WASHINGTON (Circa) — Six prominent U.S. internet technology companies were on Capitol Hill Wednesday with a seemingly odd appeal to lawmakers for federal regulations on user data privacy.
It seemed out of character for leaders in an industry that has been largely untouched by regulators. But technology giants are beginning to feel the heat of the public spotlight.
Recent high-profile data privacy breaches have raised concerns about the types of information companies are collecting on its users and who can get access to it. As more Americans question the technology that is part of their everyday lives, companies are scrambling to get ahead of a wave of privacy rules that they expect to be facing very soon in the United States.
Already, U.S. tech firms operating in overseas have had to fall into line with the European Union's General Data Protection Regulation (GDPR), a rigorous framework to enforce how companies can collect, process and share individuals personal data.
U.S. states are now catching on. In June, California's legislature unanimously approved sweeping data privacy rules based on the E.U. model, the California Consumer Privacy Act (CCPA), set to take effect in 2020. Tech firms, including those who call Silicon Valley home, are bristling. Roughly a dozen states have passed new internet privacy laws or are considering them.
With the prospect of a patchwork of new regulations coming down the pike, privacy representatives from Amazon, Apple, AT&T, Charter, Google and Twitter came to Congress Wednesday urging lawmakers to preempt the states.
Google preempted the hearing and released a framework for new privacy laws Monday. While touting some of their newest privacy features, the company called for an "integrated framework of privacy regulations" across all companies that handle user data. They specifically warned that "inconsistent" or "conflicting" rules would lead to a "balkanization of services" and hurt consumers.
AT&T was most explicit, pressing for a "federal preemptive framework" to address what the company sees as problems with both the European and California rules. "What we’re urging is a comprehensive federal law that looks at both of these laws, learns from them but does better than them," said Len Cali, AT&T's senior vice president of global public policy.
The tech giants acknowledged the volume and granularity of data being collected on internet users is growing daily and proposed broad data privacy principles. Generally, the tech giants agreed they should be "transparent" about their privacy policies, users should provide consent and have control over the use of their data, and there should be a single framework applied equally across the industry.
What that single framework might look like is up in the air. In their testimony Wednesday and a recent surge in lobbying efforts in recent months, big tech clearly wants to ensure they have a seat at the table when the rules are written.
That has been a top concern among consumer organizations and digital privacy watchdogs.
Just because tech companies appear to be embracing regulation, does not guarantee a positive outcome for consumers, advised Michelle Richardson, director of the privacy and data at the Center for Democracy & Technology (CDT).
"Without knowing what substantive privacy protections they will support, it's very possible a federal privacy law could actually move us backward," she warned. "Because if you put a low standard in and prevent states from doing better, it's actually a step back from where we are now."
CDT was among the 28 advocacy groups that sent a letter to the Senate Commerce Committee last week arguing the hearing was taking place in a format that "all but ensures a narrow discussion, focused on policy alternatives favored by business groups."
At the hearing Wednesday, Chairman John Thune, R-S.D., answered the letter, promising another hearing in early October featuring California privacy activist Alastair MacTaggert as well as the head of GDPR enforcement for the European Union.
"We were really glad to see they will be holding more hearings and the two witnesses confirmed so far are strong voices for consumers," said Christine Bannan, consumer protection counsel at the Electronic Privacy Information Center (EPIC), which also signed the letter.
The next hearing will provide a different perspective, Bannan said, noting, "There is definitely more of an emphasis in this Congress on hearing from industry than hearing from civil society or other advocates."
Wednesday was only the beginning of what many believe will be a lengthy and overdue national dialogue about privacy in the age of big data.
Google, Apple and Twitter representatives spoke extensively about "consent" and "control" features they introduced recently to let users manage elements of how their data is collected and shared. For example, Google introduced ad settings to let users control what information it shares with advertisers. Twitter similarly upgraded its privacy features.
But even the companies acknowledged they can only go so far with opt-in and opt-out checkboxes. Requiring users to check a box for every processing operation would degrade the service and "disincentivize users from engaging," said Google's chief privacy officer Keith Enright.
The opt-in, opt-out debate is also unlikely to advance privacy protections, Richardson argued. "We need to define people's digital civil rights," she stated. "We need to stop talking about 'notice' and 'consent' as a way out of this problem. The digital ecosystem is just too complicated for people to make meaningful choices about each piece of data and each company that gets to touch it."
Defining those rights will be a challenge. Even among the six industry leaders who testified Wednesday, there was broad agreement on principles, but conflict about details. It was unclear how users should provide their consent and how to explain what they were consenting to.
Senators appeared confused when companies spoke about "transparency" in one breath, and in the next denied "selling" user data.
A frustrated Sen. Jon Tester, D-Mt., questioned why he was being targeted with ads for truck tires if Google was not "selling" his information to advertisers. "How the hell did they get that information?"
Google's chief privacy officer explained that users can opt-out of targeted ads, noting "no personal information is passing from Google to that third party."
The back and forth raised another area of disagreement: What is considered personal information? For Google, it's a user's name, email account or other information tied to the individual or their device. For Sen. Tester, his search for truck tires was personal.
The Federal Trade Commission, which would be in charge of regulating any new internet privacy regime, has taken a broader approach. The FTC debated a definition that would include "persistent identifiers" such as cookies, static IP addresses, MAC addresses, and other device identifiers.
"Because different laws define sensitive information differently, I think that would be an important area to flesh out in federal legislation," Bannan noted.
Ultimately, the tech giants urged Congress to strike the right balance between privacy and business concerns.
Republicans, already wary of costly and potentially burdensome regulations on business were sympathetic to the appeal. Enwright gave a pained response when asked about the cost of compliance, suggesting Google spent billions of dollars and "hundreds of years" of employees' hours to comply with Europe's data privacy regime.
While companies like Google were able to meet the cost of compliance, industry groups have warned small companies and startups are now being driven out of Europe.
"We believe privacy is a fundamental right, not a privilege," Twitter's global data protection officer, Damien Kieran told the committee. "That is why we are supportive of this committee's efforts to develop a robust privacy framework that balances the protection of individuals rights and the preservation of the freedom to innovate."