Federalizing Privacy Rights: How Tech Giants Went From Protesting Privacy Laws to Supporting Them

By: Nayanthika Ramakrishnan

In an impassioned speech in Brussels this October, Tim Cook, the CEO of Apple, threw his weight behind a federal privacy law, denouncing the data collection practices engaged in by his fellow technological giants such as Google and Facebook. While it is not new for tech companies to push for stronger privacy laws, the renewed impetus for the movement comes from the European Union’s General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, and California’s Consumer Privacy Actwhich will go into effect on January 1, 2020. On the heels of California’s legislation, other states such as Georgia have also introduced similar bills. This patchwork of legislations across states with different levels of obligations has pushed the tech industries to petition Congress to enact a federal legislation. Earlier in November, Senator Ron Wyden (D–OR) introduced a federal privacy bill, but many news outlets report it as unlikely to be passed into lawWhile the tech companies’ interest may stem more from the desire to avoid compliance with 50 different laws on privacy, this post analyzes the public policy implications of a federal legislation on privacy for the complicated digital economy.

Present federal protections for privacy rights:

The current approach at the federal level in regulating the collection and use of private information is sector-specific, with no umbrella legislation that prevents or regulates how sensitive information is to be used. The only such umbrella legislation on privacy is the Privacy Act of 1974 which applies only to the collection, maintenance, use and dissemination of individual information by federal agencies. Paul Schwartz describes the sector-specific approach to privacy in the United States and explains that federal sector-specific legislations such as the Video Privacy Protection Act and the Wiretap Act merely establish “floors” upon which several states have enacted much more stringent regulations. Paul M. Schwartz, Preemption and Privacy,118 Yale L.J.902, 919 (2009). There is also a sprinkling of regulatory requirements imposed by agencies such as the Securities and Exchange Commission that require public companies to disclose material cybersecurity risks and incidents. Not only is there is no federal omnibus privacy legislation, neither is there a single enforcement authority; rather, enforcement is carried out by three actors: the Federal Trade Commission (FTC), state attorney generals who self-describe themselves as the “Internet’s police”, and class-action attorneys. By and large, however, enforcement of privacy laws at the federal level is toothless, based largely on a breach of the contractual policy of privacy that consumers agree to in click-wrap agreements, and pursued by the FTC if the activities are deceptive or unfair.

Need for a federal privacy law:

A person’s data is collected by companies such as Facebook, Amazon and Google every time he connects to the internet, runs an online search, buys products through e-commerce portals, or even communicates with his Alexa/Google Home device. All of these were being done by companies by including “notice and consent” clauses in extremely fine print in a lengthy agreement where consumers were given notice of such data collection and indicated their consent by clicking on an “I Agree” box. A study done by two researchers at Carnegie Mellon estimated that it would take a user almost 25 days of the year if they were to read every privacy policy on every website that they visit in a year. It was to impose checks on companies collecting such data that the GDPR was formulated, with requirements such as obtaining a clear indication of consent before data collection, communicating the basis of collection, retention and purpose of use of such data, and providing individuals access to the data about them that has been collected. Most of Big Tech did not welcome the GDPR’s requirements, finding them to be burdensome.Yet, these same companies are now pushing for a federal privacy law despite claiming self-regulation was a better solution in the past.

Most of the arguments in favor of a federal privacy law have come from within the industry itself, calling for a uniform law that sets one standard for the entire country as opposed to 50 different standards. This argument seems to be inspired by the reality that state-wide privacy laws are in the offing and will make matters complicated for Big Tech, and an effort to shape public debate by being a part of it. In response to the call for comments by the National Telecommunications & Information Administration (NTIA) on developing the Trump administration’s approach to privacy law, Amazon has called for a uniform federal law that will replace the “patchwork of different privacy obligations”, arguing that differing obligations will be expensive, time-consuming and divert resources that could otherwise be used in innovation. AT&T has framed the need for a federal law in terms of the difficulties to consumers in navigating differing and complicated state-specific legislations.

Privacy advocates, on the other hand, also welcome a federal law on the subject but have called for such standards to be a floor and not a ceiling, and strongly criticize the language of pre-emption of state laws that is adopted by technology industries. Privacy scholars, who submitted comments to the NTIA, explain that states have historically been “laboratories of experimentation” and have been willing to experiment with different approaches to regulate privacy.

Today, there is bipartisan support on the need for a federal privacy law, yet little consensus on what that law should look like. But popular opinion seems to suggest that Americans want more protections for their privacy, not less, and it is unclear whether a federal policy that preempts state requirements will accomplish this. While there is merit to the suggestion that having 50 different state laws and one federal law would only be burdensome and complicated for all actors involved, it is also important to ensure that a uniform federal policy sets the bar high enough so that it affords meaningful protection to internet users.