Having a federal instead of state law govern consumer data protection will benefit tech companies.
Image: Getty Images/iStockphoto
On Wednesday, representatives from some of the country’s biggest tech and communications companies appeared before Congress to testify on consumer privacy. The industry’s stance is clear: these tech companies support regulation, so long as it’s governed on the federal level, and so long as they have a say in the contents of the laws.
Executives from AT&T, Amazon, Google, Twitter, Apple, and Charter Communications provided testimony to the U.S. Senate Committee on Commerce, Science, and Technology in a hearing called Examining Safeguards for Consumer Data Privacy.
During his opening statement, Committee Chairman Senator John Thune (R-SD) said that the hearing was not intended to be combative, but rather an exploratory panel to learn about companies’ approach to the possibility of federal legislation. He also stressed that the committee would be holding similar hearings to discuss a potential consumer data protection law with advocates and businesses, not just companies.
“The question is no longer whether we need a law for consumer data privacy, the question is what shape these laws will take,” Rep. Thune said in his opening remarks.
The two biggest issues at play were questions of jurisdiction and enforcement. Other specifics discussed were whether privacy policies should be legally mandated as opt-in or opt-out, the ability to download data, withdraw consent for data collection, whether ad-based business models can truly protect customer’s information, how privacy policies translate to companies’ work overseas (particularly in China), and other issues.
It may come as a surprise to some that all of the companies represented are supportive of federal regulation. But the story is a little more complicated than the gung-ho approach may appear.
In recent months, Europe and California passed strong laws governing online privacy and data. Experts view these laws as some of the most stringent and comprehensive protections possible. And, particularly in California, many tech companies lobbied against the laws.
Some senators acknowledged that these recent laws were a part of the reason that the Congressional hearing was taking place. That’s because it may be in the tech industry’s interest to have a federal law, instead of multiple state laws. And not just a federal law — a law that “preempts,” or, trumps, any state laws.
Most of the tech companies support preemptive federal regulation because the California law — and potentially other laws down the line — are so strong (or, burdensome, as Google and AT&T characterized the GDPR). With a federal law, tech companies would have the opportunity to weigh in on the contents of the law, as the hearing demonstrated.
In noted contrast, Apple’s representative said that it supported preemption as long as that didn’t mean weaker laws, and that it “meets the bar of protecting consumers meaningfully.” Charter Communication’s representative echoed that sentiment; Charter Communications was also, surprisingly, the only tech company that fully supported opt-in, rather than opt-out, privacy and data agreements. Okay, Charter. We see you.
There is a good argument for governing online privacy at the federal rather than state level. Federal commerce laws address inter-state commerce, and online information and business flows between states. Many tech companies expressed concern about the “patchwork of laws” that state legislation could result in. But AT&T’s representative did not mince words about why a federal law would be beneficial when he said that, if state law prevailed over federal law, “Industry will be forced to comply with the most restrictive aspects of each state’s law.”
“Your holy grail is ‘preemption,’” Senator Brian Schatz (D-HI) said. “And we’re not going to replace a strong California law with a weaker federal one.”
The second biggest issue was enforcement. Multiple senators asked the tech companies whether they believed enforcement for consumer data protection should rest with the FTC. As well as whether the FTC’s power to enforce laws should be expanded. Currently, the FTC’s ability to levy fines relies on a complex order of operations, that involves tech companies agreeing that they have done something wrong, before the FTC can enforce anything. The tech companies’ reactions were mixed.
“Voluntary rules have proved insufficient to protect privacy,” Senator Richard Blumenthal (D-CT) said.
Overall the Congressional hearing reenforced the idea that the tech industry has resigned itself to the fact that privacy regulation is coming. And, that given that certainty, these companies would rather have a seat at the table and a say in the regulation, than oppose it outright.