress, with Sen. Ed Markey, a Democrat from Massachusetts, introducing his Privacy Bill of Rights Act earlier this month. It requires companies to safeguard data, bans the collection of extraneous personal information, and gives the Federal Trade Commission — the “cop on the privacy beat” — greater enforcement mechanisms.

“America’s laws have failed to keep pace with the unprecedented use of consumers’ data and the consistent cadence of breaches and privacy invasions that plague our economy and society,” Markey said in a statement.

Other bills have been introduced in the House that go even further to ensure privacy online.

At the federal level, however, partisan entrenchment and policy differences will complicate, and possibly dilute, any proposed bill, experts say. (The CCPA was passed unanimously by the California state legislature.)

In January, Sen. Marco Rubio (R-Fla.) introduced a separate bill, the American Data Dissemination Act, that would strengthen data protection, but would also require the FTC to establish criteria for exemptions and take precautions not to stifle tech innovation.

Recognizing congressional realities — and a lack of expertise among politicians — several companies, such as the global technology giant Intel, have written their own bills for federal lawmakers to mimic.

Other groups, like the Internet Association (IA), which represents major companies like Amazon, Spotify, and Microsoft, published its own set of principles for a national regulatory framework to help inform lawmakers and provide industry insight.

“The law should cover all parts of the economy and eliminate a confusing patchwork of state laws to ensure Americans have consistent experiences across state lines and industries,” IA spokesperson Noah Theran told Cheddar.