Future Tense

Beware of Tech Companies Bearing Privacy Laws

Federal regulations are the right idea. But Silicon Valley shouldn’t get to write them.

Facebook CEO Mark Zuckerberg testifies before Congress.
He’d prefer he write his regulations than they write his regulations. Chip Somodevilla/Getty Images

The foxes are drawing up plans for a lovely new henhouse.

The New York Times reported on Sunday that big tech companies are lobbying the Trump administration to start outlining a federal privacy law. The law would supersede state laws, including the landmark privacy bill that California passed in June, to create a single national framework for protecting people’s information. “We are committed to being part of the process and a constructive part of the process,” one top tech industry lobbyist told the Times. “The best way is to work toward developing our own blueprint.”

A national consumer privacy law is exactly what we need, as Facebook’s Cambridge Analytica scandal helped make clear. And the tech companies—which include Google, Facebook, IBM, and Microsoft, according to the Times’ Cecilia Kang—are smart to push for one, after years of opposing regulations that could constrain the data harvesting and targeted advertising on which their businesses rely. They understand that the political ground has shifted, and that federal privacy legislation is now a likelihood, if not an inevitability. Good for them.

That doesn’t mean they should be the ones writing it.

Social media companies and data brokers have spent the better part of a decade building disconcertingly detailed profiles of pretty much everyone who uses the internet (even if you don’t use their service). And in many instances, they’ve been shockingly careless with the personal information they collect. Cambridge Analytica, the political consultancy that took advantage of Facebook’s lax privacy policies to obtain profiles of tens of millions of voters without their knowledge or consent, is only the most infamous recent example. Google keeps tracking people’s location even after they’ve asked it not to. Wireless carriers quietly handed shady third parties access to real-time location data that users have no way of turning off. AOL’s release of personal identifiable search data in 2006 is a good reminder that internet companies have been violating users’ expectations of privacy since the days of dial-up.

Good intentions are not the answer. We know this because of all the companies that have failed to safeguard people’s information even when they had a vested interest in doing so. Think of the data breaches at Yahoo, Target, Equifax, and LinkedIn, to name just a few.

Meaningful consumer privacy laws, like the European Union’s General Data Protection Regulation, attach hefty fines to breaches, to make sure companies are properly incentivized to take data security seriously. They also require anyone who collects or shares people’s data to make clear what they’re doing, in plain language, and give people a chance to opt out. For too long, companies have defended their intrusive data practices by appealing to abstruse privacy policies that only lawyers can decipher—not to mention the canard that all their users know the terms of these free services that run on their data.

California’s privacy law, the toughest passed in the United States so far despite being weaker than the ballot measure initially proposed there, goes somewhat easier on some key points, including the fines, than does Europe’s GDPR. But apparently not easy enough for the liking of the technology industry.

As the Times makes clear, tech companies aren’t lobbying for a federal privacy law because they want stricter standards. They’re doing it because they fear stricter standards, both at the state and federal level. And they want a law that explicitly pre-empts the California regulations.

First of all, many tech companies view the California law as too tough already, even though some big ones, including Facebook, eventually signed on to support it. According to the Times, Facebook’s top lobbyist warned his colleagues in the industry trade group in May that California’s privacy proposal posed a threat to the industry, and suggested that they defend themselves by making privacy a priority. (A Facebook representative clarified to me that the company had opposed California’s initial ballot measure but supported the compromise legislation that followed. “Facebook is working with policymakers to craft privacy legislation that protects consumers, ensures people are in control of their information, and promotes responsible innovation,” the company said in a statement.)

Then there’s the likelihood that other states would follow California’s lead, crafting privacy laws of their own—some perhaps weaker, others stronger. The industry is right to fear a crazy quilt of state regulations, and right that a federal solution makes more sense. But tech leaders also smell an opportunity to roll back even the reasonable provisions of California’s legislation (which their lobbyists are also working to “edit” at the state level). As my colleague April Glaser pointed out in June, state laws like California’s have a way of becoming the de facto standard for the country. A weaker federal law would amount to an end run around California’s process.

And why should tech companies expect a federal law to be weaker? It’s not hard to guess. Between a Republican president and a Republican-controlled Congress, the industry has a better chance to write its own rules now than it is likely to have in the foreseeable future. The Times reports that three industry groups, including the U.S. Chamber of Commerce, are planning to pitch “voluntary standards” as part of this approach instead of legal mandates. In exchange, the Times adds, “they would insist that the federal statute nullify California’s rules.”

Voluntary standards aren’t the solution; they’re the problem with companies that largely have been allowed to regulate themselves since their inception. And if that’s what the technology industry has in mind, then what it’s really pushing for isn’t a privacy law at all. It’s more like a law against privacy laws—a bulwark against state legislation, or future federal legislation, that carries serious penalties for violations.

If hiding behind Trump to defend the status quo is Big Tech’s idea of supporting privacy regulations, we might all be better off if it kept opposing them instead.