US privacy law is on the horizon. Here's how tech companies want to shape it

If you can't beat 'em, influence 'em.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
6 min read

Lawmakers want to draw the road map for privacy legislation for decades to come, and Silicon Valley is giving them some directions.

The US Senate Committee on Commerce, Science and Transportation is holding a hearing Wednesday to look at how lawmakers can protect consumer privacy. 

Statue of Liberty as if made from a computer motherboard.

Thanks, Clippy.

James Martin/CNET

In opening statements from representatives of AT&T , Amazon , Google , Twitter , Apple and Charter Communications, the tech companies plan to tell lawmakers how they collect data and how regulations should play out.

A key part of the opening statements is calling for lawmakers to pre-empt state privacy laws, creating a federal bill that would overwrite any actions taken by state lawmakers.

The companies are expected to explain their approaches to privacy and help Congress craft a federal privacy law "without hurting innovation," Sen. John Thune, the committee's chairman and a Republican from South Dakota, said in a statement.

Privacy advocates are concerned, however, that the tech giants will use their influence to sway legislation in their favor.

"In the past, they've spent a lot of effort in pushing back on legislation," said Ernesto Falcon, legislative counsel for digital rights group the Electronic Frontier Foundation. "We should all be very suspicious of the fact that now they endorse legislation, so long as it prevents state laws."

Tech companies fought against California's data privacy law, which passed in June. The Internet Association, a lobbying group that represents companies like Facebook , Google, Uber, Amazon and Microsoft , disagreed with the legislation, considered the country's toughest when it comes to privacy.

Lawmakers in the European Union also struck a blow against tech companies, passing the General Data Protection Regulation, which went into effect in May and which gives consumers better control over their personal data.  

For decades, technology companies have been able to self-regulate how they manage your privacy online. That's meant millions of people agreeing to hand over personal data to tech giants without really being aware of how much information they're giving up.

That freedom let companies like Google and Facebook build empires on personalized advertising, where data tracking is key.

"For companies like Facebook and Google, it is the holy grail of how they maximize their profits," Falcon said. "It only gets more valuable the more they know about you. And the only way you curtail that practice is law."

Public concerns over privacy issues have prompted lawmakers to revisit their relationship with tech companies.

A 2014 study from the Pew Research Center found that more than 90 percent of US adults believe they've lost control of their own data to tech companies. And issues like Facebook's Cambridge Analytica data scandal hit home for millions of people.

At a hearing in early September, Sen. Mark Warner, a Democrat from Virginia, told Facebook COO Sheryl Sandberg and Twitter CEO Jack Dorsey that the "era of the wild west in social media is coming to an end."

Current state of affairs

Tech companies couldn't get their way on state privacy laws like those in California, Illinois and Vermont, so the push has now gone to a federal bill that would essentially invalidate local legislation.

The Internet Association, the US Chamber of Commerce (the country's largest lobbying organization) and the Interactive Advertising Bureau have all said that any federal privacy law should pre-empt state law.

They've characterized differing state laws on privacy as a confusing burden for businesses, arguing that they'd be too troublesome to keep up with. In a letter to the Committee on Commerce, Science and Transportation, the IAB called out California's law and the GDPR, saying such legislation will cause a "patchwork of varying state laws and consumer confusion."

In July, the Chamber of Commerce said the potential scenario would "pose a nightmare for businesses."

"There is an increasing risk that we will end up with a patchwork quilt of inconsistent privacy regulations at the federal and state level, which will only serve to confuse consumers and stifle innovation," Leonard Cali, AT&T's senior vice president of global public policy, said in his opening statement.

But advocates warn that closing out states from writing their own laws only hurts personal privacy in the long run.

"If states won't be able to take additional actions, or their current laws no longer have force, you're going to have a situation where you foreclose future legislation that responds to new and emerging threats," said Neema Singh Guliani, legislative counsel for the American Civil Liberties Union. "When we look at consumer privacy, there's many cases where states are the ones to act first."

She pointed to Vermont's breach notification law in response to the notorious incident at credit company Equifax . That legislation passed in May, about eight months after the company announced it had been hacked. In comparison, a congressional bill prompted by the Equifax breach was proposed in January but still hasn't gained any traction.  

Advocates also disagreed with the "patchwork" argument, pointing out that under current laws -- the system tech companies are calling a nightmare -- businesses often just adhere to the strictest policy available and apply it nationwide.

"Equifax had informed all of us because of California's breach notification law, even though they only had to legally inform California," Falcon said.

The GDPR was supposed to apply only to EU residents, but the rules and penalties were strict enough that it pushed tech companies to apply the regulations across the board.

None of the proposed frameworks from tech companies have listed any potential penalties for violating their own standards, or who should enforce the rules.

Those are important missing elements, advocates argue.

"It's all good to have privacy standards," the ACLU's Guliani said, "but we need to have enforcement. We need to have consequences when they don't follow those standards."

Spot the differences

Thune wants legislation and is looking at Wednesday's hearing as a guide to how Congress should approach it. Sen. Ron Wyden, a Democrat from Oregon, is also drafting his own consumer data privacy bill, though it's unclear how much influence Silicon Valley's giants will have on it.

Google laid out its data privacy framework on Monday, and said it looks forward to working with policymakers on future regulation. During congressional hearings earlier this year, Facebook CEO Mark Zuckerberg told lawmakers he'd welcome regulation, if it were the "right regulation." A Twitter spokesman said the company is "an active and committed participant" in conversations with lawmakers over federal privacy legislation.

An AT&T spokesman, meanwhile, said the networking company has "long supported federal legislation for consumer privacy," pushing for a single set of protections rather than multiple state laws. Charter Communications echoed the sentiment, calling for "uniform federal privacy protections," including opt-in consent for personal information collection. 

"The internet industry commits to working with Congress to develop a national approach to privacy that provides people with transparency and trust," an Internet Association spokeswoman said in a statement, "while still allowing companies to innovate and develop products people love."

Amazon didn't respond to a request for comment.

Much of the language laid out in federal frameworks calls for responsibility and transparency, where people know exactly what data tech companies are harvesting from them. But just knowing what data companies are taking isn't enough to protect your privacy, advocates say.

Instead, privacy advocates are pushing for legislation to include opt-in consent, where you have to agree before companies can use your data.

"They just want to tell you what they're doing, not that you have a right in how things go," Falcon said.  

Federal legislation on privacy is still in its early stages, but the behind-the-scenes battle to shape it has been brewing for a while. Subtle differences like opt-in consent and stances on state law have long-term implications.

"What we don't want to end up with is privacy legislation that is weak," Guliani said. "The worry is that if consumers aren't an essential part of this conversation, and if we're only looking to industry voices, that's what we could end up with."

Originally published on Sept. 26 at 5:00 a.m. PT.
Updated at 6:00 a.m. PT: To include details from tech companies' opening statements.

The Honeymoon Is Over: Everything you need to know about why tech is under Washington's microscope.

Cambridge Analytica: Everything you need to know about Facebook's data mining scandal.