Gopal Ratnam and Dean DeChiaro
Top U.S. technology companies are shifting their focus to state capitals to shape emerging data privacy laws as progress on a federal bill has slowed.
Trade groups representing consumer-oriented technology companies such as Amazon, Google and Facebook, as well as those working on behalf of business-oriented companies such as IBM, Intel, Microsoft and Oracle, have in recent weeks turned their attention to states.
The California Consumer Privacy Act, which requires disclosures so consumers are aware of data being collected about them and permits them to opt out, went into force in January and has become a catalyst for states around the country that are considering similar measures. It reflects a strong desire by voters for protections from unchecked data collection practices by companies and governments.
In a Pew Research Center survey last year, more than 8 in 10 Americans said the potential risks from their data being collected and used by companies outweighed benefits; about 66 percent said they felt the same about data used by the government.
John Olsen, director of state government affairs for the Northeast region at the Internet Association — a trade group that represents Amazon, Facebook and Google, among other consumer companies — said state legislators are showing “increased interest and curiosity about how companies share data and how data is derived, with an interest in protecting consumers’ data privacy.” And many lawmakers see that successfully championing data privacy legislation could boost their political ambitions as well, he said.
Missouri Sen. Josh Hawley, a rising Republican star, is among those taking on big technology companies and their data practices. Hawley has said he’s worried that a handful of tech billionaires are getting richer and more powerful by taking everyone’s information and monetizing it.
The Software Alliance, also known as BSA, which includes Apple, Microsoft and IBM as members, in January announced a state advocacy program. Although federal legislation addressing data privacy that would apply uniformly across the country is still the preferred outcome for tech companies, “we can’t ignore that the states are moving forward,” said Craig Albright, vice president of legislative strategy at BSA. “We are not asking states to pass privacy laws, but we need to help shape it.”
Industry groups are keen to see that laws in different states are more or less uniform in their definitions of users’ rights as well as responsibilities assigned to companies. The groups are also working to ensure that one or more states don’t add a new standard, such as New York, which is considering whether companies should have a fiduciary duty to safeguard users’ data.
Focusing attention on states is a smart strategy on the part of tech companies, said Michelle Richardson, director of privacy and data at the Center for Democracy and Technology, an advocacy group that promotes technology safeguards. “If you pass the same law in a handful of states, that could influence federal legislation,” she said.
Slow start on the Hill
In Congress, meanwhile, multiple bills and draft proposals are being circulated by members in both chambers. Mississippi Republican Roger Wicker, chairman of the Senate Commerce Committee, in early December unveiled a discussion draft. Washington Sen. Maria Cantwell, the top Democrat on the panel, introduced a bill that is backed by Democrats Amy Klobuchar of Minnesota, Edward J. Markey of Massachusetts and Brian Schatz of Hawaii.
The Wicker and Cantwell proposals join others from House members. In November, two California Democrats, Zoe Lofgren and Anna G. Eshoo, unveiled a data privacy bill that would go further than other measures by creating a new federal digital privacy agency.
California’s new law requires companies to show consumers what data is collected on them, delete data upon request and allow people to opt out of their data being sold. It also gives users the right to sue companies for data breaches. The law applies to all companies with annual sales exceeding $25 million and is estimated to affect as many as 500,000 businesses. Nine states around the country are in various stages of considering privacy legislation, according to data compiled by the International Association of Privacy Professionals, or IAPP. Bills in Massachusetts, Minnesota, Nebraska, New Hampshire, New York and Virginia are in the process of being considered by legislative committees, according to IAPP. The Washington state Senate approved a privacy measure last week.
Empire State strikes back
The bill being discussed in New York takes a new approach. It would place fiduciary responsibilities on companies to safeguard users’ data, much like the requirements on financial advisers to safeguard clients’ money.
Other provisions would also make the New York proposal an outlier. For starters, it would apply to all companies in New York, not just those with more than $25 million in annual revenue. It would also allow New York residents to sue for more than just the loss of personal information in a data breach.
The bill would also require confidentiality and protections for consumers from economic and psychological harm, as well as from “significant inconvenience or expenditure of time” and “stigmatization or reputational harm” resulting from data breaches.
The bill’s author, state Sen. Kevin Thomas, who chairs his chamber’s Consumer Protection Committee, hopes the proposal will set a new benchmark in privacy protections.
“It’s the wild, Wild West right now, and the federal government is obviously not moving towards regulating this industry with a universal law,” Thomas said. “So the states have to step up.”
Technology companies were quick to oppose the legislation, and the data fiduciary section in particular.
At a hearing last June, Olsen of the Internet Association said combining the data fiduciary with the ability for residents to sue companies for a broad range of privacy violations “would bankrupt small businesses and likely some larger businesses.”
New York-based industry groups were also opposed.
The Empire State bill was largely supported by privacy advocates, who praised it for seeking tougher protections than those enacted in California. Allie Bohm, policy counsel at the New York Civil Liberties Union, said Thomas’ bill could be “the most progressive in the nation.”
Its advocates are particularly supportive of allowing individuals to sue companies for a broad range of potential violations, not just data breaches, Bohm said. But she expressed concerns over the data fiduciary provision, which she finds “interesting” but in need of significant clarification. “Just saying you have a duty of care doesn’t tell me as a corporation what I’m required to do,” Bohm said. “If you don’t lay out what it means, it can become meaningless.”
After hearings on the legislation last year, Thomas is reworking his bill with input from both privacy advocates and business groups. He plans to reintroduce it in the coming months.
Until Thomas reveals a new version, the bill’s prospects for passing this year remain unclear. He said he’s committed to keeping the data fiduciary provision in the bill but wants to work with businesses to ensure they can comply without going out of business.
“This isn’t a tough bill to pass,” Thomas said. “I’m just trying to balance the privacy aspect and the business models. So I’m not killing industry — just making everything better.”