A Red Herring on Privacy

Big Tech Wants a Federal Law That Sinks State Protections

By Griet Van Acker

Big tech companies are in hot water over their handling of users’ personal information.

More than 91 percent of Americans “agree” or “strongly agree” that people have lost control over how personal information is collected by and used by companies.

State legislators have started stepping in and passing laws to protect their constituents from harm. Major privacy legislation is gaining speed in many states, with California’s landmark Consumer Privacy Act among the many online privacy and disclosure laws states already have passed.

Over the past year, Facebook, Google, Amazon, Microsoft and other tech titans have started to aggressively lobby the Trump administration to develop a federal privacy framework, but their newfound enthusiasm for privacy legislation and regulation is a red herring.

Their support for a federal law is actually an attempt to “hit delete on all state data protection laws,” as Federal Trade Commissioner Rohit Chopra put it.

The whole reason tech companies want a federal law is to sink existing state protections and block states from putting in place additional safeguards in the future. Watering down and drowning out state-level privacy protections appears to be their top priority.

The tech companies are working alongside at least three major business associations, including the U.S. Chamber of Commerce, the Internet Association and the Information Technology Industry Council (ITIC) that, “are planning to push for voluntary standards instead of legal mandates that carry steep penalties for violations.” The Chamber of Commerce, the nation’s top spender on lobbying, issued a statement of principles urging Congress to “adopt a federal privacy framework that preempts state law.”

Preemption is the technical, policymaking term for federal law that overrides state law.

Facebook’s lead lobbyist Joel Kaplan spoke at a May 2018 ITIC board meeting where he warned that California’s privacy law posed a threat to the industry and urged members to make the issue of privacy a priority. According to reports, companies attending the meeting agreed to back federal legislation that would, “overrule the California law and instead put into place a kinder set of rules that would give the companies wide leeway over how personal digital information was handled.”

If you think something smells fishy about all this, you’re right. Pushing for preemption at such an early stage is “a not very subtle way to force deregulation at the state level,” Gaurav Laroia, policy counsel at Free Press, told The Hill.

At a congressional hearing on consumer privacy in September 2018, the biggest names in big tech were invited to testify, but not one representative from consumer privacy organizations got a seat at the table. Representatives from Amazon, Apple, AT&T, Charter, Google and Twitter testified, repeatedly “urging lawmakers to preempt the states.” Google tried muddying the waters by warning that “inconsistent” or “conflicting” rules could lead to a “balkanization of services,” and AT&T openly demanded a “federal preemptive framework” to override European and Californian rules.

Here’s how USA Today covered the same hearing:

“Major companies including Amazon, AT&T, Apple and Google are lobbying Congress to craft legislation that would preempt a first-of-its-kind California privacy law that grants sweeping online protections to consumers.

“Senior executives from these companies, plus Twitter and Charter Communications, offered a show of industry support for a federal privacy bill with weaker consumer protections during a Senate hearing Wednesday.

“Such a bill would block states like California from enacting stronger privacy protections. The executives argued that a patchwork of different state laws would make it tough for companies to operate and would threaten innovation. The takeaway from news outlet Axios: ‘Tech companies want privacy rules, but on their own terms.’”

“It’s clear that the strategy here is to neuter California for something much weaker on the federal level. The companies are afraid of California because it sets the bar for other states,” said Ernesto Falcon, legislative counsel at the Electronic Frontier Foundation, a digital rights group.

“Without knowing what substantive privacy protections they will support, it’s very possible a federal privacy law could actually move us backward,” advised Michelle Richardson, Director of the Data and Privacy Project at the Center for Democracy & Technology. “If you put a low standard in and prevent states from doing better, it’s actually a step back from where we are now.”

“Tech industry and Republicans say preemption is necessary to avoid a patchwork of state rules that companies must comply with,” The Hill reported. But don’t be fooled – their statements don’t hold water. As Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union, aptly warned in a Washington Post op-ed:

“This seeming willingness to subject themselves to federal regulation is, in fact, an effort to enlist the Trump administration and Congress in companies’ efforts to weaken state-level consumer privacy protections.

“It has often been state legislatures — not Congress — that have led efforts to protect consumer privacy. California was the first in the nation to require that companies notify consumers of a data breach (other states have since followed suit), the first to mandate that companies disclose through a conspicuous privacy policy the types of information they collect and share with third parties, and among the first to recognize data privacy rights for children. Illinois set important limits on the commercial collection and storage of biometric information, such as fingerprints and face prints. Idaho, West Virginia, Oklahoma and other states have passed laws to protect student privacy.

“The private sector knows this, and many companies are looking to put a stop to it. […]

“Federal legislation should act as a floor, not a ceiling, for privacy interests. We should be highly skeptical of any proposal that would wipe out existing privacy laws that protect consumers or foreclose states from acting to address future privacy threats. Such pre-emption from Congress would be a win for business interests at the expense of the public.”

A report from the Electronic Frontier Foundation echoed her point:

“The only reason many of these companies seek congressional intervention now, after years of opposing privacy legislation both federally and at the states, is because state legislatures and attorney generals have acted more aggressively to protect the privacy interest of their states’ residents, in many cases over their objections.”

And they might just get their way.

Washington is drowning in tech money. Facebook spent $12 million lobbying in 2018, more than in any previous year. And Google, perennially among the top lobbying spenders in Washington, also broke a new record last year, spending more than $21 million. Lobbying expenses by internet companies climbed to a total of more than $77 million last year, up from around $19 million in 2010, according to data from the Center for Responsive Politics.

Making matters worse, Big Tech companies aren’t shy about swimming alongside key lawmakers. The Hill revealed that AT&T’s political action committee joined forces with telecomm industry trade association USTelecom to host a fundraiser for the U.S. Senate Commerce Committee Chairman U.S. Sen. Roger Whicker (R-Miss.) only a week before the September tech privacy hearing took place.

In pushing to preempt state laws, big tech companies are looking out for their own profits, not the public. And if the tech companies win, the public will find itself in deep water – with nowhere to turn when tech innovation inevitably outpaces federal regulation.

The last thing Americans need right now is an empty federal law that sinks state protections.

###

For press inquiries, please contact David Rosen, drosen@citizen.org, (202) 588-7742.