by Bennett Cyphers, Electronic Frontier Foundation
Last week, the Internet Association launched a campaign asking the federal government to pass a new privacy law.
The Internet Association (IA) is a trade group funded by some of the largest tech companies in the world, including Google, Microsoft, Facebook, Amazon, and Uber. Many of its members keep their lights on by tracking users and monetizing their personal data. So why do they want a federal consumer privacy law?
Surprise! It’s not to protect your privacy. Rather, this campaign is a disingenuous ploy to undermine real progress on privacy being made around the country at the state level. IA member companies want to establish a national “privacy law” that undoes stronger state laws and lets them continue business as usual. Lawyers call this “preemption.” IA calls this “a unified, national standard” to avoid “a patchwork of state laws.” We call this a big step backwards for all of our privacy.
The question we should be asking is, “What are they afraid of?”
STRONGER STATE LAWS
After years of privacy scandals, Americans across the political spectrum want better consumer privacy protections. So far, Congress has failed to act, but states have taken matters into their own hands. The Illinois Biometric Information Privacy Act (BIPA), passed in 2008, makes it illegal to collect biometric data from Illinois citizens without their express, informed, opt-in consent. Vermont requires data brokers to register with the state and report on their activities. And the California Consumer Privacy Act (CCPA), passed in 2018, gives users the right to access their personal data and opt out of its sale. In state legislatures across the country, consumer privacy bills are gaining momentum.
This terrifies big tech companies. Last quarter alone, the IA spent nearly $176,000 lobbying the California legislature, largely to weaken CCPA before it takes effect in January 2021. Thanks to the efforts of a coalition of privacy advocates, including EFF, it failed. The IA and its allies are losing the fight against state privacy laws. So, after years of fighting any kind of privacy legislation, they’re now looking to the federal government to save them from the states. The IA has joined Technet, a group of tech CEOs, and Business Roundtable, another industry lobbying organization, in calls for a weak national “privacy” law that will preempt stronger state laws. In other words, they want to roll back all the progress states like California have made, and prevent other states from protecting consumers in the future. We must not allow them to succeed.
A PRIVATE RIGHT OF ACTION
Laws with a private right of action allow ordinary people to sue companies when they break the law. This is essential to make sure the law is properly enforced. Without a private right of action, it’s up to regulators like the Federal Trade Commission or the US Department of Justice to go after misbehaving companies. Even in the best of times, regulatory bodies often don’t have the resources needed to police a multi-trillion dollar industry. And regulators can fall prey to regulatory capture. If all the power of enforcement is left in the hands of a single group, an industry can lobby the government to fill that group with its own people. Federal Communications Commission chair Ajit Pai is a former Verizon lawyer, and he’s overseen massive deregulation of the telecom industry his office is supposed to keep in check.
The strongest state privacy laws include private rights of action. Illinois BIPA allows users whose biometric data is illegally collected or handled to sue the companies responsible. And CCPA lets users sue when a company’s negligence results in a breach of personal information. The IA wants to erase these laws and reduce the penalties its member companies can face for their misconduct in legal proceedings brought by ordinary consumers.
REAL CHANGES TO THE SURVEILLANCE BUSINESS MODE
We don’t know what the IA’s final legislative proposal will say, but its campaign website is thick with weasel words and equivocation. For example, the section on “Controls” says:
“Individuals should have meaningful controls over how personal information they provide to companies is collected, used, and shared, except where that information is necessary for the basic operation of the business[.]
The “basic operation” of data brokers involves collecting and selling personal data without your consent. Does that mean you shouldn’t be able to stop them?”
The rest of IA’s proposals follow the same pattern. The section on “transparency” says that users should be able to know the “categories of entities” that their data is shared with, but not the names of actual companies or people that receive it. This will make it unnecessarily difficult for people to trace how their personal information is bought and sold. The section on “access” says that users’ ability to access their data should not “unreasonably interfere with a company’s business operations.” Again, if a business depends on gathering data about people without their knowledge, will users ever be able to access their information? Sometimes, exercising your privacy rights will mean “interfering” with a company’s business.
The bottom line is that tech companies are happy for Congress to enact a privacy law — as long as it doesn’t affect their “business operations” in any way. In other words, they’d like a privacy law that doesn’t change anything at all.
The Internet Association knows which way the wind is blowing. Across the country, people are fed up with Big Tech’s empty promises and serial mishandling of personal data. They want real change, and state legislatures are listening. We must allow states to continue passing innovative new privacy laws. Any federal privacy legislation needs to build a floor, not a ceiling.
© 2019 Electronic Frontier Foundation, CC BY 3.0 US, updated time reference