For years, large tech companies have spent millions on lobbying in Washington to make sure that they escape tough regulation. And until recently, they have been successful.
But today is a new day—one where tech companies are actually asking for regulation. How did we get here? Trust in tech giants is at an all-time low. And practices that include collecting untold amounts of data, even when consumers think they have privacy (see: Google Data Collection research); selling data to nefarious players (see: Facebook and Cambridge Analytica); and losing their data to hackers (see: Facebook’s newest data breach of data from 50 million users) has focused the attention of lawmakers in the EU and United States.
While past Senate hearings have at times felt like introductory classes to social media, with tech representatives slowly explaining how their platforms work, last week’s hearings on consumer privacy took on a different tone. “The question is no longer do we need a law for consumer privacy; the question is what shape these laws will take,” Committee Chairman Senator John Thune (R-SD) said in his opening remarks.
Now, the tech industry has come to realize it can’t escape regulation, and Facebook’s data breach has only heightened the stakes. But the question is how you make everyone happy with new regulation, with tech companies chafing at California’s strict new privacy laws and the European Union’s GDPR. How do we get to the “Goldilocks” policy? One that’s not too loose for consumers and not too strict for advertising and commerce. And how much will publishers need to change their ways to comply?
The Limits of Self-Regulation
In the past, as critics have expressed more and more concern over privacy — and investigations have revealed the ways in which nefarious players have mined user data for insidious targeting — tech giants have slowly policed themselves. Facebook, for example, announced in August that it would remove 5,000 options on its site that ask for “sensitive personal attributes” that enabled advertisers to hyper-target and limit their audiences.
Facebook says the move was more pro-active on its part and not in response to anything in particular, though the timing is suspicious after a lawsuit leveled by fair housing groups charging that advertising on Facebook could prevent minority communities from seeing housing ads. The routine is now becoming familiar: Scandal on a tech platform related to data. Platform tries to solve problem with new rules and its own regulation. Remember Cambridge Analytica? If not, look no further than what Facebook is currently facing with its latest data scandal.
But last week’s hearings revealed that representatives from major tech companies like Amazon, AT&T, Google and Twitter— along with the IAB, which had previously favored self-regulation — are warming up to the idea of some kind of federal legislation that, in theory, would mandate actions that might prevent future scandals. They said they’re in “widespread agreement” about that, which Google also acknowledged in a proposal for privacy regulation it published just a few days before the hearing.
Meanwhile, publishers have had to take action to comply with GDPR from Europe. And while they realize it’s a hassle, and privacy-policy pop-ups are annoying for users, there can be upsides. At a recent panel discussion at Marfeel in Spain, publishers noted that they now could take responsibility for first-party data they collect, and make sure it’s secure so that users are comfortable handing it over.
“So, I think if there’s any silver lining, it’s that publishers in general and the media companies in general are now actually taking responsibility to collect that first-party data instead of simply hoping that Google and Facebook would play nice and share some of that,” said Rithesh Menon, vice president of monetization and account management at Good Media Group.
Operating in the Shadow of Europe and California
While this may seem like a drastic change of stance among tech companies, remember they’ve already had to pivot to new privacy laws in Europe and California. In fact, the reasoning behind their embrace of federal privacy laws is that they’re trying to avoid legislation that’s as strict as Europe’s GDPR or California’s Consumer Privacy Act. That was obvious during the Senate hearing, where tech representatives called out both laws in urging Congress to “strike the right balance,” as Leonard Cali, AT&T’s senior vice president of global public policy, put it.
Representatives from Google, Apple, and Twitter, for instance, discouraged Congress from following in the footsteps of the GDPR by noting that small and medium-sized businesses might not have the financial backing to take on the compliance costs that would come with GDPR-like legislation. Amazon’s representative pointedly critiqued California’s privacy bill, arguing it doesn’t promote the best privacy practices.
Theoretically, if federal law is not as strict as state law, tech companies could bypass California’s strict regulations that might very well serve as a model for other states, because federal law would trump state regulations. But Congress also noted that strategy is not what it has in mind.
“Your holy grail is ‘preemption.’” Senator Brian Schatz (D-HI) said. “And we’re not going to replace a strong California law with a weaker federal one.”
Having a Seat at the Table
Having a seat at the table when it comes to drafting federal regulation is in the best interest of tech companies at this point. But the reality is that their huffs and puffs about how strict other legislative models are might not do them any good. With yet another Facebook data breach, consumers and lawmakers alike are fed up.
California’s new law requires that people can see what data companies have on them — which makes perfect sense from a consumer perspective. And the EU is still pushing social media platforms to adjust to a new way of operating under GDPR. European Commissioner Vera Jourova warned Facebook to change some of its terms and conditions by December, so the company can finally tell users how it utilizes their data for commercial purposes. It’s a wake-up call for tech companies that the EU is not going to budge — and that gives American lawmakers the chance to pile on with more conviction.
Now that the tech giants have asked for regulation (though of course of the weaker variety), it is up to Congress to take action. But first, they also have to listen to consumer groups — because a table of decision-makers that only includes one side would not look good. Senator John Thune said Congress is not in any rush toward a decision. But let’s hope one emerges before another data breach occurs.